logo
securityArticlesConferencesPresentations

GitBOM: Repurposing Git’s Graph for Supply Chain Security & Transparency

Conference:  SupplyChainSecurityCon 2022

2022-06-21

Authors:   Ed Warnicke, Aeva Black

Summary

The presentation discusses the need for simplicity in addressing supply chain security in open source software communities. The speaker proposes the use of a canonical, unique, and immutable identity for software artifacts to simplify the problem space.
  • Software artifacts can be represented as an array of bytes and should have a unique, canonical, and immutable identity
  • Identity should be based on the byte array representation of the artifact
  • File names, locations, and URLs are not suitable for identity
  • Simplifying the problem space requires a change in perspective
  • Focusing on simplicity leads to reliability, performance, and security
The speaker shares their experience of learning about the aerospace industry and the mistakes made in managing software releases. They emphasize the importance of remembering past mistakes to avoid them in the future. The speaker also shares their experience of entering the supply chain space and being overwhelmed by the complexity of the problem. They suggest a change in perspective to simplify the problem space.

Abstract

What if we could know the complete and reproducible artifact tree for every binary executable, shared object, container, &etc – including all its dependencies – and you could efficiently cross-reference that against a database of known vulnerabilities *before* you deploy? If you had had that information, could you have remediated Log4Shell faster? Might it even help open source maintainers identify at-risk dependencies sooner? If you're thinking, "this sounds too good to be true - what's it going to cost?", then we really hope you’ll join us because we believe this should be an automatic part of open source build tools. In this talk, Aeva and Ed will share why they're so excited about GitBOM and explain what it is (hint: it's not git and it's not an SBOM). If the demo gods are willing, they will show you how you can generate a GitBOM with a simple command-line tool, and explain why you won't have to. Finally, if you want to add support for GitBOM to your favorite tool or language, this talk will give you enough information to get started.
Materials:
Tags:
binary executables
shared objects
containers
Dependencies
known vulnerabilities

Post a comment

Related work

Keynote: The CNCF Sandbox: An Exploration and Guided Tour

Conference:  KubeCon + CloudNativeCon Europe 2021
Authors: Justin Cormack

SBOM X-Ray Superpowers: Making Better SBOMs, Using SBOMs

Conference:  KubeCon + CloudNativeCon North America 2022
Authors: Brandon Lum, Chris Phillips
2022-10-26

Improve Vulnerability Management with OCI Artifacts – It Is That Easy!

Conference:  KubeCon + CloudNativeCon Europe 2023
Authors: Itay Shakury, Toddy Mladenov
2023-04-20

Spicing up Container Image Security with SLSA & GUAC

Conference:  Cloud Native SecurityCon North America 2023
Authors: Ian Lewis

Standardization and Security - A Perfect Match

Conference:  Cloud Native SecurityCon North America 2023
Authors: Ravi Devineni, Vinny Carpenter

TechDocs: Unlocking the Potential of Engineers' Collective Knowledge

Conference:  KubeCon + CloudNativeCon Europe 2021
Authors: Emma Indal