What is SBOM (Software Bill of Materials) and why you should care

By Cheuk Ting Ho

Elevator Pitch

To improve cybersecurity, especially supply chain security, the SBOM (Software Bill of Materials) is no longer an alien term for software and will increasingly be expected to ship with software distributions. Open source projects have also been keeping up by providing SBOMs. Are you ready to hop on the SBOM train?

Description

Since Software Bill of Materials documents are now available for CPython, we can learn from CPython how it has been done and what challenges it has faced. We can also see how an SBOM serves its purpose: to provide transparency about the composition of software and to make tracking any potential vulnerability in its supply chain easy. We will approach it from the perspective of someone who has not heard of SBOM or is not sure what an SBOM is.

Target audience

Engineers and project maintainers who cared very little about SBOM and supply chain security in the past and are not familiar with SBOM and SPDX, plus anyone without much experience who is interested in learning about open source security.

Goal

To raise awareness of open source security, especially supply chain security, and to provide educational information about how to produce an SBOM with the help of SPDX.

Outline

  • What is SBOM
  • Why we need SBOM
  • CPython SBOM case study
    • success and challenges
    • usage of SPDX
  • Do you need SBOM?
    • Conclusion
    • Call for action