
Understanding Red Hat's SBOM - The Future of Software Transparency

FIRST

Przemyslaw Roguski (Red Hat, PL)
Przemysław Roguski is a Security Architect at Red Hat who specializes in the security aspects of cloud products. He contributes security analysis work on Red Hat OpenShift and other OpenShift-related products, and designs security solutions and processes across Red Hat Product Security. His focus is on improving security data (through upstream and downstream security initiatives and projects such as CWE, Kubernetes and the Red Hat Vulnerability Scanner Certification program) to build a better understanding of security issues and improve client satisfaction.
---
SBOMs are intended to give ‘consumers’ of software transparency through a list of the ‘ingredients’ that compose an application. They support procurement reviews of what is included in a set of software applications or libraries, and provide general information on the composition of a software product. They also provide a basis for establishing a vulnerability program as part of an organization’s Risk Management approach. Red Hat Product Security publishes an official Red Hat Build SBOM (software bill of materials) to help downstream consumers address these concerns.
In this talk we will give a general overview of what an SBOM is, what types of SBOMs vendors can produce, and how to understand the individual components of an SBOM (products, software components and their dependencies) from an Open Source Software ‘producer’s’ perspective. We will show our approach to SBOM production and explain why and where SBOMs matter in the Security Development Lifecycle (SDLC).
Main topics to be covered in this session include:
- What exactly is an SBOM
- SBOM types vendors / producers should really consider
- SBOM and software product lifecycle, how they work together
- SDL phases of the product lifecycle
- SBOM’s role and place in SDLC
- Red Hat SBOM implementation and publishing lessons
This talk is designed for security professionals, compliance officers, compliance auditors and everyone who works on the supply chain aspects of software.

Published: 8 May 2024
