YoVDO

SBOMs That You Can Trust - The Good, the Bad, and the Ugly

Offered By: CNCF [Cloud Native Computing Foundation] via YouTube

Tags

Software Supply Chain Security Courses, Cybersecurity Courses, Vulnerability Management Courses, Sigstore Courses, Software Bill of Materials Courses

Course Description

Overview

Explore the critical aspects of ensuring trustworthy Software Bills of Materials (SBOMs) in this 29-minute conference talk from the Cloud Native Computing Foundation (CNCF). Delve into the often-overlooked elements of SBOM reliability throughout its lifecycle, from generation to storage, distribution, and processing. Learn to identify potential pitfalls and ask crucial questions about your organization's SBOM practices. Discover how to leverage open-source tools and specifications such as in-toto attestations, Content Addressable Store, Supply-chain Levels for Software Artifacts (SLSA), and Sigstore to create uniquely identifiable, unforgeable, complete, and accessible SBOMs. Gain insights into implementing end-to-end solutions for SBOMs and other metadata, such as VEX and vulnerability scans, that meet the highest trust standards required in future software supply chains.

Syllabus

SBOMs That You Can Trust - the Good, the Bad, and the Ugly - Miguel Martinez & Daniel Liszka


Taught by

CNCF [Cloud Native Computing Foundation]

Related Courses

The Foundations of Cybersecurity
University System of Georgia via Coursera
Introduction to Cybersecurity
SecurityScoreCard via Udacity
TOTAL: CompTIA CySA+ Cybersecurity Analyst (CS0-003)
Udemy
Fundamentals of Internet Security | Secure Your Environment
Udemy
Ciberseguridad en linea
Udemy