SBOMs and SPDX: Now and in the Future

Presented by

Gary O'Neall, Source Auditor and Phil Odence, Synopsys

About this talk

If software is an important part of your business and you need to comply with license terms and protect against security vulnerabilities, you need to know and track what is inside your software. Lists of software components and dependencies are typically referred to as Software Bills of Materials (SBOMs). Standardizing the format for SBOMs can improve the accuracy and efficiency for managing software license compliance and security vulnerabilities – especially if your software is the result of a long list of suppliers (e.g., a commercial product which depends on a commercial library which uses an open-source library which includes source from a different open-source project). With the May 12, 2021 U.S. Presidential Executive Order on Improving the Nations Cyber Security, several software suppliers are being required to produce their SBOMs in a standard format. SPDX is a standard format for SBOMs. Although it has been around for more than 10 years, it has gone through some significant evolution such representing data on security vulnerabilities. There is a forthcoming major release which supports several new use cases such as tracking the build process and tracking data about artificial intelligence models. In this talk, we will start with how you can use the widely adopted SPDX 2.3 spec to represent security vulnerability and license compliance data and then go into some of the new features of the SPDX 3.0 specification. We will touch on what goes into making a quality SBOM. At the conclusion of the talk, you will have a better understanding how you can make use of SPDX whether you are producing software or evaluating software you use (or plan to use).
Related topics:

More from this channel

Upcoming talks (21)
On-demand talks (188)
Subscribers (59363)
Synopsys Software Integrity Group provides integrated solutions that transform the way development teams build and deliver software, accelerating innovation while addressing business risk. Our industry-leading portfolio of software security products and services is the most comprehensive in the world and interoperates with third-party and open source tools, allowing organizations to leverage existing investments to build the security program that’s best for them. Only Synopsys offers everything you need to build trust in your software.