An Insider’s Guide to SPDX

Presented by

Gary O’Neall, Co-Lead, SPDX Tech Team | Founder, Source Auditor

About this talk

SPDX (Software Package Data Exchange) is a widely used software bill of materials (SBOM) specification. It’s one of two full-stack SBOM standards approved under the U.S. government’s 2021 cybersecurity executive order, and it supports a number of important software supply chain management use cases. Although SPDX has been around for over a decade (the original v1.0 was released in 2011), the specification has evolved significantly over the years, up to the current v2.3. Today, organizations can leverage SPDX to support a broad range of initiatives (including supply chain security), with a wide range of customizations and formatting options. Join Gary O’Neall, Tech Team Lead at SPDX, for a webinar on the specification, its evolution, and best practices for using it efficiently and effectively. We’ll discuss:

- The SPDX big picture: document structure, file formats, and internal vs. external SBOMs
- Typical SPDX data fields: required minimum elements, recommended elements, and useful add-ons
- SPDX security use cases and how the current v2.3 supports them
- Strategies for generating and maintaining SPDX SBOMs