Lessons Learned from Generating 100M SBOMs: Google’s Approach to SBOM Compliance - Brandon Lum & Isaac Hepworth, Google
Abstract
How do you catalog all the software of Google? This is what was asked of Google by US White House Executive Order 14028. When the memo dropped stating that we’d need to be ready to provide SBOMs in 6 months, there were a ton of questions… Which products need to have an SBOM? Which format? What tooling? Who’s responsible? Where do we store them? What are the SBOM requirements? Legal? Privacy? In this talk, we will show how Google went from 0 to 100M SBOMs in 6 months, giving insight into the process, principles and lessons learnt. We will chat through both organizational challenges, such as translating requirements and bringing together many different teams (products, builders, infrastructure, legal, federal etc.), and engineering principles, such as having builders play a key role in the SBOM generation process, attested SBOMs, and how “less is more”. We will show how our solution was built on top of LF/CNCF technologies like SPDX, SLSA, and in-toto.