Lessons Learned from Generating 100M SBOMs: Google’s Approach to SBOM Compliance - Brandon Lum & Isaac Hepworth, Google

less than 1 minute read

Abstract

How do you catalog all the software of Google? This is what was asked of Google from the US White House Executive Order 14028. When the memo dropped stating that we’d need to be ready to provide SBOMs in 6 months, there were a ton of questions… Which products need to have an SBOM? Which format? What tooling? Who’s responsible? Where do we store them? SBOM requirements? Legal? Privacy? In this talk, we will show how Google went from 0 to 100M SBOMs in 6 months, giving insight into the process, principles and lessons learnt. We will chat through both organizational challenges such as translating requirements, getting together many different teams (products, builders, infrastructure, legal, federal etc.), as well as engineering principles such as having builders play a key role in the SBOM generation process, attested SBOMs, and how “less is more”. We will show how our solution was built on top of LF/CNCF technologies like SPDX, SLSA, and Intoto.

Sched URL

Video

Twitter Facebook LinkedIn

About

Conferences

Lessons Learned from Generating 100M SBOMs: Google’s Approach to SBOM Compliance - Brandon Lum & Isaac Hepworth, Google

Abstract

Video

You May Also Enjoy

You Shall Not Pass! Unless You Are GUAC Verified…. - Parth Patel, Kusari & Dejan Bosanac, Red Hat

Living off the Land Techniques in Managed Kubernetes Clusters - Ronen Shustin & Shay Berkovich, Wiz

Leveraging OCI 1.1 for Enhanced SBOM Integration and Vulnerability Scanning in Harbor - Anais Urlichs, Aqua Security & Shengwen Yu, VMware

Kubernetes Security Blind Spot: Misconfigured System Pods - Shaul Ben Hai, Palo Alto Networks