Beyond the Code / SBOM: Supply Chain Security
Supply Chain security is the new buzzword of the town and everyone is gaga about it. After the executive order and SSDF / SLSA documents being released, every single vendor has added SBOM capabilities and declared the problem solved. The problem is its not solved, Supply chain security is not a new problem and sbom is not the final solution. This talk wants to throw lights on supply chain security overview and then address following points.
- How supply chain security is a age old concept.
- What has changed in last few year and how that affects this problem space
- At a broader level how SLSA / SSDF are trying to address the problem.
- What is still missing in market and what is needed to be done beyond buying tools.
We will start by exploring how software supply chain problems have existed in past already, We will then talk about sbom’s what they really are and what they can do. we then focus on the shortcomings of the formats and especially where gaps occur (for example the place to record which compiler version was used to compile the code). After we have looked at sbom we will explore different scenarios where current sbom would not have helped in any ways (this includes solarwind if you are wondering) We then explore how different bodies have attempted to tackle it from npm’s trying to isolate packages, to debian trying to control central repositories, pros and cons on each side. We will then focus on how paradigm shift such as IaC and provinence tools could be of help what they can do and can’t do. we will then conclude the talk around SSDF / SLSA as frameworks to start tackling the problems but also to give people a clear idea where tooling can help and where policies and process would be helpful.
This talk is especially useful for practitioners who want to understand what is going on and how to start looking at these frameworks to put some protection in the environment.