Looking into the Closet from Code to Cloud with Bills of Material
With the growing ecosystem of Bills of Material (BOM), it becomes harder to know how the tools, and the BOMs they produce, differ. This hands-on tutorial looks at the types of BOM (SBOM for software, IBOM for infrastructure, KBOM for Kubernetes) across resources from code to cloud. BOMs will be generated with Trivy, Syft, and Microsoft SBOM. The outputs will be compared for quality and security implications using the sbom-comparator by Lockheed Martin, explaining which results the tools share and which are unique to each. In a live demo, we will show the benefits of using BOMs as input for security scans and of integrating VEX documents to reduce the noise of vulnerability scans.
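To make concrete what "integrating VEX documents to reduce the noise" means in practice, here is an added example that is not part of the talk or of Trivy, Syft or sbom-comparator: a constructed CycloneDX-style finding list and a constructed OpenVEX document, with a function that drops only the findings a `not_affected` or `fixed` statement covers. All CVE ids, package URLs and document ids are placeholders.

```python
# Added example, not code from the talk or from Trivy, Syft or sbom-comparator.
# All CVE ids, purls and document ids below are constructed placeholders.

# Constructed scan result in the shape of a CycloneDX "vulnerabilities" array.
SCAN_RESULT = {
    "bomFormat": "CycloneDX",
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "affects": [{"ref": "pkg:deb/debian/libfoo@1.2.3"}]},
        {"id": "CVE-0000-0002", "affects": [{"ref": "pkg:deb/debian/libfoo@1.2.3"},
                                            {"ref": "pkg:npm/bar@4.5.6"}]},
    ],
}

# Constructed OpenVEX document: one statement scoped to a single product purl.
VEX_DOCUMENT = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/placeholder-1",
    "author": "constructed example",
    "statements": [{
        "vulnerability": {"name": "CVE-0000-0002"},
        "products": [{"@id": "pkg:deb/debian/libfoo@1.2.3"}],
        "status": "not_affected",
        "justification": "vulnerable_code_not_in_execute_path",
    }],
}

# OpenVEX statuses meaning "no action needed"; "affected" and
# "under_investigation" statements must leave the finding in the report.
SUPPRESSING_STATUSES = {"not_affected", "fixed"}

def suppressed_pairs(vex):
    """Return the set of (cve, purl) pairs the VEX says need no action."""
    pairs = set()
    for stmt in vex.get("statements", []):
        if stmt.get("status") not in SUPPRESSING_STATUSES:
            continue
        for product in stmt.get("products", []):
            pairs.add((stmt["vulnerability"]["name"], product["@id"]))
    return pairs

def apply_vex(scan, vex):
    """Return (cve, purl) findings not covered by a suppressing statement;
    the same CVE stays reported for any purl the VEX does not name."""
    skip = suppressed_pairs(vex)
    return [
        (vuln["id"], hit["ref"])
        for vuln in scan.get("vulnerabilities", [])
        for hit in vuln.get("affects", [])
        if (vuln["id"], hit["ref"]) not in skip
    ]
```

With the VEX applied, the libfoo finding for CVE-0000-0002 disappears while the same CVE on the npm component stays, which is the per-product scoping that keeps VEX from silencing more than the author assessed.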
Anaïs Urlichs, Aqua Security
Anaïs is a Developer Advocate at Aqua Security, where she contributes to Aqua's cloud native open source projects. When she is not advocating DevOps best practices, she runs her own YouTube channel centered around cloud native technologies. Before joining Aqua, Anaïs worked as an SRE at Civo, a cloud native service provider, where she worked on infrastructure for hundreds of tenant clusters. Her passion lies in making tools and platforms more accessible to developers and community members.