Understanding Software Bills of Materials (SBOMs)

This chapter explores the importance of Software Bills of Materials (SBOMs) in managing software supply chain risks, particularly focusing on open source projects. It discusses the challenges in standardizing SBOM formats and highlights the necessity of understanding project dependencies and compliance with licensing. The chapter also emphasizes the proactive measures organizations can take to ensure project health and educate developers about the implications of using open source software.

Transcript

chevron_right

Play full episode

chevron_right

Transcript

Episode notes

Thank you to the folks at Sustain for providing the hosting account for CHAOSSCast!

CHAOSScast – Episode 109

In this episode of CHAOSScast, host Georg Link is joined by Cali Dolfi, Senior Data Scientist at Red Hat, and Brittany Istenes, FINOS Ambassador. The discussion delves into the importance of measuring open source community health and the role of Software Bill of Materials (SBOM) in ensuring software security and compliance. They talk about the rising threats in open source software, the need for standardizing SBOMs, and how organizations can leverage these tools to proactively manage risks and project health. Also, they touch on practical steps being taken at Red Hat and other organizations to address these challenges. Hit download now to hear more!

[00:00:21] Our guests introduce themselves and their backgrounds.

[00:01:55] Georg explains the rise of malicious packages (700%) and the risks of neglected open source components.

[00:04:36] What is a SBOM? Brittany explains SBOMs as a list of all software components and libraries in each application and automation and tooling adoption is discussed.

[00:06:08] Cali outlines the lack of consensus on SBOM fields and formats and advocates for including upstream repo links to assess project health. Brittany mentions companies being cautious about publicizing SBOMs due to IP concerns.

[00:09:12] Georg gives a historical overview about SBOMs began as tools for license compliance and how SBOMs now cover more including cybersecurity, post U.S. Executive Order 14028 (May 2021).

[00:15:51] Georg shares three pillars of SBOM strategy: License compliance, Security, and Project Health and how CHAOSS Metrics can be combined with SBOMs to move from reactive to proactive strategies.

[00:16:59] Brittany emphasizes risk analysis and good design from project inception and proactive open source strategies save effort later.

[00:18:43] Cali talks about using project health metrics and advocates for tracking maintainer activity, patch frequency, and project responsiveness.

[00:21:28] Brittany stresses internal engineering education on project health and risk and developer smush understand what makes a project “healthy.”

[00:22:55] Georg talks about how open source has evolved and details using CHAOSS metrics for risk assessment and CI/CD integration.

[00:27:36] Cali shares Red Hat’s efforts to define what makes a project vulnerable and how it’s focused on detecting and sunsetting unmaintained dependencies.

[00:31:37] Brittany emphasizes risk from version mismatches and misinterpreted CVEs and mentions a CHAOSS doc to read, “Metrics for OSS Viability” by Gary White.

[00:34:17] We end with Georg sharing some upcoming events: CHAOSScon North America, June 26 and Open Source Summit North America, June 23-25.

Value Adds (Picks) of the week:

[00:36:08] Georg’s pick is building a platform for his dog to look out the window.
[00:37:06] Brittany’s pick is spending time with Georg and Cali.
[00:38:12] Cali’s pick is her great support system since having ACL surgery.

*Panelist: *
Georg Link

Guests:

Cali Dolfi

Brittany Istenes

Links:

CHAOSS

CHAOSS Project X

CHAOSScast Podcast

podcast@chaoss.community

Georg Link Website

Britany Istenes LinkedIn

Brittany Istenes GitHub