New SBOMs for Old Systems
New regulation is coming, and commercial software will be required, as a bare minimum, to supply a Software Bill of Materials (SBOM) that lists all third-party dependencies. For some software, this just works. However, for legacy systems with a long history, assembling a reasonable SBOM as part of the build is already a formidable task.
We are in the process of doing so for a multi-million LoC C++/C# desktop software portfolio. In this talk, I want to share and abstract from our experiences. In particular, I want to talk about:
* What is an SBOM, why is it required, and what must be included?
* Assuming you have an SBOM, there are processes attached, for example, a vulnerability search. What surprises lurk there?
* And finally: How do you create an SBOM for such a legacy system?
Benefit for the participant:
On multiple occasions, I got the impression that people think that this whole SBOM issue just works:
Grab some CycloneDX tool, upload the resulting SBOM to DependencyTrack or whatever commercial tool you bought, and then you just need to configure some policies.
When you have legacy software, particularly C++ with many build quirks, such simple processes just do not work.
There are no good tools, some dependency metadata cannot be extracted automatically, software identifiers (CPEs) are a mess and cannot be assigned automatically, and the list goes on.
The goal of the talk is neither to show code nor to show tools; it is about basic understanding:
What do you want to do with your SBOM, and what problems can you expect?
I want to present a mental model for the downstream processes (vulnerability search etc.) and for the goals and prerequisite work involved in actually creating the SBOM.
Problems addressed:
I need to assemble an SBOM for my build. What do I have to do?
The developers will manage to get some SBOM out of their build. What do I have to look out for when setting up the downstream processes (license checks, vulnerability search, ...)?
Talk language: English
Level: Beginner
Target audience: Developers, Architects, Build system engineers
Company:
PTV Planung Transport Verkehr GmbH

Ulf Lorenz