Webinar: How to Identify and Tackle SBOM Sprawl
0 likes•81 views
In modern software development, the Software Bill of Materials (SBOM) is pivotal, transforming how we manage security, compliance, and innovation. These aren't just static lists; they are dynamic sources of intelligence that can drive automation, reduce risk, and ensure continuous regulatory adherence. However, scaling your SBOM practice can inadvertently lead to "SBOM Sprawl" that hinders visibility and efficiency. Are your SBOMs empowering your strategy or creating complexity? Gain critical insights from industry leaders Alex Rybak, Director of Product Management, Anchore and Russ Eling, Founder, OSS Consultants in this educational webinar.
Webinar: How to Identify and Tackle SBOM Sprawl
- 1. How to Identify and Tackle SBOM Sprawl Webinar | April 22, 2025
- 2. Housekeeping 2 01 02 03 All participant lines are muted Questions will be accepted throughout, enter questions via Zoom You will receive a follow-up email with a link to the recording
- 3. Introductions Russ Eling Founder of OSS Consultants Alex Rybak Director, Product Management at Anchore
- 4. Today’s Agenda 4 01 02 03 Introduction to SBOMs Understanding SBOM sprawl Strategies and best practices to reduce and manage SBOM sprawl 04 How we can help
- 5. Introduction to SBOMs 5 An SBOM is a nested inventory, a list of ingredients that make up SW components ● Not a new concept; has been around in hardware for decades ● Provides transparency into software ingredients to assist with assessment and remediation ● Rapid increase in adoption the past few years ● Lots of great resources are available at https://www.cisa.gov/sbom
- 6. Regulations Driving SBOMs 6 ● Cyber EO 14028 & OMB Memo M-22-18 ○ Agencies must collect SBOMs from software vendors, especially for critical software ● SSDF: NIST SP 800-218 ○ Suggests documenting components (including third-party/open-source); essentially an SBOM ● Many Regulated Industries ○ Automotive (NHTSA) ○ Medical Devices (FDA Cyber Guidelines) ○ Energy (NERC) ○ Public Companies (SEC Cyber Rules: 8-K & 10-K) ● Standards Bodies ○ ISO 27001 United States European Union (EU) ● EU Cyber Resiliency Act ○ SBOMs required for software with digital elements ● NIS2 (Network and Information Security Directive 2) ○ Expands cybersecurity mandates for critical sectors: energy, healthcare, transport, finance, digital infrastructure, public services, etc. ● DORA (Digital Operational Resilience Act) ○ Aims to strengthen resilience in financial sector ● PCI DSS4 (Payment Card Industry Data Security Standard) ○ Requirement 6: Develop and Maintain Secure Systems and Software ○ Requirement 10.8.1: Responding to Indicators of Compromise (IoCs)
- 7. Understanding SBOM Sprawl 7 ● Multiple formats: CycloneDX, SPDX, proprietary ● Different tools generating SBOMs at various stages of development ● Inconsistent ownership across teams ● Lack of integration with security, compliance, and DevSecOps pipelines ● Data overload and inefficiencies: too many SBOMs with redundant or conflicting information; overlapping analysis and remediation efforts ● Compliance challenges: difficulty meeting regulatory requirements (e.g., EO 14028, NIST guidelines) ● Security gaps: inability to effectively monitor vulnerabilities and dependencies The proliferation of SBOMs across an organization without a centralized strategy Causes of Sprawl Impact of SBOM Sprawl
- 8. Strategies to Manage SBOM Sprawl 8 ● Use industry-recognized formats like CycloneDX or SPDX ● Consider compatibility with your existing security and compliance tools ● Centralize SBOM storage in an SBOM management system ● Automate SBOM generation, validation, updates, and alerts ● Integrate SBOMs into your development pipelines and security tools ● Continuously monitor SBOMs for new vulnerabilities Standardize ● Define clear roles and responsibilities for SBOM management ● Educate your teams ● Ensure compliance with regulations and internal security frameworks Governance and Ownership Integrate and Automate
- 9. How Anchore Can Help 9 ● Construct SBOMs from repo, container, and runtime scans ● Import SBOMs from other tools or upstream vendors ● Report security issues: vulnerabilities, secrets, malware ● Enforce compliance via policy packs ● Integrate with Engineering toolchain ● Visualize changes over time ● Assess impact across organization ● Founded in 2016 in California by ex-Ansible / Red Hat / Eucalyptus Founders ● Creators of Syft and Grype with 30 million downloads ● Anchore Enterprise deployed in the DOD and the largest technology vendors in the world since 2018
- 10. How OSS Consultants Can Help 10 ● Full service consultancy for managing use of open source software ● Build complete open source management strategies for organizations of all sizes ● Scanning and audit of your codebases to build your SBOMs, and comply with licensing obligations ● Help organizations understand and manage the risks associated with open-source software use ● Provide efficient, comprehensive, and robust implementation of open source programs, and policies Your Trusted Partner in Open Source Management
- 11. Key Takeaways 11 01 02 03 Standardize on tooling and formats Establish governance and ownership Implement your process and controls 04 Integrate and automate
- 13. Next Steps Learn more about Anchore Enterprise: https://anchore.com/platform Learn more about OSS Consultants: https://ossconsultants.com OSPO Case Study with OSS Consultants & Blackberry: https://ossconsultants.com/blackberry-openchain-case-study/ Visit our GitHub and Discourse: github.com/anchore and anchore.com/discourse eBook: SBOM 101: https://get.anchore.com/sbom101-guide-for-devsecops-community/