Distributing SBOMs
Hi all,
During the IP summit, there was a question (I forget who posted it, sorry) about rules for distributing SBOMs, which caught my attention because I'd been wondering what the typical practices were at present. Are folks including SBOMs as part of installed software (e.g. part of the payload of a self-extracting installer or a managed package), via organisational websites, on demand, something else?
Thanks,
steve
Yaniv Ozerzon
Hi Steve,
Including the SBOM with a distributed product is not a typical practice at present. The SBOM per se is not part of the standard compliance artifact. Nonetheless, following the White House Executive Order on Improving the Nation's Cybersecurity, Kaspersky announced it will provide an SBOM with its products (https://usa.kaspersky.com/about/press-releases/2021_kaspersky-announces-software-bill-of-materials-available-for-its-customers-and-partners). If I remember correctly, Microsoft also declared the same, although there was no official announcement as far as I know.
Regards, Yaniv
From: main@... <main@...>
On Behalf Of Steve Kilbane via lists.openchainproject.org
For those of you interested, the Telco group (https://lists.openchainproject.org/g/telco) is currently looking at and discussing best practices for SBOMs, including distribution, and looking to document those as a best-practice "guide/standard" going beyond the mere "data format" (i.e. SPDX, CycloneDX, something else).
BR J
From: main@... <main@...>
On Behalf Of Yaniv Ozerzon via lists.openchainproject.org
Thanks, Jimmy – subscription to the telco mailing list submitted!
(Apparently, I'd forgotten to do that earlier…)
From: main@... <main@...>
On Behalf Of Jimmy Ahlberg via lists.openchainproject.org