Leverageing SBOMS to Automate Packaging, Transfer, and Reporting of Dependencies Between Secure Environments.pdf

1、Leveraging SBOMS to Automate Packaging,Transfer,and Reporting of Dependencies Between Secure EnvironmentsCloudNativeSecurityConP R E S E N T E RI a n D u n b a r-H a l lJ e r o d H e c kDAT EFe b 2 n d 2 0 2 32023 Lockheed Martin CorporationIntroductionsIan Dunbar-HallLockheed Martin Software Factor

2、y Chief EngineerJerod HeckLockheed Martin Software Factory Product ArchitectPremiseCommon Practice SBOMS are often a build artifact and used for compliance or trackingConsider SBOMs as a packaging definition or interface What if it were used to package dependencies instead of just an artifact?It bec

3、omes a package type independent method for defining dependenciesProblemIt sucks being a developer in disconnected strict environments!Slow to get packages approved Slow to get package updates Way too much paperwork Lots of“rinse and repeat”Is there a way to Automate the patching,compliance,and deliv

4、ery of build dependencies to”strict environments”?Can this be done using existing tooling?Can this be automated for multiple teams in a single dataflow?Can many artifacts be collected from many different sources at once?HopprTMis a framework for defining,validating,and transferring dependencies betw

5、een environments usingSoftware Bill of Materials(SBOM)Open Source Standards.HopprTMis a solution for delivering a well-defined,repeatable bundle to secure environments combating customer problems with digital asset delivery.Leveraging Other Excellent ProjectsAutomate Dependency Updates Renovate dete

6、cts updates to packages,container images,and other projects in gitlab.Semantic version generate Semantic Release used to create semantic versioned releases based on conventional commit messagesWhen pair together,you have the ability to create semantic versioned SBOMs which are updated automatically