Introduction to Software Bill of Materials

What is an SBOM (Software Bill Of Materials) and why should you care? An SBOM is a critical cybersecurity component to keep track and catalog what is installed (and at what versions) in production environments. With recent cybersecurity threats, SBOMs play an important role to implement a remediation strategy when threats and vulnerabilities are reported. Without an SBOM, it is borderline impossible to detect what exactly is released into production, and what may be vulnerable today.
Topics include:
* Understand the concepts behind an SBOM
* Create an SBOM and use different output formats like CycloneDX to import into other systems
* Use an SBOM to detect CVE and other vulnerabilities associated with installed software
* Capture information about pre-installed system dependencies and nested dependencies
* Use CycloneDX and other machine-readable formats like JSON to import outputs into other systems
A few resources that are helpful if you are trying to get started with SBOMs, generating them and using them to capture vulnerabilities:
* A simple, user-friendly SBOM generator: Syft
* A fast vulnerability matcher that uses SBOMs as input: Grype
* The CycloneDX format