Davor Frkat
Automotive security by day, minority activist by night. A stickler for details, passionate about data ethics and security tools that make sense. Allergic to checkbox security.
Session
This talk is about the nasty corner cases in generating an SBOM. A noble and justified demand, by customers and regulators alike, but with so many more obstacles than initially expected. We were naive. We thought, "How hard can it be to list all software components in a product?"
With increasing regulatory demand, e.g., the Cyber Resilience Act, we would like to share some of the observations we made. Some of the challenges we encountered will seem familiar to people working on the subject; others may be completely new to you. They cover legacy software, how naming things can be hard, technical debt, issues with the NIST CVE data enrichment (or lack thereof), and more.
Spoiler: AI won't help you here.