Home > On-Demand Archives > Theatre Talks >

Practical SBOM Management with Zephyr and SPDX

Benjamin Cabé - Watch Now - EOC 2024 - Duration: 34:35

Practical SBOM Management with Zephyr and SPDX
Benjamin Cabé

Writing secure embedded software is a challenging task. What's more, what might be considered secure today may not be secure tomorrow. A Zephyr application is composed of many components, from the Zephyr kernel, to device drivers, to vendor HALs, to application code, and it can be difficult to exactly identify the components you're depending on to be able to assess whether you're vulnerable to a particular CVE or not.

This talk will show you in very practical terms how to leverage state of the art standards and tools to precisely identify the "manifest" (a.k.a. Software Bill of Materials, SBOM) of your Zephyr application, and how to use that information to assess your security posture and to respond to security incidents.

We will demo a variety of tools that you may want to add to your development workflow to generate Zephyr SBOMs, visualize the information they contain, check them against known vulnerabilities, and more.

M↓ MARKDOWN HELP
italicssurround text with
*asterisks*
boldsurround text with
**two asterisks**
hyperlink
[hyperlink](https://example.com)
or just a bare URL
code
surround text with
`backticks`
strikethroughsurround text with
~~two tilde characters~~
quote
prefix with
>

Bartlomiej
Score: 0 | 2 months ago | 3 replies

Do you plan to add the ability to generate SBOM to the west twister command?

kartbenSpeaker
Score: 0 | 2 months ago | 1 reply

Hi!
Twisted is used to run unit tests, so could you elaborate on what you exactly mean as I am not sure I understand the question :) Cheers!

Bartlomiej
Score: 0 | 2 months ago | no reply

You can also build projects with Twister. In the *.yaml file, you can indicate that twister should create several binary files based on the configuration indicated there (additional kconfigs, additional shelids, various programming libraries, etc.). Therefore, it would be easier if twister could have the option to generate SBOM files. It is easier to integrate it on CI where we require that an SBOM be generated for each binary in my company. I may have mixed something up.

Bartlomiej
Score: 0 | 2 months ago | no reply
This post has been deleted by the author
Bartlomiej
Score: 0 | 2 months ago | no reply
This post has been deleted by the author

OUR SPONSORS

OUR PARTNERS