
SBOMs: Essential for Embedded Systems too!

Kate Stewart - EOC 2022 - Duration: 56:13

Kate Stewart
With the recent focus on improving cybersecurity, the expectation that a Software Bill of Materials (SBOM) can be produced is becoming the norm. Having a clear understanding of the software running on an embedded system, especially in safety-critical applications such as medical devices and energy infrastructure, has become essential. Regulatory authorities have recognized this and are starting to expect it as a condition for engagement. Safety-critical certifications already require this level of information; it just needs to be shared in a standard format so that others can do better risk management and vulnerability analysis as well. This talk will provide an overview of the emerging regulatory landscape, as well as examples of how SBOMs are already being generated today for embedded systems by open source projects such as Zephyr, Yocto and others.


09:44:53	 From Nathan O. : Does the software supply chain also include scripts and software used by the developers during development phases only?
09:45:37	 From Phil Kasiecki : I'm looking forward to checking out the Zephyr Developer Summit as I'm intrigued by Zephyr (and that began with your excellent presentation at this event last year)
09:45:42	 From Patrick Little : Is there a recommended approach when using vendor-specific toolchains like IAR or Keil?
09:46:52	 From Leandro Pérez : I tried to start with Zephyr on the ESP32... However, I had many problems setting up the environment to compile it :( I didn't continue with it… What advice can you give me?
09:47:18	 From Nathan O. : Are there any easily accessible tools for building an SBOM for projects that use neither Zephyr nor Yocto?
09:48:26	 From Leandro Pérez : Thanks Kate
09:57:04	 From Al Anway : There are recent horror stories of package authors sabotaging their components which then break hundreds or thousands of downstream projects.

I've been evaluating different Linux distributions and have been concerned about the danger of allowing the installed distro to update itself.  How can users know whether it's safe to allow this?  Is there SBOM adoption among distro authors and how do we find out for a given distro?
09:57:54	 From Michael Kirkhart : I believe this has mainly occurred in the node.js ecosystem.
09:58:24	 From Leandro Pérez : All is connected now heh heh
10:00:08	 From Leandro Pérez : Sure Kate… Thanks
10:00:15	 From Nathan O. : Thanks!