Talk

SBOMs: Essential for Embedded Systems too!

Watch Now

56:13

EOC 2022

Login to Watch

Kate Stewart

Kate Stewart works with the safety, security and license compliance communities to advance the adoption of best practices into embedded open source projects. Kate was one of the founders of SPDX, and is currently the specification coordinator. Since joining The Linux Foundation, she has launched the ELISA and Zephyr Projects, among others, and oversees other embedded projects hosted by the Linux Foundation. With over 30 years of experience in the software industry, she has held a variety of roles and worked as a developer in Canada, Australia, and the US and for the last 20 years has managed software development teams in the US, Canada, UK, India, and China. She received her Master's in computer science from University of Waterloo and Bachelor's of computer science from the University of Manitoba.

View full profile

Topics Covered

High Reliability Software RTOS Security Open Source

Talk

SBOMs: Essential for Embedded Systems too!

Kate Stewart

56:13 EOC 2022

Kate Stewart

56:13

With the recent focus on improving Cybersecurity, the expectation that a Software Bill of Materials (SBOM) can be produced, is becoming the norm. Having a clear understanding of the software running on an embedded system, especially in safety critical applications, like medical devices, energy infrastructure, etc. has become essential. Regulatory authorities have recognized this and are starting to expect it as a condition for engagement. Safety critical certifications require this level of information already, it just needs to be shared in a standard format so others can do better risk management and vulnerability analysis, as well. This talk will provide an overview of the emerging regulatory landscape, as well as examples of how SBOMs are already being generated today for embedded systems by open source projects such as Zephyr, Yocto and others.

1 / 5

Please log in or create an account to test your knowledge and see the answers.

What main reason did Kate Stewart give for the recent surge of interest in SBOMs for embedded systems?

A To reduce build times by caching components across teams

B To improve security by quickly determining whether products are affected by vulnerabilities in their software supply chain

C To replace safety certifications for regulated devices

D To eliminate the need for open source licenses

E To standardize only the human-readable documentation of components

According to the NTIA-backed SBOM definition Kate described, which set of elements represents the minimum viable contents of an SBOM?

A Only the list of known vulnerabilities and their CVEs

B Supplier name, component name, file name, and a globally unique identifier (e.g., hash or registry ID)

C A PDF summary of components with screenshots for human review

D Only the runtime configuration used on a deployed device

E Only a developer's notes and build-time scripts

Which types of SBOMs did Kate say are most useful during procurement and development?

A Deployed SBOMs that record runtime invocation and configuration

B Binary SBOMs produced by reverse engineering only

C Source and build SBOMs that capture what was pulled into and produced by the build

D License-only manifests for legal review

E Performance SBOMs that list real-time resource usage

If you receive only a binary from a vendor (no source or build info), what approach did Kate recommend?

A Assume the binary is safe if the vendor is well-known; no further action needed

B Discard the binary and demand a full source tree before continuing

C Perform binary analysis to discover metadata and ask the vendor for a binary SBOM as authoritative metadata

D Treat the binary the same as a source SBOM and record build-time dependencies

E Rely solely on runtime intrusion detection to discover vulnerabilities

Which SBOM data formats did the NTIA guidance recommend as supporting the minimum elements today?

A Only proprietary vendor XML schemas

B SPDX, CycloneDX, and SWID tags

C Plain text README files and CSV exports

D JSON-only custom manifests with no standard relationships

E PDF reports generated by manual inventories

Formatting help

italics	surround text with asterisks
bold	surround text with two asterisks
hyperlink	[hyperlink](https://example.com) or just a bare URL
inline code	surround text with single `backticks`
code block (multi-line)	wrap on its own lines with three backticks: ``` your code here ```
~~strikethrough~~	surround text with ~~two tilde characters~~
quote	prefix with >

Upvotes Newest Oldest

No comments or questions yet. Be the first to start the conversation!

Partners & Sponsors

Percepio

Edge Impulse

STMicroelectronics

Renesas

Amazon AWS

The Qt Company

NXP

TUXERA

XMOS

Timesys

Saleae

Become a Sponsor