Technical Workshop : (Hands-On) Practical Masterclass On SBOM : Building Block In Software & Supply Chain Security


Trainer: Anant Shrivastava & Kumar Ashwin

Anant Shrivastava (BlackHat Asia/USA, Nullcon Trainer)


Anant Shrivastava is a highly experienced information security professional with over 15 years of corporate experience. He is a frequent speaker and trainer at international conferences, and is the founder of Cyfinoid Research, a cyber security research firm. He leads open source projects such as Tamer Platform and CodeVigilant, and is actively involved in information security communities such as null, OWASP and various bsides and defcon groups.



Kumar Ashwin (Bsides Trainer)


Kumar Ashwin is a seasoned security professional with expertise in web, cloud, and software supply chain security. He's active in security communities like The Open Security Community and DEFCON Cloud Village, contributing through talks and developing Capture The Flag challenges. Ashwin's experience spans from offensive security to security engineering, providing unique insights at conferences like x33fcon and BSides. He plays a key role in enhancing organizational security postures. Discover more at his blog: https://krash.dev.


Workshop Duration: 2 Days, 12 Hours
Date: 30th-31st May, Thursday, 2024




SBoMs are one of the most talked-about entities in the current secure development paradigm. However, the focus has been solely on creating SBoMs to satisfy compliance requirements, so at this point they are treated as just another checkbox. Yet SBoMs are, for the first time in a long while, trying to solve the right problem: inventory. While we believe that an SBoM on its own is not the final solution to supply chain security issues, we also strongly believe it is a solid step in the right direction. Hence we have put together this SBoM Masterclass, which focuses not just on creation but on the consumption and usage of SBoMs. As an inventory, an SBoM has a myriad of uses that go beyond the limited scope of detecting the vulnerability status of third-party libraries. This course covers these different uses and identifies scenarios where an SBoM would be useful.

Course Abstract : 

Supply chain security is an ever-present threat looming over organizations. Software Bills of Materials (SBOMs) are a critical piece of the puzzle, yet the process of creating, managing, and utilizing SBOMs remains a mystery to many. This training demystifies the subject, offering hands-on expertise to practitioners facing this challenge. The masterclass adopts a practical and focused approach, starting with an understanding of what SBOMs are, followed by the processes of creating, storing, and validating them. We then delve into how maintaining such an inventory can help organizations prioritize their security efforts from a supply chain perspective.


Workshop Agenda:

Day 1: SBoM Basics

  1. Understanding Supply Chain Security

  2. Where does SBoM Fit into the Picture

  3. Basics of SBoM

    • Introduction to SBOM concepts, purposes, and benefits.
  4. Types of SBoM

    • Overview of different SBOM formats (SPDX, SWID, CycloneDX).
  5. Creation and Validation of SBoM

    • How to Create SBoM.
    • How to Establish Provenance.
    • Where to Store Provenance.
    • How to Validate Provenance.
  6. Automated SBoM Creation

    • Full Cascading SBoM (all-encompassing SBoMs for multi-level dependency trees).
  7. How to Use SBoM

    • SBoM for Dependency Upgrades for Projects: Managing and upgrading project dependencies.
    • SBoM for Vulnerability Identification: Leveraging SBOM for vulnerability detection.
    • Identifying Most Used Third-Party Dependencies across projects.
    • Understanding dependency usage patterns.
    • Dependency Map Across Projects: Visualizing dependencies and their relationships.
    • Auditing Projects Using SBOM: Conducting project audits using SBOM data.
    • License Validation via SBOMs: Ensuring licensing compliance.
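An added example (not from the workshop or its trainers) of consuming a CycloneDX JSON SBOM for three of the uses listed in item 7: license validation, ranking the most-depended-on components, and walking transitive dependencies. The SBOM document and its package URLs are constructed for illustration, and the function names are assumptions of this example.

```python
import json
from collections import Counter

# Constructed CycloneDX 1.5 document for illustration; the purls are made up.
SBOM_JSON = """{
 "bomFormat": "CycloneDX", "specVersion": "1.5",
 "metadata": {"component": {"bom-ref": "app", "name": "shop-api", "version": "2.1.0"}},
 "components": [
  {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests", "licenses": [{"license": {"id": "Apache-2.0"}}]},
  {"bom-ref": "pkg:pypi/urllib3@2.0.7", "name": "urllib3", "licenses": [{"license": {"id": "MIT"}}]},
  {"bom-ref": "pkg:pypi/gpltool@1.0.0", "name": "gpltool", "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
 ],
 "dependencies": [
  {"ref": "app", "dependsOn": ["pkg:pypi/requests@2.31.0", "pkg:pypi/gpltool@1.0.0"]},
  {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["pkg:pypi/urllib3@2.0.7"]},
  {"ref": "pkg:pypi/gpltool@1.0.0", "dependsOn": ["pkg:pypi/urllib3@2.0.7"]}
 ]
}"""

def load_sbom(text):
    sbom = json.loads(text)
    assert sbom.get("bomFormat") == "CycloneDX", "not a CycloneDX document"
    return sbom

def licenses_of(component):
    # A license entry carries an SPDX id or a free-text name; a missing list is flagged.
    return [e.get("license", {}).get("id") or e.get("license", {}).get("name") or "UNKNOWN"
            for e in component.get("licenses", [])] or ["UNKNOWN"]

def denied_license_components(sbom, denylist):
    """License validation: refs of components carrying a denied (or unknown) license."""
    return sorted(c["bom-ref"] for c in sbom["components"]
                  if any(lic in denylist for lic in licenses_of(c)))

def most_depended_on(sbom, top=3):
    """Rank refs by how many components declare a direct dependency on them."""
    counts = Counter(dep for d in sbom.get("dependencies", []) for dep in d.get("dependsOn", []))
    return counts.most_common(top)

def transitive_deps(sbom, ref):
    """All refs reachable from `ref` in the dependency graph (cycle-safe walk)."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    seen, stack = set(), list(graph.get(ref, []))
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(graph.get(node, []))
    return seen
```

The same three functions work unchanged on a real CycloneDX JSON export, since they only rely on the `components`, `licenses` and `dependencies` fields of the format.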


Day 2: Enhancing SBoM

  1. Isolate False Positives
    • Differentiating real threats and false positives.
  2. VDR and VEX Reports
    • Utilizing VDR and VEX in the SBOM context.
  3. Advanced Dependency Tracking
    • Deeper analysis of indirect dependencies.
  4. Automated Compliance Checks
    • Ensuring SBOM compliance with automation.
  5. SBOM Data Visualization
    • Visual tools for complex dependency analysis.
  6. Integrating SBOM with Incident Response Plans
    • Leveraging SBOM in cybersecurity incidents.
  7. Beyond SBoM
    • Cryptographic Bill of Material.
    • SaaS Bill of Material.
    • More xBoMs and how to generate them.



Candidate Requirements:

You need to bring:

Our labs are cloud based, and a browser should be sufficient. However, we will still suggest following hardware specs:

  • Laptop with working browser & unrestricted internet access (at least port 80 and 443. However, some web-socket connections might be required.)
  • We would still recommend bringing a laptop with full administrative access in case any troubleshooting is required.
  • Attendees will need to come with a GitHub account. A fresh organization will be created for all the operations. Any other associated tooling will be provided over a cloud VM for this activity.


Who Should Attend?

  • Software Developers and Engineers
  • IT Managers
  • Security Analysts
  • DevOps Practitioners
  • CTOs and Decision Makers in IT


Set Expectations:

  • Hands on session


Expected Audience Level

  • Beginner / Intermediate
  • Attendees need to have a basic understanding of the software development life cycle. We will cover SBoM from start to finish, but awareness of general development practices and of git and GitHub usage is expected. The course assumes basic familiarity with the command line and Linux.


What Students Will Be Provided With?

  • A very detailed step-by-step instruction manual for all challenges covered during the class
  • A slide deck containing the slides covered during the class
  • A set of cloud virtual machines with all required tools pre-configured




