Blue Team Set Us Up The SBOM
2019-11-08, 18:40–18:50 (US/Pacific), Blue Day

What if spotting vulnerabilities in your VPN was as easy as checking for allergens in your applesauce? A Software Bill of Materials (SBOM) brings proven supply chain principles to modern software systems.

If there's asbestos in your home or allergens in your food, you'd want to know about it, right? What about Heartbleed in your VPN or EternalBlue on your backup server? Would you want to know about those too? Want to know whether you're impacted by the next critical vulnerability with a six-second SQL query rather than a series of scans?

Well-tested traditional supply chain approaches can yield enormous blue team benefits when applied to modern software environments. For instance, a Software Bill of Materials (SBOM) simply lists software components in a system (and their components...and their components...all the way down). Savvy dev shops have used SBOMs to gain agility and reduce costs for years; defenders are starting to use them to check for risky software components and map a system’s known vulnerabilities.
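To make the "list the components all the way down, then ask one question" idea concrete, here is an added example that is not code from the talk or the speaker's tooling. It flattens a small, constructed SBOM (a simplified CycloneDX-style nesting, not a real export) for two systems into a SQLite table, loads an advisory table, and answers "whether, where, and how" with a single join. The Heartbleed entry uses the real advisory (CVE-2014-0160, OpenSSL 1.0.1 through 1.0.1f); the zlib advisory, the system names, and the component versions are constructed for illustration. The version parser is a deliberately simple assumption that handles `major.minor.patch` plus an OpenSSL-style letter suffix; real inventories should key on package URLs and the advisory feed's own version semantics.

```python
import re
import sqlite3

# Constructed SBOM for two systems. Each component may carry nested
# "components", so the tree goes all the way down (simplified CycloneDX shape).
SBOMS = [
    {"system": "vpn-gateway", "components": [
        {"name": "openvpn", "version": "2.3.2", "components": [
            {"name": "openssl", "version": "1.0.1e", "components": []},
            {"name": "lzo", "version": "2.06", "components": []},
        ]},
        {"name": "openssl", "version": "1.0.1g", "components": []},
    ]},
    {"system": "backup-server", "components": [
        {"name": "backup-agent", "version": "4.1", "components": [
            {"name": "zlib", "version": "1.2.8", "components": []},
            {"name": "openssl", "version": "1.0.2k", "components": []},
        ]},
    ]},
]

# Advisories as inclusive affected ranges: (component, advisory, min, max).
# CVE-2014-0160 (Heartbleed) affects OpenSSL 1.0.1 through 1.0.1f.
# EXAMPLE-ADV-0001 is a constructed placeholder, not a real advisory.
KNOWN_VULNS = [
    ("openssl", "CVE-2014-0160", "1.0.1", "1.0.1f"),
    ("zlib", "EXAMPLE-ADV-0001", "1.2.0", "1.2.8"),
]


def version_key(v):
    """Assumed scheme: '1.0.1f' -> (1, 0, 1, 'f'), so tuples compare in order."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?([a-z]*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor or 0), int(patch or 0), suffix)


def version_in_range(v, lo, hi):
    """Inclusive range check, registered as a SQL function below."""
    return version_key(lo) <= version_key(v) <= version_key(hi)


def flatten(components, path=()):
    """Walk the component tree; yield (name, version, path) for every node."""
    for c in components:
        here = path + (c["name"],)
        yield (c["name"], c["version"], "/".join(here))
        yield from flatten(c.get("components", []), here)


def build_inventory(sboms, vulns):
    """Load flattened SBOMs and advisories into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("version_in_range", 3, version_in_range)
    conn.executescript("""
        CREATE TABLE components(system TEXT, name TEXT, version TEXT, path TEXT);
        CREATE TABLE known_vulns(name TEXT, advisory TEXT,
                                 affected_min TEXT, affected_max TEXT);
    """)
    for s in sboms:
        conn.executemany(
            "INSERT INTO components VALUES (?, ?, ?, ?)",
            [(s["system"], n, v, p) for n, v, p in flatten(s["components"])],
        )
    conn.executemany("INSERT INTO known_vulns VALUES (?, ?, ?, ?)", vulns)
    return conn


# The one query: which system, where in its tree, which version, which advisory.
IMPACT_QUERY = """
SELECT c.system, c.path, c.version, v.advisory
FROM components AS c
JOIN known_vulns AS v ON c.name = v.name
WHERE version_in_range(c.version, v.affected_min, v.affected_max)
ORDER BY c.system, c.path
"""


def find_impact(conn):
    """Return (system, path, version, advisory) rows for every affected component."""
    return conn.execute(IMPACT_QUERY).fetchall()


if __name__ == "__main__":
    inventory = build_inventory(SBOMS, KNOWN_VULNS)
    for system, path, version, advisory in find_impact(inventory):
        print(f"{system}: {path} {version} is affected by {advisory}")
```

Note what the path column buys you: the VPN gateway carries a patched top-level OpenSSL (1.0.1g) and a vulnerable one bundled two levels down under OpenVPN, and only the flattened tree exposes the second. A host scan that checks the system OpenSSL would miss it; the join does not.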

After this talk, you’ll be able to empower the acquisition team to select better options, and more quickly know whether, where, and how you’re affected by the next big bug.

Beau wears a lot of hats, all white. He has hacked medical devices, won Best Mustache at Movember London, evaded Russian Mafiosi near Moscow, brought members of Congress to DEF CON, and learned to throw a curve from a major league pitcher. Beau also helps lead I Am The Cavalry, holds a Fellowship with the Atlantic Council, is Founder/CEO of Stratigos Security, DEF CON Goon, Village organizer, BSidesLV staff, runs Hackers on the Hill, has a BS in Psychology from Georgia Tech, and lives in DC.