Practical SBOM Management with Zephyr and SPDX – Benjamin Cabé, The Linux Foundation

The Zephyr® Project strives to deliver the best-in-class RTOS for connected, resource-constrained devices, built to be secure and safe. Learn more at https://www.zephyrproject.org

Writing secure embedded software is a challenging task. What’s more, what might be considered secure today may not be secure tomorrow. A Zephyr application is composed of many components, from the Zephyr kernel, to device drivers, to vendor HALs, to application code, and it can be difficult to identify exactly which components you depend on in order to assess whether or not you are vulnerable to a particular CVE. This talk shows, in very practical terms, how to leverage state-of-the-art standards and tools to precisely identify the “manifest” (a.k.a. Software Bill of Materials, SBOM) of your Zephyr application, and how to use that information to assess your security posture and respond to security incidents. We will demo a variety of tools that you may want to add to your development workflow to generate Zephyr SBOMs, visualize the information they contain, check them against known vulnerabilities, and more.

by The Zephyr Project
