September 13-16, 2022
Dublin, Ireland + Virtual
View More Details & Registration
Note: The schedule is subject to change.

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for Open Source Summit Europe 2022 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

This schedule is automatically displayed in Irish Standard Time (UTC +1). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date."

IMPORTANT NOTE: Timing of sessions and room locations are subject to change.

Back To Schedule
Tuesday, September 13 • 12:00 - 12:40
Trusted-SBOM: On the Critical Importance of Verifying SBOMs - Haoxiang Zhang, Huawei & Ahmed E. Hassan, Queen's University

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
SBOMs are soon to become a defacto standard for communicating the content of a piece of software. Knowledge about such content is essential for many critical activities (e.g., vulnerability management and license compliance) for securing and ensuring the integrity of software. Today there are many open source and industrial initiatives/tools that focus on producing such SBOMs. However, simply producing an SBOM is not sufficient, instead we must ensure that such SBOMs are trustworthy. In particular, we must ensure that such SBOMs are accurate (not including incorrect dependencies) and comprehensive (not missing any actually-present dependencies). In this talk we advocate the critical importance of quantifying the trustworthiness of a produced SBOM. We provide examples of incorrect SBOMs, then present our efforts and toolsets to verify SBOM. In addition, we will discuss best practices to ensure the trustworthiness and traceability of the actual process that is used to produce the SBOM in turn ensuring that errors can be traced in a systematic manner and providing proof of attestation and due diligence through the whole SBOM generation process. We aim to trigger a community wide discussion on this important and critical topic while sharing our current efforts on this topic.

avatar for Haoxiang Zhang

Haoxiang Zhang

Researcher, Huawei Technologies Canada Co., Ltd.
Haoxiang Zhang is a researcher at the Centre for Software Excellence at Huawei, Canada. His research interests include empirical software engineering, mining software repositories, and intelligent software analytics. Contact haoxiang.zhang@acm.org. More information at: https://ha... Read More →

Ahmed E. Hassan

Professor, Queen's University
Ahmed E. Hassan is an IEEE Fellow, an ACM SIGSOFT Influential Educator, an NSERC Steacie Fellow, and the Canada Research Chair (CRC) in Software Analytics at the School of Computing at Queen’s University, Canada. His research interests include mining software repositories, empirical... Read More →

Tuesday September 13, 2022 12:00 - 12:40 IST
Liffey B Part 2 (Level 1)
  SupplyChainSecurityCon, Cyber Security Considerations