johnandersen777 / dotfiles

The Unlicense

1 stars 1 forks source link

SBOM #2

Open johnandersen777 opened 2 months ago

johnandersen777 commented 2 months ago

2024-09-11 SBOM-a-Rama Day 1

OWASP Transparency Exchange API (TEA)
- Olle (who's also from SCITT) Project Kowola
- https://github.com/cyclonedx/transparency-exchange-api
- TEI - Transparency Exchange Identifier
- Uses UUIDs, could use CUUIDs
- You transfer SCITT statements using the API, it's an API for federation
Tiger Teams at CISA
- Information Sharing Center and Analysis Center as SBOM Distributors
- Terminology
  - SBOM Distributor
  - Potentially not public info
  - Discovery
    - Trying to solve am I affected by log4j problem
    - How can consumers find them
    - How can we make producers and consumers known to each other
    - Access control
    - Centralized
- They have a methodology for other ISAC's to follow for effectively federation but manual
- AIBOM Tiger Team
- https://github.com/aibom-squad/AIBOM-Tiger-Team
- OpenSSF AI/ML Security Weekly is the hour before
  - https://zoom-lfx.platform.linuxfoundation.org/meeting/97349085860?password=3d2b70af-6d20-4b45-ac5b-de4e99e964ae
- Bi-weekly, Mondays at 2pm ET
  - https://zoom.us/j/99364733823?pwd=4aC6gbL1LppjBP3AuaSzr1XNHky4YP.1
  - Meeting ID: 993 6473 3823
  - Passcode: 283563
- Did a workshop at RSA to align specs and implementations on feasibility
- Aim is to produce best practice methodology docs
- BOMOPs Tiger Team
- Finished scoping
- Currently discussing and refining use cases
  - Track EOLs
  - Find XKCD fails
Questions
- [ ] Selective disclosure