Leveraging Software Bill of Materials (SBOM) to foster open source software security

Presented at Diana Initiative 2022, Aug. 10, 2022, 11 a.m. (60 minutes)

In this presentation, we demonstrate a proof of concept illustrating how accurate software bills of materials generated from source code, at build time and at run time can help an organization systematically reduce its open source software security risk. First we walk you through the existing open source tools we examined for SBOM generation and enumerate the challenges we faced employing them to generate SBOMs. Then we outline the use cases of SBOM, including how security teams can take initiatives based on the information extracted from SBOMs to run a company-wide software life cycle management program. We use a purple teaming approach to prioritize vulnerabilities based on information obtained from SBOMs. This talk is an enabler for everyone who wants to improve their overall open source software security at scale.
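The abstract rests on comparing SBOMs captured at three stages and using the result to rank vulnerabilities. The following is an added example, not code from the talk or from Datadog, showing that idea on constructed CycloneDX-style SBOM fragments: it reconciles the source, build and run-time documents, flags components that reached run time without being declared in source, and scores each advisory-affected component by severity times the furthest stage it reaches. All package names, versions and advisory identifiers are placeholders.

```python
"""Reconcile SBOMs captured at three stages and rank vulnerable components.

Added example. The SBOM documents below are constructed, CycloneDX-style
JSON carrying only the fields used here; component names, versions and
advisory identifiers are placeholders, not real packages or real CVEs.
"""
import json
from collections import defaultdict

# Constructed SBOM fragments: source (declared), build (resolved), run time (loaded).
SBOM_SOURCE = json.dumps({"components": [
    {"name": "webframework", "version": "2.1.0", "purl": "pkg:pypi/webframework@2.1.0"},
    {"name": "jsonlib",      "version": "1.4.2", "purl": "pkg:pypi/jsonlib@1.4.2"},
    {"name": "testtool",     "version": "7.0.0", "purl": "pkg:pypi/testtool@7.0.0"},
]})
SBOM_BUILD = json.dumps({"components": [
    {"name": "webframework", "version": "2.1.0", "purl": "pkg:pypi/webframework@2.1.0"},
    {"name": "jsonlib",      "version": "1.4.3", "purl": "pkg:pypi/jsonlib@1.4.3"},    # resolver bumped the patch level
    {"name": "testtool",     "version": "7.0.0", "purl": "pkg:pypi/testtool@7.0.0"},
    {"name": "yamlparse",    "version": "0.9.1", "purl": "pkg:pypi/yamlparse@0.9.1"},  # transitive, never declared
]})
SBOM_RUNTIME = json.dumps({"components": [
    {"name": "webframework", "version": "2.1.0", "purl": "pkg:pypi/webframework@2.1.0"},
    {"name": "jsonlib",      "version": "1.4.3", "purl": "pkg:pypi/jsonlib@1.4.3"},
    {"name": "yamlparse",    "version": "0.9.1", "purl": "pkg:pypi/yamlparse@0.9.1"},
]})

# Constructed advisory feed keyed by Package URL (placeholder IDs, not real advisories).
ADVISORIES = {
    "pkg:pypi/yamlparse@0.9.1": {"id": "ADV-EXAMPLE-1", "severity": "critical"},
    "pkg:pypi/testtool@7.0.0":  {"id": "ADV-EXAMPLE-2", "severity": "high"},
    "pkg:pypi/jsonlib@1.4.2":   {"id": "ADV-EXAMPLE-3", "severity": "high"},
}

STAGE_WEIGHT = {"runtime": 3, "build": 2, "source": 1}
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def load_components(sbom_json):
    """Return {purl: name} for every component in a CycloneDX-style document."""
    doc = json.loads(sbom_json)
    return {c["purl"]: c["name"] for c in doc.get("components", [])}


def reconcile(sboms):
    """Map each purl to the set of stages in which it appears.

    `sboms` is {stage_name: sbom_json}. Disagreement between stages is the
    useful signal: a version seen only in the source SBOM was never built,
    and a purl seen only at build or run time was pulled in transitively.
    """
    presence = defaultdict(set)
    for stage, sbom_json in sboms.items():
        for purl in load_components(sbom_json):
            presence[purl].add(stage)
    return dict(presence)


def prioritize(presence, advisories):
    """Rank advisory-affected components, highest score first.

    Score = severity weight * weight of the furthest stage reached, so a
    critical flaw in something loaded at run time outranks a high flaw in a
    build-only tool, which outranks a flaw in a version that never shipped.
    """
    ranked = []
    for purl, stages in presence.items():
        adv = advisories.get(purl)
        if adv is None:
            continue
        exposure = max(STAGE_WEIGHT[s] for s in stages)
        score = SEVERITY_WEIGHT[adv["severity"]] * exposure
        ranked.append({"purl": purl, "advisory": adv["id"],
                       "stages": sorted(stages), "score": score})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


def drift(presence):
    """Purls present at run time that the source SBOM never declared."""
    return sorted(p for p, s in presence.items()
                  if "runtime" in s and "source" not in s)


if __name__ == "__main__":
    pres = reconcile({"source": SBOM_SOURCE, "build": SBOM_BUILD, "runtime": SBOM_RUNTIME})
    for row in prioritize(pres, ADVISORIES):
        print(row)
    print("undeclared at run time:", drift(pres))
```

On this input the run-time-loaded `yamlparse` advisory ranks first, the build-only `testtool` second, and the `jsonlib@1.4.2` advisory last because that version never left the source manifest; `drift()` additionally surfaces both `jsonlib@1.4.3` (silent version drift) and `yamlparse` as components running in production without a matching source declaration.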


Presenters:

  • Trupti Shiralkar - Datadog
    Trupti Shiralkar is a security engineering manager at Datadog. She is passionate about implementing a holistic approach to security and privacy by design and believes in scaling product security through “shift-left” transformations. She holds a Master of Science degree in Information Security from the Johns Hopkins University Information Security Institute (JHUISI) and several security certifications. Trupti’s industry experience ranges from Fortune 500 companies to startups, including Illumio, Amazon, Hewlett Packard, Q2Ebanking and ATSEC Information Security. She holds a patent for secure and anonymous electronic polling. She is also a certified meditation instructor and loves teaching meditation techniques to strike a work-life balance.
  • Hossein Siadati - Datadog
    Hossein Siadati is a computer scientist and Senior Security Engineer at Datadog. He specializes in addressing software supply chain security, network security, user authentication and fraud issues using technical and social approaches. He holds a PhD from New York University (2019) and has published several peer-reviewed papers in top security conferences including CCS, USENIX and NDSS. Hossein is also a co-author of a security-related book (Understanding Social Engineering Based Scams) and a reviewer for security journals. Hossein’s industry experience spans Agari (an email security startup acquired by HelpSystems), PayPal, Qualcomm and Google. Hossein loves nature and is a recent fan of surfing!