Session
Schedule FOSDEM 2022
Software composition and dependency management

Operationalize SBOM with OWASP Dependency-Track

D.dependency
Steve Springett
<p>Dependency-Track is an intelligent Component Analysis platform that allows organizations to operationalize the use of CycloneDX Software Bill of Materials (SBOM). The platform allows organizations to quickly identify and reduce risk in the software supply chain and is ideal for use in modern DevSecOps environments, procurement, and M&amp;A.</p> <p>Discover the benefits of leveraging OWASP CycloneDX Software Bill of Materials along with OWASP Dependency-Track.</p>
Dependency-Track maintains accurate and complete inventory of all libraries, frameworks, applications, containers, operating systems, firmware, hardware, and services across an organization. The platform provides full-stack traceability for the cloud, for the enterprise, for smart devices, and for IoT. Dependency-Track can quickly identify vulnerable components and supports multiple sources of vulnerability intelligence including the National Vulnerability Database (NVD), Sonatype OSS Index, GitHub Advisories, and VulnDB from Risk Based Security. The platform has a flexible policy engine and identifies security, operational, and license risk across development teams, suppliers, and partners in the supply chain.

Additional information

Type devroom

More sessions

2/6/22
Software composition and dependency management
D.dependency
<p>The devroom intro by devroom organization team!</p>
2/6/22
Software composition and dependency management
Philippe Ombredanne
D.dependency
<p>Package URLs are a compact way to identify software packages across multiple ecosystems. Together with the new "vers" Version Range Specifier, these two mini specs will offer a new way to create new, mostly universal dependency resolvers and installers, working across ecosystems.</p>
2/6/22
Software composition and dependency management
Ana Jimenez Santamaria
D.dependency
<p>Legal Risk Mitigation is one of the three main functions of an <a href="https://github.com/todogroup/ospodefinition.org">OSPO</a> (designated places where open source is supported, nurtured, shared, explained, and grown inside an organization). OSPOs often oversee aspects of a company’s open source license compliance process and supply chain as one of the first activities. The responsibilities include:</p> <ul> <li>Maintaining open source license compliance reviews and oversight</li> ...
2/6/22
Software composition and dependency management
Pierre Marty
D.dependency
<p>This talk aims at presenting our trials and tribulations as well as our achievements in designing a compliance software project for open source licenses.</p> <p><em>"Are all module licenses in our software project compliant with each other ?"</em> Many of our customers have asked us this question even though they already had a plethora of software solutions (not always FOSS software) dealing with this topic. This surprised us, and led us to seek out the cause of their uncertainty. We then ...
2/6/22
Software composition and dependency management
Kouki Hama
D.dependency
<p>The management of SBoM (software bill of material) is very important for companies to comply with the OpenChain specification.The latest features of SW360 support the management of license obligations and the management of SBOMs in SPDX format. In this presentation, I will introduce and demonstrate the features of SW360.</p>
2/6/22
Software composition and dependency management
Maximilian Huber
D.dependency
<p>Granted that software composition and dependency processing are very relevant for software engineering. The presentations have pointed out how such processing is embedded into activities of an organization. We would like to gather feedback about how the current status of adoption and integration looks like.</p>
2/6/22
Software composition and dependency management
D.dependency
<p>break</p>