For a long time I was preaching the idea that an SBOM can and should essentially be split into 2 parts. The first part is static – that is the actual list of all software components with their fixed metadata (version, purl, hashes, etc). The second part is dynamic – that is things related to… Continue reading SBOM – Not So Static After All
Category: Security
Practical Guide to NTIA Compliant SBOM
In this post I will describe a specific example of how we can generate an SBOM compliant to NTIA minimum specification. I will go over existing tooling, real-world issues and how to work around them. I Problem Statement The document by NTIA outlining minimum SBOM elements was published in 2021. Still, it is a challenge… Continue reading Practical Guide to NTIA Compliant SBOM
SBOMs to xBOMs to Transparency
Here is a recording of my talk at OWASP Ottawa:
3 Dimensions of Versioning Problem
The versioning problem was significant part of my work for the last 6 years. During that time we wrote a versioning library used for automatic bump of versioning of various schemas. On several occasions I was doing talks and materials on versioning, including my blog post on combinatorial explosion and another one on minor component… Continue reading 3 Dimensions of Versioning Problem
Why We Chose CycloneDX Over SPDX
This is my second post in SBOM series where I would explain why we chose CycloneDX over SPDX for our projects. The first post was focusing on the need to have more than one bill of materials to describe any particular product. I Introduction If you search the web or ask ChatGPT about CycloneDX vs… Continue reading Why We Chose CycloneDX Over SPDX
Why a Single SBOM is Never Enough
As I become increasingly involved in SBOM generation and management, I plan to publish a series of posts exploring the current state of SBOMs, the key challenges, and how we at Reliza are addressing them. This is the first post in these series where I would like to discuss just how many SBOMs we actually… Continue reading Why a Single SBOM is Never Enough
Release Metadata Organization Model
Here I would like to describe a model on how we organize storage of release metadata for technology products. This methodology is a part of new Reliza’s project (to be announced soon). This may refer to both software or hardware or a mix of the two. I Problem Statement Various regulator requirements are either mandating… Continue reading Release Metadata Organization Model
Some Security Risks of Using Push-Based CD
Surprisingly I’m recently not finding a strong majority of voices saying that Push-Based Continuous Delivery should never be used due to security concerns. So I feel there is a need to clarify risks more explicitly. First of all here is what I mean by Push-Based CD. Simply, this is the approach, where SSH-key or some… Continue reading Some Security Risks of Using Push-Based CD
Storing Arbitrary Values in Java Keystore
Java Keystore is a nice tool, but it has a very limited number of inputs it supports natively. Mainly those are pem certificates and corresponding keys. Fortunately, there is a way to store arbitrary data using keytool’s -importpass command and base64 encoding. Here is how to achieve that. Let’s imagine we have some secret.bin file,… Continue reading Storing Arbitrary Values in Java Keystore
No good way to verify public image sha256 in docker hub – security concern
This is a little crazy but apparently we don’t have a good way to verify sha256 digests of public images in docker hub. Related thread is here: https://github.com/docker/hub-feedback/issues/1925 and also this stackoverflow is useful: https://stackoverflow.com/questions/57316115/get-manifest-of-a-public-docker-image-hosted-on-docker-hub-using-the-docker-regi . Problems in the nutshell: Publicly displayed digests on docker hub UI do not match those seen when pulling images… Continue reading No good way to verify public image sha256 in docker hub – security concern