June 23 - 25, 2025
Denver, Colorado
Note: The schedule is subject to change.

Monday June 23, 2025 4:30pm - 5:10pm MDT
Most developers generating SBOMs run a tool like Syft or Trivy and yell "SHIP IT!" While that may produce an SBOM that meets the NTIA minimum elements, it often lacks the information that makes it truly actionable for downstream users.

This talk covers the work of the CISA SBOM Community Tiger Team, which created SBOM generation reference implementations for multiple languages and scenarios. We will walk through the distinct phases of SBOM generation and highlight how each step contributes to a more robust and actionable SBOM. By expanding the SBOM authoring process, organizations can integrate multiple data sources, improve metadata accuracy, and tailor their workflows to evolving security frameworks. This approach enables tool interchangeability while preserving data integrity and transparency.

Additionally, we will explore the implementations, including the integration of SBOM generation into CI/CD pipelines on GitHub and GitLab, support for multiple programming languages, and interoperability with both the CycloneDX and SPDX formats. We will also discuss ecosystem challenges such as supplier identification, license consistency, and benchmarking completeness.
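To make the gap the abstract describes concrete, the following is an added example (not the Tiger Team's reference implementation and not code from the talk) that audits a CycloneDX JSON document for the NTIA minimum elements and then for the extra fields a downstream consumer needs to act on each entry. The sample SBOM is constructed inline in the shape of raw scanner output; treating licenses and hashes as the "actionable" fields, and accepting `tools` as the document author, are assumptions made here.

```python
"""Audit a CycloneDX JSON SBOM for NTIA minimum elements and for the extra
fields that make it actionable downstream (licenses, hashes, dependency graph).

Added illustration for the talk abstract; not the CISA Tiger Team's reference
implementation. Field names follow the CycloneDX 1.5 JSON schema; what counts
as "actionable" beyond the minimum is an assumption of this example.
"""
import hashlib
from typing import Any

# Constructed sample shaped like a scanner's raw output (not real tool output).
# "requests" carries license and hash data; "urllib3" has only the bare minimum,
# and neither names a supplier, which is typical of an unenriched scan.
_DEMO_HASH = hashlib.sha256(b"constructed-demo-artifact").hexdigest()
SAMPLE_SBOM: dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2025-06-23T16:30:00Z",
        "authors": [{"name": "build-pipeline"}],
        "component": {"type": "application", "bom-ref": "app", "name": "demo-app", "version": "1.2.0"},
    },
    "components": [
        {
            "type": "library", "bom-ref": "pkg:pypi/requests@2.31.0",
            "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0",
            "licenses": [{"license": {"id": "Apache-2.0"}}],
            "hashes": [{"alg": "SHA-256", "content": _DEMO_HASH}],
        },
        {
            "type": "library", "bom-ref": "pkg:pypi/urllib3@2.2.1",
            "name": "urllib3", "version": "2.2.1", "purl": "pkg:pypi/urllib3@2.2.1",
        },
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/requests@2.31.0"]},
        {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["pkg:pypi/urllib3@2.2.1"]},
    ],
}


def audit_document(sbom: dict[str, Any]) -> list[str]:
    """Document-level NTIA minimum elements: author of the SBOM data and a timestamp."""
    meta = sbom.get("metadata", {})
    missing = []
    if not meta.get("timestamp"):
        missing.append("timestamp")
    # CycloneDX records the author as people ("authors") or as the generating tool(s).
    if not (meta.get("authors") or meta.get("tools")):
        missing.append("author")
    return missing


def audit_component(comp: dict[str, Any]) -> tuple[list[str], list[str]]:
    """Return (missing NTIA minimum fields, missing actionability fields) for one component."""
    minimum, actionable = [], []
    supplier = comp.get("supplier") or {}
    if not (supplier.get("name") or comp.get("publisher")):
        minimum.append("supplier")
    if not comp.get("name"):
        minimum.append("name")
    if not comp.get("version"):
        minimum.append("version")
    if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
        minimum.append("unique identifier")
    # Beyond the minimum: what a vulnerability scanner or license reviewer needs.
    if not comp.get("licenses"):
        actionable.append("license")
    if not comp.get("hashes"):
        actionable.append("hashes")
    return minimum, actionable


def audit_dependencies(sbom: dict[str, Any]) -> list[str]:
    """Components absent from the dependency graph (the NTIA 'dependency relationship' element)."""
    in_graph: set[str] = set()
    for dep in sbom.get("dependencies", []):
        in_graph.add(dep.get("ref", ""))
        in_graph.update(dep.get("dependsOn", []))
    return [c["bom-ref"] for c in sbom.get("components", []) if c.get("bom-ref") not in in_graph]


def audit(sbom: dict[str, Any]) -> dict[str, Any]:
    """Aggregate the checks into a report a CI job can gate on."""
    per_component = {c.get("name", c.get("bom-ref", "?")): audit_component(c) for c in sbom.get("components", [])}
    report: dict[str, Any] = {
        "document_missing": audit_document(sbom),
        "components": {name: {"minimum": mn, "actionable": act} for name, (mn, act) in per_component.items()},
        "orphan_components": audit_dependencies(sbom),
    }
    report["ntia_minimum_met"] = (
        not report["document_missing"]
        and not report["orphan_components"]
        and all(not v["minimum"] for v in report["components"].values())
    )
    report["actionable"] = report["ntia_minimum_met"] and all(
        not v["actionable"] for v in report["components"].values()
    )
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_SBOM), indent=2))
```

On the constructed sample, both components fail the minimum check on `supplier` alone, and `urllib3` additionally lacks license and hash data, so the report comes back with `ntia_minimum_met` and `actionable` both false; that is the "ships but is not actionable" state the abstract describes, and it is exactly the kind of gate an enrichment step in the pipeline should clear before the SBOM is published. To run it on real scanner output, replace `SAMPLE_SBOM` with the parsed JSON file; an SPDX document would need its own field mapping (`supplier`, `packageVerificationCode`/`checksums`, `relationships`) rather than these CycloneDX keys.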
Speakers
Ian Dunbar-Hall

Open Source Program Office, Lockheed Martin
Ian holds the position of Chief Engineer for the Lockheed Martin Software Factory and specializes in DevSecOps and full-stack engineering. He is also a maintainer of SBOMit and an OpenSSF Governing Board General Member Representative.
Gary O'Neall

Founder and Principal Consultant, Source Auditor Inc.
Gary is a contributor to the Software Package Data Exchange® (SPDX™), an open standard for communicating software bill of materials information, including components, licenses, copyrights, and security references. Gary has contributed several open source tools.
Bluebird Ballroom 3F
OpenGovCon