Loading…
June 23 - 25, 2025
Denver, Colorado
View More Details & Registration
Note: The schedule is subject to change.

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for Open Source Summit North America 2025 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

This schedule is automatically displayed in Mountain Daylight Time (UTC/GMT -6). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date."

IMPORTANT NOTE: Timing of sessions and room locations are subject to change.
← Back to schedule
Trust but Verify: Uncovering the Hidden Risks of Inaccurate SBOMs With JBomAudit - Yue Xiao & Dhilung Kirat, IBM Research
Wednesday June 25, 2025 4:20pm - 5:00pm MDT
Bluebird Ballroom 3G
Additional Authors: Jiyong Jang & Douglas Schales, IBM Research

Software supply chain attacks have surged in recent years, posing significant threats to organizations. In response, Software Bill of Materials (SBOMs)—structured inventories that document software components—have been proposed to enhance supply chain transparency, track dependencies, and manage vulnerabilities. Despite increasing adoption, their correctness and completeness in real-world open-source ecosystems remain largely unexamined. Incomplete SBOMs can result in overlooked vulnerabilities while incorrect dependency may waste resources on non-existent issues.

This talk introduces JBomAudit, an open-source tool to automatically verify Java SBOMs by systematically assessing their correctness and completeness against NTIA minimum requirements. We will cover technical details of JBomAudit, demonstrate how it examines missing and incorrect dependencies, and present findings from our large-scale analysis of over 25,000 Java SBOMs, highlighting the prevalence of non-compliant SBOMs and security implications. We will also discuss common pitfalls in SBOM generation, analyze the root causes of non-compliance, and provide actionable recommendations to improve SBOM quality.
Speakers
avatar for Dhilung Kirat

Dhilung Kirat

Senior Research Scientist, IBM Research
Dhilung Kirat is a Research Scientist in the AI Supply Chain Security group of the Security Research department at IBM T.J. Watson Research Center. Dhilung received his PhD in Computer Science from University of California, Santa Barbara in 2015. His research interests revolve around... Read More →
avatar for Yue Xiao

Yue Xiao

Research Scientist, IBM Research
Dr. Yue Xiao is a Research Scientist at IBM Watson Research. She earned her Ph.D. from Indiana University Bloomington, focusing on GenAI security, privacy compliance, vulnerability assessment, and supply chain security. She has published in top venues (CCS, Usenix Security, NDSS... Read More →
Wednesday June 25, 2025 4:20pm - 5:00pm MDT
Bluebird Ballroom 3G
  OpenGovCon
  • Audience Experience Level Any

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Tweet Share

Get help with the event

Contact event planner Event login
View support guides Find upcoming events
Create an event you'd love to attend !
Explore why organizers choose Sched Success stories
Sched forms Call for papers Badges Conferences Event App Scheduling Event registration Event ticketing
© 2025. SCHED LLC - All rights reserved - Helping events since 2008
Event Planning App Privacy Terms
Share Modal

Share this link via

Or copy link