June 23 - 25, 2025
Denver, Colorado

Wednesday June 25, 2025 4:20pm - 5:00pm MDT
Software supply chain attacks have surged in recent years, posing significant threats to organizations. In response, Software Bills of Materials (SBOMs)—structured inventories that document software components—have been proposed to enhance supply chain transparency, track dependencies, and manage vulnerabilities. Despite increasing adoption, their correctness and completeness in real-world open-source ecosystems remain largely unexamined. Incomplete SBOMs can result in overlooked vulnerabilities, while incorrect dependencies may waste resources on triaging non-existent issues.

This talk introduces JBomAudit, an open-source tool to automatically verify Java SBOMs by systematically assessing their correctness and completeness against NTIA minimum requirements. We will cover technical details of JBomAudit, demonstrate how it examines missing and incorrect dependencies, and present findings from our large-scale analysis of over 25,000 Java SBOMs, highlighting the prevalence of non-compliant SBOMs and security implications. We will also discuss common pitfalls in SBOM generation, analyze the root causes of non-compliance, and provide actionable recommendations to improve SBOM quality.
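As an added illustration of the two properties the abstract distinguishes (this is example code written for this page, not JBomAudit's implementation or the speakers' code), the script below runs a completeness check against the NTIA minimum elements (author, timestamp, and per component supplier, name, version, unique identifier and dependency relationship) and a correctness check that compares the dependencies a CycloneDX-style SBOM declares with the set the build actually resolved. The SBOM document, the resolved-dependency set and all function names are constructed assumptions; a real auditor would obtain the resolved set from the build tool's dependency tree.

```python
"""Added example (not JBomAudit's code): an NTIA minimum-element completeness
check and a declared-vs-resolved dependency correctness check for a
CycloneDX-style Java SBOM. All data below is constructed for illustration."""
from datetime import datetime

# Constructed CycloneDX-style SBOM, as it would look after json.load().
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2025-06-25T16:20:00Z",
        "authors": [{"name": "example-sbom-generator"}],  # author of SBOM data
        "component": {"bom-ref": "pkg:maven/org.example/app@1.0.0",
                      "group": "org.example", "name": "app", "version": "1.0.0"},
    },
    "components": [
        {"bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.17.0",
         "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.17.0", "supplier": {"name": "FasterXML"},
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.17.0"},
        # Incomplete: no supplier, no purl/cpe/swid, absent from the graph.
        {"bom-ref": "pkg:maven/org.example/util@3.1",
         "group": "org.example", "name": "util", "version": "3.1"},
        # Incorrect: declared in the SBOM but never resolved by the build.
        {"bom-ref": "pkg:maven/org.example/ghost@0.1",
         "group": "org.example", "name": "ghost", "version": "0.1",
         "supplier": {"name": "Example Org"},
         "purl": "pkg:maven/org.example/ghost@0.1"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/org.example/app@1.0.0",
         "dependsOn": [
             "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.17.0",
             "pkg:maven/org.example/ghost@0.1"]},
    ],
}

# Constructed ground truth: the purls the build actually resolved (a real
# auditor would derive this from the build tool's resolved dependency tree).
RESOLVED_PURLS = {
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.17.0",
    "pkg:maven/org.example/util@3.1",
    "pkg:maven/org.apache.commons/commons-lang3@3.14.0",  # not in the SBOM
}


def component_purl(c):
    """Use the declared purl, else build one from Maven coordinates."""
    if c.get("purl"):
        return c["purl"]
    if c.get("group") and c.get("name") and c.get("version"):
        return f"pkg:maven/{c['group']}/{c['name']}@{c['version']}"
    return None


def check_ntia_completeness(sbom):
    """Return one finding per absent NTIA minimum element: SBOM author and
    timestamp, and per component supplier, name, version, a unique
    identifier, and presence in at least one dependency relationship."""
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("authors"):
        findings.append("metadata: missing author of SBOM data")
    try:
        datetime.fromisoformat(str(meta.get("timestamp")).replace("Z", "+00:00"))
    except ValueError:
        findings.append("metadata: missing or malformed timestamp")
    in_graph = set()
    for d in sbom.get("dependencies", []):
        in_graph.add(d.get("ref"))
        in_graph.update(d.get("dependsOn", []))
    for c in sbom.get("components", []):
        ref = c.get("bom-ref", "<no bom-ref>")
        if not (c.get("supplier") or {}).get("name"):
            findings.append(f"{ref}: missing supplier name")
        if not c.get("name"):
            findings.append(f"{ref}: missing component name")
        if not c.get("version"):
            findings.append(f"{ref}: missing version")
        if not (c.get("purl") or c.get("cpe") or c.get("swid")):
            findings.append(f"{ref}: missing unique identifier (purl/cpe/swid)")
        if ref not in in_graph:
            findings.append(f"{ref}: not in any dependency relationship")
    if not sbom.get("dependencies"):
        findings.append("dependencies: missing dependency relationships")
    return findings


def check_dependency_correctness(sbom, resolved_purls):
    """Compare purls declared in the SBOM with those the build resolved.
    'incorrect' = declared but never resolved (wasted triage effort);
    'missing'   = resolved but not declared (overlooked vulnerabilities)."""
    declared = {p for p in map(component_purl, sbom.get("components", [])) if p}
    return {
        "incorrect": sorted(declared - resolved_purls),
        "missing": sorted(resolved_purls - declared),
    }


if __name__ == "__main__":
    for line in check_ntia_completeness(SAMPLE_SBOM):
        print("completeness:", line)
    for kind, purls in check_dependency_correctness(SAMPLE_SBOM, RESOLVED_PURLS).items():
        for p in purls:
            print(f"{kind}:", p)
```

On the constructed input the completeness check reports only the `util` component (no supplier, no identifier, not in the dependency graph), while the correctness check separates the two failure modes the abstract names: `ghost` is an incorrect dependency that exists only in the SBOM, and `commons-lang3` is a missing one that the build resolved but the SBOM never recorded. Deriving a purl from Maven coordinates when none is declared is a design choice here so that components without identifiers can still be matched against the resolved set rather than silently dropped.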
Speakers
Douglas Schales
Senior Technical Staff Member, IBM
Doug Schales is a Senior Technical Staff Member at IBM Research. He has been involved in security research for over 30 years. His interests are in the areas of using generative AI for security, as well as the application of sketch and probabilistic algorithms in security.
Dhilung Kirat
Senior Research Scientist, IBM Research
Dhilung Kirat is a Research Scientist in the AI Supply Chain Security group of the Security Research department at IBM T.J. Watson Research Center. Dhilung received his PhD in Computer Science from University of California, Santa Barbara in 2015. His research interests revolve around...
Jiyong Jang
Principal Research Scientist, IBM Research
Jiyong Jang is a Principal Research Scientist at IBM Research. His research interests include most areas of computer security, with an emphasis on software and network security. His current research focuses on security analytics to detect advanced threats in complex networking systems...
Yue Xiao
Research Scientist, IBM Research
Dr. Yue Xiao is a Research Scientist at IBM Watson Research. She earned her Ph.D. from Indiana University Bloomington, focusing on GenAI security, privacy compliance, vulnerability assessment, and supply chain security. She has published in top venues (CCS, Usenix Security, NDSS...
Bluebird Ballroom 3G
  OpenGovCon
  • Audience Experience Level Any