From YouTube: SBOMs, VEX, and Kubernetes


Don't miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe in Amsterdam, The Netherlands from 18 - 21 April, 2023. Learn more at The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

SBOMs, VEX, and Kubernetes - Kiran Kamity, Deepfactor; Jonathan Meadows, Citi; Dr. Allan Friedman, Cybersecurity and Infrastructure Security Agency; Andrew Martin, Control Plane; Rose Judge, VMware

Software supply chain security is rapidly becoming critical to overall security. Software Bill of Materials (SBOM) formats are standardizing around CycloneDX, SPDX, etc. VEX (Vulnerability Exploitability eXchange) is emerging as a standardized companion to SBOMs that states whether a known vulnerability in a listed component is actually exploitable in the product that ships it. For Kubernetes app developers, how do we address the supply chain problem? This panel discusses the practical and operational aspects of gathering, using, and handling SBOMs for containers: both those running on Kubernetes and the underlying images that comprise Kubernetes itself. We will cover use cases from open source projects, through vendors and cloud providers, to the use of SBOMs in highly regulated environments including financial services and critical national infrastructure. Panelists include experts and practitioners with deep expertise in SBOMs, VEX, supply chain security, and cloud native application security.
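To make the SBOM/VEX relationship described above concrete, here is an added example (not from the panel or any of the panelists' projects) that triages scanner findings against an SBOM component inventory using VEX statements. The JSON shapes, package URLs and vulnerability identifiers are all constructed placeholders, loosely modelled on CycloneDX component entries and OpenVEX-style statements but not spec-exact; the status and justification vocabulary is the common VEX one (`not_affected`, `affected`, `fixed`, `under_investigation`).

```python
"""Triage container-scanner findings using an SBOM and VEX statements.

Added illustration with constructed sample data; field names are simplified
and not a faithful rendering of any one SBOM/VEX specification.
"""
import json

# Constructed SBOM: the component inventory of an image, keyed by purl.
SBOM_JSON = """
{
  "components": [
    {"name": "libfoo", "version": "1.2.3", "purl": "pkg:deb/debian/libfoo@1.2.3"},
    {"name": "libbar", "version": "4.5.6", "purl": "pkg:deb/debian/libbar@4.5.6"},
    {"name": "baz",    "version": "0.9.0", "purl": "pkg:pypi/baz@0.9.0"}
  ]
}
"""

# Constructed scanner output: one finding per (component, vulnerability id).
# The ids are placeholders, not real advisories.
FINDINGS = [
    {"purl": "pkg:deb/debian/libfoo@1.2.3", "id": "VULN-PLACEHOLDER-1"},
    {"purl": "pkg:deb/debian/libbar@4.5.6", "id": "VULN-PLACEHOLDER-2"},
    {"purl": "pkg:pypi/baz@0.9.0",          "id": "VULN-PLACEHOLDER-3"},
    {"purl": "pkg:pypi/notinsbom@1.0.0",    "id": "VULN-PLACEHOLDER-4"},
]

# Constructed VEX document: the supplier's assertion, per product, of whether
# a vulnerability is exploitable. A not_affected claim must carry a justification.
VEX_JSON = """
{
  "statements": [
    {"vulnerability": "VULN-PLACEHOLDER-1",
     "products": ["pkg:deb/debian/libfoo@1.2.3"],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": "VULN-PLACEHOLDER-2",
     "products": ["pkg:deb/debian/libbar@4.5.6"],
     "status": "affected"},
    {"vulnerability": "VULN-PLACEHOLDER-3",
     "products": ["pkg:pypi/baz@0.9.0"],
     "status": "fixed"}
  ]
}
"""

VALID_STATUS = {"not_affected", "affected", "fixed", "under_investigation"}


def load_sbom_purls(sbom_text):
    """Return the set of package URLs the SBOM says are in the image."""
    data = json.loads(sbom_text)
    return {c["purl"] for c in data.get("components", []) if "purl" in c}


def index_vex(vex_text):
    """Map (vulnerability id, purl) -> statement.

    Unknown statuses and not_affected claims without a justification are
    rejected, so a malformed VEX cannot silently suppress findings.
    """
    data = json.loads(vex_text)
    index = {}
    for st in data.get("statements", []):
        status = st.get("status")
        if status not in VALID_STATUS:
            raise ValueError(f"unknown VEX status {status!r}")
        if status == "not_affected" and not st.get("justification"):
            raise ValueError(f"not_affected without justification for {st.get('vulnerability')}")
        for purl in st.get("products", []):
            index[(st["vulnerability"], purl)] = st
    return index


def triage(findings, sbom_purls, vex_index):
    """Split findings into suppressed (VEX says not exploitable or already
    fixed), actionable (affected, under investigation, or no VEX coverage),
    and findings for components the SBOM does not even list."""
    result = {"suppressed": [], "actionable": [], "not_in_sbom": []}
    for f in findings:
        if f["purl"] not in sbom_purls:
            result["not_in_sbom"].append(f)
            continue
        st = vex_index.get((f["id"], f["purl"]))
        if st and st["status"] in ("not_affected", "fixed"):
            result["suppressed"].append(
                {**f, "status": st["status"], "justification": st.get("justification")})
        else:
            result["actionable"].append({**f, "status": st["status"] if st else "no_vex"})
    return result


def run():
    return triage(FINDINGS, load_sbom_purls(SBOM_JSON), index_vex(VEX_JSON))


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

The design choice worth noting is the third bucket: a finding whose component is absent from the SBOM is a signal that the inventory and the scanned artifact have drifted apart, which is an SBOM-quality problem rather than a vulnerability to triage, and it is kept separate so it is not quietly dropped.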