Can SBOMs Everywhere Work in Japan? - Takuya Yoshikawa, Cybozu
A: Hello, I'm Takuya Yoshikawa from Cybozu. In this talk I want to explain what we need to consider to make SBOMs Everywhere work in Japan, especially for cloud service providers like us. SBOMs are not so widely used yet, except for a few industries in Japan. I hope this talk will help us move forward.
A: So let me introduce a bit about Cybozu: we are a cloud service provider in Japan, enhancing teamwork and increasing productivity through our products. We are also contributing to OSS communities, not just using OSS but developing and feeding OSS communities, and we sometimes open source our products. For example, MOCO and TopoLVM are getting used in Kubernetes communities.
A: The basic concept is clear and understandable: standardized formats will be useful, and with SBOMs we can describe software dependencies better. But SBOM usage still varies between industries. For some who are outsourcing their development, it may be just a matter of getting the software list in SBOM format, but for us, who are not outsourcing, it's not clear with whom SBOMs will be shared and for what they will be used. So, to move forward, the benefits of SBOMs need to be much clearer.
B: Yeah, no, I know we said we'd compress the amount of time together, but if you don't mind, maybe I could ask a few questions. SBOMs of course stand for software bill of materials, right? And one reason why this is important in security, I like to use the example of, you know...
B: When you look at a bottle of ketchup, you can see the ingredients on the bottle of ketchup, and this is important not just because you might want to know what's inside the bottle, but for security, because my wife is allergic to paprika, and paprika is a very common ingredient now in so many different processed and prepared foods, like as a food coloring. So having the label that explains what's inside the ketchup bottle, you know, and mentions paprika...
B: It makes it faster to find when you're using something that's vulnerable, even if it would otherwise be very difficult to scan, or that sort of thing. And a software bill of materials can describe not just what's inside, but we can start to use it to describe limits or characteristics or other metadata around these objects, right. So what do you see, perhaps, as one of the biggest challenges to adoption of software bill of materials in Japan?
A: It depends on industries, and for us, we are now actually preparing for SBOMs, but at which points we need to make SBOMs is not so clear, because in the world we are now developing many, many good tools, but when we can use such tools is not so clear. So, yeah, we are now slowly preparing SBOMs, and I'm not sure it's enough, so we maybe need to speed up, but it's not so clear. So the whole schedule should be more open and shared, I think.
B: Now, the OpenSSF has been funding work in the software bill of materials area. We've been spending some money to improve libraries written in Python to support the SPDX standard. I know there's two major standards in SBOMs, SPDX and CycloneDX, and they have some big differences, and we're working to try to get them to play nicely with each other.
B: But we've been investing to try to help get SBOM generation tools built into other software development tools by funding these libraries, and I think that's one way that we get more SBOMs everywhere: by making it the default in developer tools. But another big component has been government support, and in the United States, for example, the US government has started to say, maybe we will start to require SBOMs when the government buys software. They are starting to require the vendor to...
B: They are also looking at certain industries like healthcare, like when you get a healthcare device, you know, requiring SBOMs to be a part of that. I know the Japanese government is very interested in this as well. Have you followed at all what the Japanese government is doing in terms of SBOMs? Okay, okay. There was a very thoughtful and very comprehensive strategy put together by METI, M-E-T-I, that I would encourage you all to go look at.
B: We put up some video from a software security summit from Japan from back in July, with a presentation from, and I'm blanking on his name, but a representative from METI presenting on their strategy. So it's very thoughtful, and my hope is that it could lead to Japanese industry adopting it as well. Finally, I'll ask: do you think there's any industries in Japan that might prioritize SBOMs, especially perhaps automotive, or one of the others?
A: I don't know well about the industries, but I'm mainly interested in my industry, cloud service providers, and for us it's not so clear what METI is forcing us to do. And so in my talk I said that if they force us to use SBOMs for ISMS or some such kind of security assessment programs, then our goal is much clearer, I think. But that kind of plan needs to be open and shared, yeah, yeah.
B: Great, well, that was the last presentation for today. Once again, thank you, Mr. Yoshikawa, for your presentation.