SBOMs Are Not Enough
Presented at JCON
Software Bill of Materials (SBOMs) have emerged as a critical component of software supply chain security, promising transparency about the dependencies in our applications. But are they delivering on that promise? While SBOMs provide a snapshot of the components included in software, they often fail to address a vital piece of the puzzle: the tools, libraries, and configurations actually used to build it.
In this talk, we’ll explore the varying degrees of SBOM quality and expose the gaps that can undermine their utility. By understanding what SBOMs are—and what they aren’t—we’ll uncover the risks of relying on incomplete or inaccurate data and discuss complementary strategies for achieving a truly transparent and secure build process. Attendees will leave with a deeper appreciation of how SBOMs fit into the broader supply chain security landscape and actionable insights for bridging the gaps.
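As an added example (not part of the talk or its resource list), the following Python script runs a basic quality check over a constructed CycloneDX JSON SBOM and flags the gaps the abstract describes: components with no version or package URL, and no record of the tooling (metadata.tools) or build steps (the CycloneDX 1.5 formulation element) that produced the artifact. The sample document, its component names and the function names are assumptions made for this illustration.

```python
"""Added example: minimal quality checks over a CycloneDX JSON SBOM."""
import json

# Constructed sample: a CycloneDX 1.5 document that lists components but
# says nothing about the tools or build steps that produced them.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "dice-parser", "version": "1.0.0"}},
    "components": [
        {"name": "kotlin-stdlib", "version": "1.9.22",
         "purl": "pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.22"},
        # No version and no purl: cannot be matched against advisories.
        {"name": "jackson-databind"},
    ],
})


def sbom_findings(sbom_json: str) -> list[str]:
    """Return human-readable gaps found in a CycloneDX JSON SBOM.

    Each finding starts with a stable prefix (field name or component name)
    so callers can filter on it.
    """
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        return ["not a CycloneDX document"]
    findings = []
    meta = sbom.get("metadata", {})
    # How the SBOM was produced matters: a scanner run over a built artifact
    # (e.g. syft) observes different things than a build-time plugin does.
    if not meta.get("tools"):
        findings.append("metadata.tools missing: unknown how this SBOM was generated")
    if not meta.get("component"):
        findings.append("metadata.component missing: SBOM does not say what it describes")
    # CycloneDX 1.5 'formulation' is where build steps and build tooling
    # would be recorded; without it the SBOM is a component list only.
    if not sbom.get("formulation"):
        findings.append("formulation missing: no record of how the artifact was built")
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        if not comp.get("version"):
            findings.append(f"{name}: no version, cannot match advisories")
        if not comp.get("purl"):
            findings.append(f"{name}: no purl, package identity is ambiguous")
    return findings


if __name__ == "__main__":
    for finding in sbom_findings(SAMPLE_SBOM):
        print(finding)
```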
Who should attend: Developers, security professionals, and DevOps practitioners looking to enhance software supply chain security beyond the baseline provided by SBOMs.
Resources
The following resources were mentioned during the presentation or are useful additional information.
- SBOM / Software supply chain
- World's greatest pancake recipe (use real maple syrup)
- CycloneDX
- SPDX
- xkcd - standards
- syft
- SLSA
- paketo - build packs - SBOM
- XZ Utils Backdoor
- SpotBugs token leak
- in-toto (attestations)
- JReleaser attestations example
- Dice Parser (Java & Kotlin)
- Free Build Scan Service
- The Developer Productivity Engineering (DPE) Handbook
- Gradle is Hiring