Our Journey, from SBOM to ASSBOMB

This talk is about the nasty corner cases in generating an SBOM. Customers and regulators alike make a noble and justified demand for one, but it comes with far more obstacles than initially expected. We were naive. We thought, “how hard can it be to list all software components in a product?”

With increasing regulatory demand, i.e., the Cyber Resilience Act, we would like to share some of the observations we made. Some of the challenges we encountered will seem familiar to people working on the subject; some may be completely new to you. They cover legacy software, how naming things can be hard, technical debt, issues with the NIST CVE data enrichment (or lack thereof), and more.

Spoiler: AI won’t help you here.

ASSBOMB is the automotive security & software bill of material.

About the Speaker