Open Source Summit Europe 2023

The industry has been talking for years now about Software Bill of Materials (SBOM) and how they can help resolve security and legal issues in the software supply chain. Yet as the SBOM horizon expands in scope and sophistication, we find ourselves asking: what about SBOMs for services? The truth is that bringing transparency to services via SaaSBOMs is notably more complex. On one side, we have the service itself, depending on one or more other services. Each of them has a different subscription model, transport protocols, geo location and a wide variety of risk factors with no national vulnerability database for services yet created. But that’s not all! We also have the data that flows through a service, which also goes through a variety of known and unknown additional services, regulations, access controls and so on. Can such metadata be known and structured into a cohesive SaaSBOM? How should that information be exchanged in a producer-consumer chain while protecting privacy and intellectual property? Together with the CISA Service Transparency and the SPDX SaaS Profile groups we’ve been working to answer these questions. In this talk we’ll bring visibility into the ongoing efforts around SaaSBOMs, how we approach complexities around generating them, and what’s coming next.