2025-04-13, Track 1
In my 3rd week working for a Fortune 500 company, I was tasked with designing and rolling out a programme to churn out software bills of materials for our high inherent risk products. 5 months later, we're on the right side of the forthcoming supply chain security regulatory and compliance world. It wasn't easy, but it was sure worth the effort. I even made some friends along the way.
Software bills of materials (SBOMs) will be required by the EU in 2026 in order to sell and distribute hardware and software for critical infrastructure, per the Cyber Resilience Act. Pursuant to this, my organisation built an SBOM programme from the ground up. I will describe the process from start to finish. Each sprint in the roll-out offered a new lesson learned, and armed us with best practices for CI/CD pipeline automation, open source dependency research, vulnerability analysis, and making SBOMs out of a myriad of coding languages, code repositories, operating systems, and release tempos. The main takeaway of each challenge we met is simple - security and development can get along and make magick happen, but it all requires buy-in. I will also highlight the best practices we documented in the SBOM standard ops procedure, and how those lessons informed other big endeavors like CISA's Secure by Design pledge, product security threat intelligence, and secure coding.
Grey Fox is a U.S. military veteran with over 20 years of intelligence and cybersecurity experience, specializing in offensive cyberspace operations, digital network intelligence, and software defined radio instruction. He has presented at DEF CON and B-Sides, and has earned CISSP, GCTI, GPEN, GASF, GAWN, GMOB, CySA+, and CWNA.