
SPDX SBOMs: Enabling Automation of Safety & Security Analysis

This session was presented by Kate Stewart of The Linux Foundation at DevSecOps Days Pittsburgh, held virtually May 11, 2023.

Software Engineering Institute

When building systems with safety-critical considerations, having a detailed and accurate record of all the requirements, components, tests, and configuration information is essential for safety analysis. When a fix for a component vulnerability comes in, though, how do you know that the system still conforms with its safety claims after you apply the fix? This talk will discuss how you can leverage Software Package Data Exchange (SPDX) software bill of materials (SBOM) data to automate that analysis, and give you confidence that the necessary re-testing and analysis will satisfy the safety profile.
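As an added illustration of the idea above (not code from the talk or from the SPDX project), the script below uses the relationship section of an SPDX 2.3 document to answer the question the abstract poses: after one component is patched, which tests and requirement artefacts must be re-run or re-verified? The SBOM fragment and all `SPDXRef-*` identifiers are constructed for the example; the relationship type names (`DEPENDS_ON`, `DEPENDENCY_OF`, `TEST_OF`, `TEST_CASE_OF`, `REQUIREMENT_DESCRIPTION_FOR`, `SPECIFICATION_FOR`, and the link/containment types) are the ones defined in the SPDX 2.3 specification.

```python
import json
from collections import deque

# Constructed SPDX 2.3 JSON fragment (not any real project's SBOM); only the
# relationship section is shown because that is what drives the analysis.
SBOM = json.loads("""{"spdxVersion": "SPDX-2.3", "relationships": [
 {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-parser"},
 {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-logger"},
 {"spdxElementId": "SPDXRef-libcrypto", "relationshipType": "DEPENDENCY_OF", "relatedSpdxElement": "SPDXRef-parser"},
 {"spdxElementId": "SPDXRef-test-crypto", "relationshipType": "TEST_CASE_OF", "relatedSpdxElement": "SPDXRef-libcrypto"},
 {"spdxElementId": "SPDXRef-test-parser", "relationshipType": "TEST_OF", "relatedSpdxElement": "SPDXRef-parser"},
 {"spdxElementId": "SPDXRef-test-app", "relationshipType": "TEST_OF", "relatedSpdxElement": "SPDXRef-app"},
 {"spdxElementId": "SPDXRef-test-logger", "relationshipType": "TEST_OF", "relatedSpdxElement": "SPDXRef-logger"},
 {"spdxElementId": "SPDXRef-req-safety", "relationshipType": "REQUIREMENT_DESCRIPTION_FOR", "relatedSpdxElement": "SPDXRef-app"}
]}""")

# SPDX relationship types that read "A needs B" (FORWARD) or "A is needed by B" (INVERSE).
FORWARD = {"DEPENDS_ON", "STATIC_LINK", "DYNAMIC_LINK", "CONTAINS"}
INVERSE = {"DEPENDENCY_OF", "RUNTIME_DEPENDENCY_OF", "CONTAINED_BY"}
# Relationship types whose subject is a verification artefact for the object.
VERIFICATION = {"TEST_OF", "TEST_CASE_OF", "REQUIREMENT_DESCRIPTION_FOR", "SPECIFICATION_FOR"}

def impacted_elements(doc, changed_id):
    """Return the changed element plus everything transitively built on it."""
    dependents = {}  # element -> elements that directly need it
    for r in doc["relationships"]:
        a, t, b = r["spdxElementId"], r["relationshipType"], r["relatedSpdxElement"]
        if t in FORWARD:
            dependents.setdefault(b, set()).add(a)
        elif t in INVERSE:
            dependents.setdefault(a, set()).add(b)
    seen, queue = {changed_id}, deque([changed_id])
    while queue:  # breadth-first walk up the dependency graph
        for d in dependents.get(queue.popleft(), ()):
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return seen

def reverification_scope(doc, changed_id):
    """Tests and requirement/specification artefacts attached to any impacted
    element, as sorted (artefact, relationship, target) tuples for the audit record."""
    hit = impacted_elements(doc, changed_id)
    return sorted((r["spdxElementId"], r["relationshipType"], r["relatedSpdxElement"])
                  for r in doc["relationships"]
                  if r["relationshipType"] in VERIFICATION and r["relatedSpdxElement"] in hit)

if __name__ == "__main__":  # patching libcrypto: parser and app tests plus the safety requirement
    for artefact, rel, target in reverification_scope(SBOM, "SPDXRef-libcrypto"):
        print(f"{artefact} {rel} {target}")
```

Note that `SPDXRef-test-logger` is correctly left out of the scope for the libcrypto fix, while a fix to the logger would pull in the application-level test and requirement but not the crypto or parser tests.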