SBOMs in the Automotive Industry: Real-World Insights and Recommendations

Published: 15 May 2026
on the channel: SecureOurStreets

A heightened global focus on software supply chain security — plus a range of emerging industry regulations — has made SBOMs (software bills of materials) an increasingly important initiative for automotive suppliers and manufacturers.

Of course, the scope of SBOM programs often varies by an organization’s role in the automotive ecosystem.

This presentation (“SBOMs in the Automotive Industry: Real-World Insights and Recommendations”) will focus on three distinct parts of the SBOM lifecycle I've observed from my work supporting automotive industry clients. I'll provide an overview of each part of the lifecycle, plus actionable guidance for improving results.

The three scenarios are as follows:

1. SBOM distribution and generation: Based on our experiences, most organizations across the automotive software supply chain — manufacturers along with all tiers of suppliers — are in a position to need at least basic SBOM generation capabilities.

2. SBOM ingestion and aggregation: While Tier 2 suppliers may not be concerned about ingesting and combining SBOMs from external teams, automotive manufacturers (and many Tier 1 suppliers) very much are.

3. SBOMs as a vehicle for continuous monitoring and vulnerability management: Similar to ingestion and aggregation, automotive suppliers without extensive supplier networks of their own may not be focused on using SBOMs to achieve vulnerability management objectives. But manufacturers and more interconnected suppliers often are.
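To make the three lifecycle stages concrete, here is an added example (it is not code from the talk, the speaker, or FOSSA) that walks an SBOM through generation-side parsing, ingestion and aggregation across suppliers, and a vulnerability match. The two SBOM documents, the supplier and component names, and the advisory identifiers are all constructed sample data in a minimal CycloneDX-like JSON shape; the advisory IDs are placeholders, not real CVEs.

```python
"""Added example (not from the talk): aggregate SBOMs from several suppliers
and match the merged inventory against a vulnerability feed.

All SBOM documents and the advisory list below are constructed sample data
in a minimal CycloneDX-like JSON shape; they describe no real product."""
import json

# Constructed sample: an SBOM a Tier 2 supplier generates for one software module.
TIER2_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"name": "can-stack", "version": "2.1.0"}},
    "components": [
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "purl": "pkg:generic/zlib@1.2.11"},
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "purl": "pkg:generic/openssl@1.1.1k"},
    ],
})

# Constructed sample: an SBOM a Tier 1 supplier generates for an ECU firmware image.
TIER1_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"name": "body-ecu-fw", "version": "7.3"}},
    "components": [
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "purl": "pkg:generic/zlib@1.2.11"},
        {"type": "library", "name": "libxml2", "version": "2.9.10",
         "purl": "pkg:generic/libxml2@2.9.10"},
    ],
})

# Constructed advisory feed; the identifiers are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "purl": "pkg:generic/openssl@1.1.1k"},
    {"id": "ADV-PLACEHOLDER-002", "purl": "pkg:generic/busybox@1.31.0"},
]


def load_components(sbom_json):
    """Parse one SBOM; return (name of the supplied product, {purl: component}).

    Ingestion rejects documents that cannot be matched later: an unknown
    format, or a component without a package URL (purl)."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    origin = doc["metadata"]["component"]["name"]
    comps = {}
    for c in doc.get("components", []):
        purl = c.get("purl")
        if not purl:
            raise ValueError(f"component {c.get('name')} lacks a purl")
        comps[purl] = c
    return origin, comps


def aggregate(sbom_jsons):
    """Merge several supplier SBOMs into one inventory keyed by purl.

    Identical components from different suppliers collapse into one entry,
    but the list of supplier products that ship them is preserved so a hit
    can be traced back to the responsible supplier."""
    inventory = {}
    for s in sbom_jsons:
        origin, comps = load_components(s)
        for purl, c in comps.items():
            entry = inventory.setdefault(
                purl, {"name": c["name"], "version": c["version"], "sources": []})
            entry["sources"].append(origin)
    return inventory


def match_advisories(inventory, advisories):
    """Continuous-monitoring step: return {advisory id: [supplier products
    that ship the affected purl]} for advisories that hit the inventory."""
    hits = {}
    for adv in advisories:
        entry = inventory.get(adv["purl"])
        if entry:
            hits[adv["id"]] = sorted(entry["sources"])
    return hits


if __name__ == "__main__":
    inv = aggregate([TIER2_SBOM, TIER1_SBOM])
    for purl, e in sorted(inv.items()):
        print(purl, "<-", ", ".join(e["sources"]))
    print(match_advisories(inv, ADVISORIES))
```

The example matches on exact purls only; real advisory feeds express affected version ranges and purls need normalization before comparison, so a production ingestion pipeline replaces the dictionary lookup in `match_advisories` with range-aware matching. The `sources` list is the point of the aggregation stage: when an advisory lands, a manufacturer needs to know which supplier deliverables carry the component, not just that it is somewhere in the vehicle.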

Each section of this talk — which is based on extensive firsthand experience directly supporting automotive manufacturers along with Tier 1 and 2 suppliers — will include specific guidance to help attendees understand how SBOM programs within their organizations can more effectively manage these parts of the SBOM lifecycle.

About the Speaker:

Cortez Frazier Jr. is a Principal Product Manager at FOSSA. He leads development for the company’s SBOM (software bill of materials) and vulnerability management solutions. Before joining FOSSA, Cortez served as product lead for all of Puppet’s SaaS-based products, primarily within the CSPM (Cloud Security Posture Management) domain. Earlier, Cortez worked as a Senior Cybersecurity Architect for GE Power, where he was responsible for around 1,800 developers and 600 applications. In his free time, Cortez participates in local Atlanta AppSec meetups while being an avid gamer and stoicism enthusiast.