Learn from Log4Shell: Using SBOMs for Zero-Day Preparedness

Think back to December 2021, when Log4Shell was disclosed. How did you respond? You can’t start patching until you determine what needs to be patched. How long did you spend combing through your software repos to determine your exposure?

What if you could have gotten an accurate assessment in minutes instead of days?

The havoc that will ensue from the next Log4Shell-like zero-day event can be considerably reduced with some simple proactive measures in the SDLC. Generating a Software Bill of Materials (SBOM) gives you deep visibility into your software and allows you to evaluate that software much more rapidly than before.

In this presentation, Paul Novarese will introduce SBOMs and explore the landscape of open source tools for generating them. Attendees will learn how SBOMs help both in responding to zero-day situations like Log4Shell and in more run-of-the-mill vulnerability scanning, improving both speed and accuracy. We will tie it all together with practical techniques for automating SBOM creation and evaluation in CI/CD pipelines, strengthening overall software supply chain security: the added speed and accuracy let us detect problems sooner and fix them faster, with fewer production disruptions.
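The "assessment in minutes" the abstract promises comes down to one question a pipeline can answer from an SBOM: which of our components are a named package at a version below the first fixed release? The script below is an added example, not code from the talk or from Anchore. It assumes a CycloneDX-style JSON SBOM (a `components` list carrying `name`, `group`, `version` and `purl`), builds a small constructed sample inline, and treats the rule "log4j-core below 2.15.0 is exposed" as an illustrative assumption rather than an authoritative advisory. Version comparison is done numerically, so 2.9 sorts below 2.14 and a pre-release such as 2.0-beta9 sorts below 2.0.

```python
"""Flag SBOM components that fall below a known-good version.

Added example: not the speaker's or Anchore's code. Assumes a CycloneDX-style
JSON SBOM ("components" list with name/group/version/purl) and a caller-
supplied rule of the form "<name> is affected below <fixed_in>".
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample SBOM for this example; it was not generated from a real build.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.0-beta9",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.13.0",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"},
    ],
})


@dataclass(frozen=True)
class Rule:
    """'name' (optionally within 'group') is affected at every version below 'fixed_in'."""
    name: str
    fixed_in: str
    group: Optional[str] = None


# Assumed illustrative rule for this example: treat log4j-core below 2.15.0 as exposed.
LOG4SHELL_RULE = Rule(name="log4j-core", fixed_in="2.15.0", group="org.apache.logging.log4j")

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)(\d*))?")


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' or '2.0-beta9' into a comparable key.

    Numeric parts compare as integers (so 2.9 < 2.14); a pre-release
    qualifier such as beta9 or rc1 sorts below the final release of the
    same numbers.
    """
    m = _VERSION_RE.fullmatch(version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    numbers = tuple(int(n) for n in m.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))  # 2.0 compares equal to 2.0.0
    if m.group(2):
        tag = (0, m.group(2).lower(), int(m.group(3) or 0))  # pre-release
    else:
        tag = (1, "", 0)  # final release
    return (numbers, tag)


def affected_components(sbom_json: str, rule: Rule) -> list:
    """Return the SBOM components matching the rule's name/group whose
    version is below rule.fixed_in."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        if comp.get("name") != rule.name:
            continue
        if rule.group is not None and comp.get("group") != rule.group:
            continue
        version = comp.get("version")
        if version is None:
            continue  # no version recorded: cannot judge; a real pipeline should report these separately
        if parse_version(version) < parse_version(rule.fixed_in):
            hits.append(comp)
    return hits


def affected_purls(sbom_json: str, rule: Rule) -> list:
    """Sorted package URLs of the affected components, handy for a CI gate."""
    return sorted(c.get("purl", f"{c['name']}@{c['version']}")
                  for c in affected_components(sbom_json, rule))


if __name__ == "__main__":
    purls = affected_purls(SAMPLE_SBOM, LOG4SHELL_RULE)
    for p in purls:
        print("EXPOSED:", p)
    # A non-zero exit makes a CI/CD stage fail when exposure is found.
    raise SystemExit(1 if purls else 0)
```

In a pipeline, the SBOM generated at build time replaces `SAMPLE_SBOM`, and the non-zero exit turns the check into a gate; the same script run over the SBOMs archived for already-deployed artifacts answers the "what is exposed right now?" question without re-scanning every repository.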

Paul Novarese

Paul Novarese is a Senior Solutions Engineer with Anchore. He has been working in open source software for over 25 years at companies like HP, Red Hat, and Docker, with a background in enterprise ...