Hello SPDX Team,
The November General Meeting is happening this Thursday, November 2nd. We've got a great presentation planned from Hasan Yasar, Technical Director of the Continuous Deployment of Capability group at the Software Engineering Institute, CMU:

Actionable SBOM lifecycle with DevSecOps practices

The emergence of SBOM has become a crucial topic in the realm of software development, especially concerning the exchange of information about the components constituting the software we use daily. With the signing of Executive Order 14028 in 2021, companies aiming to offer software or services to the federal government are now mandated to provide details about the security of their offerings. This requirement encompasses providing a Software Bill of Materials that delineates the software's composition, a seemingly simple concept but one that raises numerous operational questions in practice. Challenges include ensuring the integrity of interdependent files during both build and runtime, as well as continuous monitoring for vulnerabilities within these files. Moreover, SBOM represents a dynamic process that spans the Software Development Life Cycle (SDLC). In this context, our discussion will feature a live demonstration of a software supply chain pipeline based on real-world experiences. We will explore how to manage Software Bills of Materials from both the producer's and consumer's perspectives, offering practical insights on how to tackle the fundamental question: "What do we do with these documents?"

Hasan Yasar:
Hasan Yasar is the Technical Director of the Continuous Deployment of Capability group at the Software Engineering Institute, CMU. Hasan leads an engineering group to enable, accelerate and assure transformation at the speed of relevance by leveraging DevSecOps, Agile, Lean, AI/ML, and other emerging technologies to create a smart and secure software platform/pipeline.
Hasan has more than 25 years of experience as a senior security engineer, software engineer, software architect, and manager in all phases of secure software development and information modeling processes. He is also a Teaching Professor at CMU's Heinz College and the Software and Societal Systems department (https://s3d.cmu.edu/index.html), where he currently teaches "Software and Security" and "DevOps for Engineering Secure Development and Deployment". Hasan also serves on various IEEE/ISO, The Open Group, and NIST standards development efforts. He recently co-authored the IEEE 2675 DevOps standard, and is working on IEEE 828 Configuration Management, IEEE 982.1 Software Reliability, and ISO Wkg 29 Agile and DevOps standard development.

Meeting Time: Thursday, November 2nd, 8am PT / 10am CT / 11am ET / 15:00 UTC.
Time zone converter: http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:
Join the meeting: https://meet.jit.si/SPDXGeneralMeeting
To join by phone instead, dial: +1.512.647.1431,,1310118349#
Looking for a different dial-in number?
See meeting dial-in numbers: https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting
If also dialing in through a room phone, join without connecting to audio: https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

Etherpad for minutes: https://spdx.swinslow.net/p/spdx-general-minutes

Meeting Agenda:

Administrative Agenda
Attendance
Minutes Approval: https://github.com/spdx/meetings/pull/493

Special Presentation - "Actionable SBOM lifecycle with DevSecOps practices" from Hasan Yasar

Technical Team Report – Kate/Gary/Others
* Overview
* Specification and Profiles
* Core & Software
* Security
* Licensing
* Build
* Lite
* AI
* Dataset
* Functional Safety
* Canonicalization/Serialization
* Software as a Service
* Hardware
* Tooling + Implementers

Legal Team Report – Jilayne/Steve

Outreach/Website Team Report – Alexios/Bob

General Announcements

View/Reply Online (#1793): https://lists.spdx.org/g/spdx/message/1793
