SERG talk: SBOM vs. SBOM: Why can the same app have two different SBOMs

Following a quick introduction of SBOMs, Henrik will present the results of a case-study that comprised running three SBOM generators at different times of the software development lifecycle. The results show that the quality/accuracy of generated SBOMs greatly varies from one tool and one lifecycle phase to another, and are hardly comparable across SBOM.

About Henrik

Henrik Plate is a security researcher working with Endor Labs, aiming to improve the security of today’s software supply chains, and in particular the secure consumption of open source. He formerly worked for SAP Security Research, where he led the focus topic ‘open source security’ starting in 2014. He co-authored several academic papers on this topic, presented at academic and industry conferences like the RSA, is the project lead and core-developer of Eclipse Steady (an open source solution using program analysis techniques to assess the exploitability of vulnerabilities), and contributes to the Risk Explorer for Software Supply Chains (an open source solution to understand supply chain threats and safeguards). He also worked on security policies, leading a 3y public-funded collaborative research project as technical and scientific coordinator, participated in M&A technical due diligence, created and rolled-out company-wide secure development trainings, and participated in product security assessments. He received his MSc in Computer Science and Business Administration in 1999 from the University of Mannheim, Germany, and holds a CISSP certification.