Enhancing a Software Bill of Materials or Hardware Bill of Materials Leveraging Trusted Computing Group Standards and Principles
Date and Time: June 25 - 11:00 am
Joshua Schiffman [HP Inc.]
Joshua Schiffman is a Distinguished Technologist and Research Director at HP Inc., where he develops and promotes technology strategies for computer security, including trusted computing hardware, supply chain security, and device lifecycle management. He leads a team of researchers and developers, collaborates with industry standards organizations, and works with government and academic partners to enhance security research and development. Before this role, Joshua was a Senior Research Scientist at HP Labs, focusing on supply chain security and trusted endpoint architectures. He has also worked at AMD as a Security Architect and has research experience from internships at Microsoft, Samsung, and IBM.
Presentation Abstract
The increasingly threatening software supply chain landscape has never been more firmly in the spotlight. According to an Identity Theft Resource Center report, more than 10 million people were impacted by supply chain attacks in 2022, with IBM estimating that the cost of a data breach was $4.45 million globally last year. It is therefore vital that a Software Bill of Materials or Hardware Bill of Materials be present when organizations are building or buying software for critical infrastructure components.
The integration of Software Bill of Materials and Hardware Bill of Materials with the Trusted Computing Group's Port Control Protocol, Firmware Integrity Measurement, and Reference Integrity Manifest technologies enhances the visibility and traceability of software and hardware components in the supply chain. A Software Bill of Materials provides a detailed inventory of all software components, libraries, and dependencies used in a software application, which is essential for identifying and managing the security risks associated with these components. A Hardware Bill of Materials, on the other hand, details the hardware components of a product, offering insight into supply chain risks and enabling the detection of counterfeit hardware.
This integration supports a comprehensive approach to supply chain security by ensuring that both software and hardware components are verified against trusted baselines established by Firmware Integrity Measurement and Reference Integrity Manifest. By leveraging Software Bill of Materials and Hardware Bill of Materials, organizations can more effectively identify vulnerable systems, detect suspicious or counterfeit components, and respond promptly to new vulnerabilities. Furthermore, the adoption of standardized formats for Software Bill of Materials, such as Software Package Data Exchange and CycloneDX, facilitates interoperability and reduces duplication of effort across different sectors.
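The verification step described above, as an added illustration that is not part of the talk or of HP's tooling: a firmware measurement log is compared against a simplified Reference Integrity Manifest, and the SBOM inventory is checked against an advisory feed. The RIM and SBOM structures, firmware bytes and advisory entries are all constructed stand-ins, not real TCG, SPDX or CycloneDX documents.

```python
# Added example, not from the talk or HP: check a firmware measurement log
# against a simplified Reference Integrity Manifest (RIM) and flag SBOM
# components listed in an advisory feed. RIM/SBOM shapes, firmware bytes and
# advisories are all constructed stand-ins, not real TCG/SPDX/CycloneDX data.
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed "golden" firmware images whose digests the vendor put in the RIM.
GOLDEN = {"uefi-core": b"UEFI core 2.7.1 (constructed)",
          "ec-firmware": b"EC firmware 1.4.0 (constructed)"}

# Simplified RIM: component -> reference digest the platform must reproduce.
RIM = {name: sha256_hex(blob) for name, blob in GOLDEN.items()}

# Simplified SBOM/HBOM inventory and a constructed advisory set of
# (component, affected version) pairs.
SBOM = [{"name": "uefi-core", "version": "2.7.1"},
        {"name": "ec-firmware", "version": "1.4.0"},
        {"name": "libtls", "version": "3.0.1"}]
ADVISORIES = {("libtls", "3.0.1"), ("ec-firmware", "1.3.9")}

def verify_measurements(rim, measured):
    """Compare a Firmware Integrity Measurement log ({component: digest})
    with the RIM; returns {component: match|mismatch|missing|unreferenced}."""
    result = {}
    for name, reference in rim.items():
        if name not in measured:
            result[name] = "missing"        # baseline exists, nothing measured
        elif measured[name] == reference:
            result[name] = "match"
        else:
            result[name] = "mismatch"       # running code differs from baseline
    for name in measured.keys() - rim.keys():
        result[name] = "unreferenced"       # measured, but no trusted baseline
    return result

def vulnerable_components(sbom, advisories):
    """SBOM entries whose (name, version) is named in an advisory."""
    return [c for c in sbom if (c["name"], c["version"]) in advisories]

if __name__ == "__main__":
    # Constructed log: EC firmware altered, plus an option ROM the RIM lacks.
    log = {"uefi-core": sha256_hex(GOLDEN["uefi-core"]),
           "ec-firmware": sha256_hex(b"EC firmware 1.4.0 (tampered)"),
           "option-rom": sha256_hex(b"unknown option ROM (constructed)")}
    print(verify_measurements(RIM, log))
    print(vulnerable_components(SBOM, ADVISORIES))
```

A "mismatch" or "unreferenced" result is the signal to investigate the device, while the SBOM check turns a new advisory into a list of affected components without touching the hardware.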
Dr. Diganta Das
For more information or questions regarding the technical program (including Professional Development Courses), contact the Conference Chair, Dr. Diganta Das.
Karlie Severinson
For more information or questions regarding event logistics, exhibitions, and sponsorship, contact Karlie Severinson.