Implementing Software Bill of Materials (SBOM) in Enterprise CI/CD Pipelines

A practical guide for implementing SBOM generation, artifact signing, and provenance tracking in enterprise environments, aligned with Executive Order 14028 requirements.

Introduction

Executive Order 14028 (May 2021) mandates that federal agencies and their software suppliers implement software supply chain security measures, including:
- Software Bill of Materials (SBOM) generation
- Artifact signing and provenance verification
- Secure software development practices

The urgency of these requirements was underscored by high-profile supply chain attacks:
- SolarWinds (2020): a compromised build system pushed a trojanized update to 18,000+ organizations, including federal agencies
- Log4Shell (2021): CVE-2021-44228 exposed how hard it is to identify affected components across enterprise software portfolios
- Codecov (2021): a tampered CI uploader script exfiltrated pipeline secrets, demonstrating the CI/CD pipeline itself as a supply chain attack vector

This article provides a hands-on implementation guide based on real-world enterprise deployments in the healthcare, financial services, and telecommunications sectors. ...

November 15, 2025 · 7 min · Gustavo de Oliveira Ferreira
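The Log4Shell point above is the practical case for having an SBOM at all: with one in hand, "are we affected?" becomes a query instead of a hunt. The following is an added example, not code from the article or its author, that walks a CycloneDX JSON SBOM (including nested, bundled components, which the CycloneDX schema allows) and flags every log4j-core component in the CVE-2021-44228 range (2.0-beta9 up to but not including 2.15.0). The SBOM document and the component names in it (claims-service and its bundled library) are constructed for the example; the version-range check is deliberately conservative and also flags the 2.12.2 Java 7 backport, which was itself fixed, so hits on that version need manual review.

```python
"""Query a CycloneDX SBOM for Log4Shell-affected components (added example)."""
import json
import re

# Constructed sample SBOM in CycloneDX JSON form; not from any real build.
# The nested "components" under claims-service models a bundled dependency,
# which is why the search below must descend the component tree.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"type": "application", "name": "claims-service", "version": "3.2.0",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j",
              "name": "log4j-core", "version": "2.0-beta9",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"},
         ]},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "group": "log4j", "name": "log4j", "version": "1.2.17",
         "purl": "pkg:maven/log4j/log4j@1.2.17"},
    ],
})

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$")
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}


def parse_version(v):
    """Turn a Log4j-style version ('2.0-beta9', '2.14.1') into a sortable tuple.
    Pre-releases sort before the final release with the same number."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    major, minor, patch, pre, pre_num = m.groups()
    pre_key = (1, 0, 0) if pre is None else (0, _PRE_RANK[pre], int(pre_num or 0))
    return (int(major), int(minor), int(patch or 0)) + pre_key


# CVE-2021-44228: log4j-core 2.0-beta9 through 2.14.1; 2.15.0 is the first
# mainline fix. The 2.12.2 backport is also fixed but falls inside this range,
# so it is flagged on purpose for a human to confirm.
AFFECTED_LOW = parse_version("2.0-beta9")
FIXED_FROM = parse_version("2.15.0")


def is_log4shell_affected(component):
    """True if the component is log4j-core within the affected range."""
    if component.get("group") != "org.apache.logging.log4j":
        return False
    if component.get("name") != "log4j-core":
        return False
    try:
        v = parse_version(component.get("version", ""))
    except ValueError:
        return False  # unparseable version: not auto-flagged, log it upstream
    return AFFECTED_LOW <= v < FIXED_FROM


def iter_components(components, path=()):
    """Depth-first walk of CycloneDX components, yielding (path, component)."""
    for c in components:
        group = c.get("group")
        ident = (group + ":" if group else "") + f"{c.get('name')}@{c.get('version')}"
        here = path + (ident,)
        yield here, c
        yield from iter_components(c.get("components", []), here)


def find_affected(sbom_json):
    """Return the component path of every Log4Shell-affected entry in the SBOM."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [" -> ".join(path)
            for path, comp in iter_components(sbom.get("components", []))
            if is_log4shell_affected(comp)]


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_SBOM):
        print("AFFECTED:", hit)
```

Run against the constructed SBOM this reports the top-level log4j-core 2.14.1 and the 2.0-beta9 copy bundled inside claims-service, and stays silent on log4j-api, log4j-core 2.17.1 and Log4j 1.x, which is a different code base with different CVEs. Matching on group and name rather than on the purl string keeps the check working for SBOMs that omit purls; in production the affected range would come from a vulnerability feed rather than a hard-coded constant.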

Secure Software Supply Chain in the Financial Sector

Introduction

The financial sector is a prime target for cyberattacks, and software supply chain security has become a critical concern following incidents like SolarWinds. Ensuring the integrity and provenance of the software we use and deliver is fundamental. My experience at major financial institutions like Serasa Experian and Banco Bradesco provided insights into how DevSecOps practices, specifically Software Bill of Materials (SBOM) generation and artifact signing, are crucial for building a more resilient software supply chain. ...

July 18, 2025 · 2 min · Gustavo de Oliveira Ferreira