[00:00.000 --> 00:11.080]  So we start with a pretty tight schedule, so thank you everyone for being here and being
[00:11.080 --> 00:12.080]  on time.
[00:12.080 --> 00:17.040]  So respect your time, we're not completely sure we've got the AV all set up for the remote
[00:17.040 --> 00:21.520]  stream but for those here in the room we'll start it off and post slides.
[00:21.520 --> 00:27.840]  A bit of housekeeping I guess, we've got like I say a very full schedule between today and
[00:27.840 --> 00:31.560]  tomorrow, today just today.
[00:31.560 --> 00:36.800]  Tomorrow's the flight but anyhow.
[00:36.800 --> 00:41.200]  So Alexis you want to walk us quickly through it and then tell us the rest of the housekeeping
[00:41.200 --> 00:46.120]  stuff and then I'll talk, give an overview of the S-bomb stuff real quick.
[00:46.120 --> 00:49.120]  Right, okay.
[00:49.120 --> 00:57.280]  So first of all for us, for the strange people who do not know us, this is Kate the Magnificent,
[00:57.280 --> 01:04.240]  Adolfo the Great is somewhere, yeah trying to find AV solutions and I'm Alexis.
[01:04.240 --> 01:10.960]  In the program that you have seen, we did not do a nice job like other dev rooms and
[01:10.960 --> 01:17.560]  it would not leave any time between the end of the one talk and start of the other.
[01:17.560 --> 01:21.960]  Therefore if you're speaking, imagine that you've got five minutes stripped off of the
[01:21.960 --> 01:29.360]  plan because we're going to finish early and switch laptops and bring the next period
[01:29.360 --> 01:32.440]  of the room.
[01:32.440 --> 01:50.160]  So as you've seen we have lots of talks all about S-bombs, right, okay, so we have lots
[01:50.160 --> 01:59.240]  of things about S-bombs, we try to group the presentations according to a couple of themes
[01:59.240 --> 02:09.840]  and so we'll be starting with more tools that are working on S-bombs, then we're going
[02:09.840 --> 02:16.600]  to be discussing what information goes into S-bombs and then we're going to have more
[02:16.600 --> 02:19.680]  general discussions about S-bombs.
[02:19.680 --> 02:26.800]  There are two, we had interesting changes in the schedule according to travel plans
[02:26.800 --> 02:34.520]  for different people, so we have two discussions or panels or whatever you want to call them.
[02:34.520 --> 02:41.840]  One is on discussion on S-bomb contents, right, where we expect people to contribute, right,
[02:41.840 --> 02:49.080]  and the other end is the larger panel discussion about, well should it be content there, useful
[02:49.080 --> 02:57.160]  to send caveats of S-bombs in general, right, and then we also have another time slot for
[02:57.160 --> 03:03.680]  everyone to ask questions about S-bombs because this is something completely new and that's
[03:03.680 --> 03:10.880]  about it and I'll give it to Kate to explain what is B-bombs is.
[03:10.880 --> 03:15.680]  The other thing too is as we are moving through the day, if more people are coming in you
[03:15.680 --> 03:20.400]  may be getting asked to move that way so that as people come in they can get seated and
[03:20.400 --> 03:24.560]  so you'll see myself, one of us, basically we start to see pressure of too many people
[03:24.560 --> 03:29.640]  standing in the back of the walls, go at some point in time quietly during the meetings,
[03:29.640 --> 03:31.440]  so I think that's it, but-
[03:31.440 --> 03:37.760]  Last the room has a corridor at the end after this, so you don't need to cross over.
[03:37.760 --> 03:44.400]  Okay, so quick show of hands, how many people have started working with S-bombs already?
[03:44.760 --> 03:50.000]  Okay, pretty good, I see one or two not up, so I'm going to just sort of say the common
[03:50.000 --> 03:55.640]  understanding that's emerged of what an S-bomb is, is the relationships between components
[03:55.640 --> 04:03.840]  used in building software and these are like libraries, modules, open source or proprietary,
[04:03.840 --> 04:08.920]  widely available or restricted, all of these are valid use cases today and we have to,
[04:08.920 --> 04:12.360]  because we have to work fully ecosystem and improve transparency, we need to be inclusive
[04:12.360 --> 04:14.440]  of all of them.
[04:14.440 --> 04:19.320]  This is a definition that's sort of been worked up in the industry through various meetings
[04:19.320 --> 04:25.200]  and there's been European participation as well as North American and Japanese, so we're
[04:25.200 --> 04:26.520]  trying to get this.
[04:26.520 --> 04:31.520]  There was a document published last year, actually it was a year before, saying what
[04:31.520 --> 04:36.640]  the minimum elements are and the minimum elements are a supplier component name, version of
[04:36.640 --> 04:41.760]  the component, some other unique identifier, dependency relationships, authors of the data
[04:41.840 --> 04:48.840]  and timestamp, that is pretty much all that it's asked for for the minimum, now anyone
[04:48.840 --> 04:53.680]  who's working with this stuff is not sufficient, so there are a couple of formats that are
[04:53.680 --> 04:59.880]  already recognized as supporting this minimum, SPDX and Cyclone DX are on that list as well
[04:59.880 --> 05:06.120]  as SWID and so we have a definition set of the fields from that record things and we're
[05:06.160 --> 05:13.160]  trying to line up with that in the various formats and then possibly do a lot more.
[05:13.560 --> 05:19.840]  Most of us here are in the SPDX community and it is able to extend beyond that minimum
[05:19.840 --> 05:24.840]  and we are an international standard and have gone through the effort of becoming an international
[05:24.840 --> 05:30.120]  standard, so you'll be hearing probably a little bit more SPDX than the other one but
[05:30.120 --> 05:34.960]  there are other people working on Cyclone DX who will be here today too.
[05:34.960 --> 05:40.240]  The context though is an S-bomb by that minimum definition can apply pretty much anywhere in
[05:40.240 --> 05:47.240]  the software like Cycle and we were finding a lot of people talking past each other and
[05:47.920 --> 05:51.600]  so one of the things that's been working on in a group for the last six months is coming
[05:51.600 --> 05:56.560]  up with a common set of definitions about the types of S-bombs and they sort of relate
[05:56.560 --> 06:01.520]  a little bit to where the things are in the design phase but not completely but the common
[06:01.560 --> 06:08.000]  ones that we see out there in the industry right now are the source ones and the build
[06:08.000 --> 06:11.680]  and the build is where we're getting a lot of information for the security folks. The
[06:11.680 --> 06:14.920]  analyze is when you have a tool that basically gives you a binary and tries to figure out
[06:14.920 --> 06:20.800]  what's in it. The deployed is you've got things that you're putting on a system with configuration
[06:20.800 --> 06:24.360]  information and you want to know that and then runtime is what might be running on your
[06:24.360 --> 06:29.360]  system. You can generate S-bombs for all these sets that fit the minimum definition and so
[06:29.440 --> 06:33.840]  one of the things I'm going to be asking the speakers to do is as they are talking through
[06:33.840 --> 06:38.480]  their slides and everything else if they could say what type of S-bombs they're talking about
[06:38.480 --> 06:42.680]  so that people can get it clear in their head how these tools work with different types
[06:42.680 --> 06:46.240]  of data and with that I will turn it over to our first speaker.