2025-06-18, Main stage
Understanding what is inside an application is critical for effective vulnerability management and risk assessment. By identifying the components within the application, you can identify and address potential vulnerabilities more effectively and assess the overall security posture of the application. But if the source code is not available or identifiable, then that is more of a challenge.
This talk will describe my work in extracting relevant information from an ELF binary in order to create an SBOM for an application within a deployed environment. It can identify features such as the dynamic libraries and the functions used from each dynamic library. It will also show that, once the information has been extracted, it can be combined with data produced by SBOM generators for deployed applications, such as distro2sbom, to create a more enriched SBOM.
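As an added illustration (not the speaker's tooling), the following Python script reads the two ELF structures that carry this inventory: the DT_NEEDED entries of the .dynamic section name the shared libraries, and the undefined FUNC symbols in .dynsym name the functions imported from them. The ELF64 image it parses is constructed in code; attributing each function to the specific library that provides it would need the version-requirement section (.gnu.version_r), which this example does not read.

```python
import struct

SHT_STRTAB, SHT_DYNAMIC, SHT_DYNSYM = 3, 6, 11   # section header types
DT_NULL, DT_NEEDED = 0, 1                        # .dynamic entry tags
STT_FUNC, SHN_UNDEF = 2, 0                       # symbol type / "undefined" section index
def _cstr(blob, off):
    return blob[off:blob.index(b"\0", off)].decode()

def elf_imports(data):
    """Return (needed_libs, imported_funcs) from a little-endian ELF64 image held in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    shoff = struct.unpack_from("<Q", data, 0x28)[0]            # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", data, 0x3A)  # e_shentsize, e_shnum
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize) for i in range(shnum)]
    libs, funcs = [], []
    for _, typ, _, _, off, size, link, _, _, entsize in shdrs:
        if typ not in (SHT_DYNAMIC, SHT_DYNSYM):
            continue
        strtab = shdrs[link][4]                 # sh_link points at the string table (.dynstr)
        for pos in range(off, off + size, entsize):
            if typ == SHT_DYNAMIC:
                tag, val = struct.unpack_from("<qQ", data, pos)
                if tag == DT_NULL:
                    break
                if tag == DT_NEEDED:
                    libs.append(_cstr(data, strtab + val))
            else:
                name, info, _, shndx, _, _ = struct.unpack_from("<IBBHQQ", data, pos)
                if name and shndx == SHN_UNDEF and info & 0xF == STT_FUNC:
                    funcs.append(_cstr(data, strtab + name))
    return libs, funcs
def build_sample_elf():
    """Constructed minimal ELF64 image (no code, not executable) with .dynstr, .dynsym and .dynamic."""
    dynstr = b"\0libc.so.6\0libssl.so.3\0malloc\0SSL_new\0"
    idx = lambda s: dynstr.index(s + b"\0")
    sym = lambda name: struct.pack("<IBBHQQ", name, 0x12, 0, SHN_UNDEF, 0, 0)  # GLOBAL FUNC, undefined
    dynsym = bytes(24) + sym(idx(b"malloc")) + sym(idx(b"SSL_new"))          # entry 0 is the null symbol
    dynamic = b"".join(struct.pack("<qQ", DT_NEEDED, idx(n)) for n in (b"libc.so.6", b"libssl.so.3"))
    dynamic += struct.pack("<qQ", DT_NULL, 0)
    o1, o2, o3 = 64, 64 + len(dynstr), 64 + len(dynstr) + len(dynsym)   # sections follow the 64-byte header
    shdr = lambda typ, off, size, link, ent: struct.pack("<IIQQQQIIQQ", 0, typ, 0, 0, off, size, link, 0, 1, ent)
    shdrs = (shdr(0, 0, 0, 0, 0) + shdr(SHT_STRTAB, o1, len(dynstr), 0, 0)
             + shdr(SHT_DYNSYM, o2, len(dynsym), 1, 24) + shdr(SHT_DYNAMIC, o3, len(dynamic), 1, 16))
    shoff = o3 + len(dynamic)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(   # ET_DYN, x86-64, 4 section headers
        "<HHIQQQIHHHHHH", 3, 0x3E, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 4, 0)
    return ehdr + dynstr + dynsym + dynamic + shdrs
```

For a deployed binary, call `elf_imports(open(path, "rb").read())`; the returned library names are what you would reconcile against a distro-level SBOM such as the one distro2sbom produces.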
With regulations such as the EU Cyber Resilience Act (CRA) requiring applications to monitor and remediate, as necessary, vulnerabilities in the constituent components of an application, it is essential that an accurate inventory of the components within an application can be identified.
Some of this work has been funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990.
Anthony Harrison has been developing and delivering mission-critical applications for over 40 years, working on a range of complex programmes where he held roles in software, systems and cyber engineering, as well as providing technical leadership for a number of programmes.
He is the Founder and Director of APH10, and co-founder of SBOM Europe, and is a leading source of expertise in Software Bill of Materials (SBOM). He has been developing open source software actively for a number of years; most recently, the applications have been related to supporting the software supply chain through utilities to generate and analyse software bills of materials (SBOMs).
He has been a mentor for the Google Summer of Code for the past four years via the Python Software Foundation and is a mentor for his local CoderDojo in Manchester teaching students Python.