The Software Bill of Materials (SBOM) has frequently been cited as a crucial component in securing the software supply chain. Its value proposition is the ability to answer critical questions such as, "Am I vulnerable to CVE-XYZ?". In theory, SBOM should simplify risk assessment by prioritizing the remediation of vulnerable applications. However, when considering the software supply chain as a whole and the myriad potential threat vectors (https://slsa.dev/spec/v1.0/threats), it's clear that SBOM provides limited utility when securing end-2-end software delivery from producer to consumer.

How is an SBOM produced? How is it delivered? Does it bundle the artifacts it describes? Can you verify the provenance of the SBOM? These questions lead us to ask whether the SBOM has any real utility as a standalone entity.

In this session, we shall introduce the Open Component Model (OCM, https://ocm.software), an open standard and tooling that supports establishing a secure software supply chain, from producer to consumer. OCM's dedicated tooling packages security and compliance-relevant metadata, such as SBOMs, alongside the software artifacts. It includes support for signing operations, as well as secure transport of artifacts ensuring their integrity and provenance. Our session is ideal for those who find these questions intriguing and are eager to explore possible answers!