Check out this presentation from Tony Turner where he describes BOM-Based Threat Modeling.

The possibilities of this approach are quite powerful. Go beyond simple SBOMs and leverage the capabilities of CycloneDX.

#SBOM #SaaSBOM #HBOM #OBOM #OWASP

https://www.youtube.com/watch?v=4SjA1uEqH0s

Using BOMs to Threat Model A System


Here's the deck I presented to the DoD CIO panel last week. The overwhelming majority of the deck is capabilities that only the OWASP @CycloneDX BOM Standard supports. Going beyond simple #SBOM use cases and supporting #SaaSBOM, #HBOM, #OBOM, #VDR, and #VEX today, and in two months' time it will also be supporting #MLBOM, #MBOM, and bill of attestations. And let's not forget about #CBOM for inventory of cryptographic assets for analysis in a post-quantum world. Thanks to the many organizations and individuals contributing to the standard, the future is incredibly bright.

https://docs.google.com/presentation/d/1ixB79pj-CRneIyW5jAEF242MyQ0JLxqd3uT8LNQw8bE/edit

OWASP CycloneDX - DoD CIO

A modern standard for the software supply chain DoD CIO - XBOM Panel 24 March 2023
