{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T04:09:24Z","timestamp":1750219764906,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":40,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,11,7]],"date-time":"2022-11-07T00:00:00Z","timestamp":1667779200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2022,11,7]]},"DOI":"10.1145\/3565384.3565889","type":"proceedings-article","created":{"date-parts":[[2022,11,18]],"date-time":"2022-11-18T18:03:53Z","timestamp":1668794633000},"page":"7-12","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":6,"title":["Engram"],"prefix":"10.1145","author":[{"given":"Shripad","family":"Nadgowda","sequence":"first","affiliation":[{"name":"Intel Corp."}]}],"member":"320","published-online":{"date-parts":[[2022,11,18]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Cli for generating sbom. https:\/\/github.com\/anchore\/syft.  Cli for generating sbom. https:\/\/github.com\/anchore\/syft."},{"key":"e_1_3_2_1_2_1","unstructured":"Modern security tools. https:\/\/github.com\/tap8stry.  Modern security tools. https:\/\/github.com\/tap8stry."},{"key":"e_1_3_2_1_3_1","unstructured":"A pluggable framework for supply chain security. https:\/\/github.com\/testifysec\/witness.  A pluggable framework for supply chain security. https:\/\/github.com\/testifysec\/witness."},{"key":"e_1_3_2_1_4_1","unstructured":"Vulnerability scanner for containers. https:\/\/github.com\/aquasecurity\/trivy.  Vulnerability scanner for containers. https:\/\/github.com\/aquasecurity\/trivy."},{"volume-title":"Briefing Rootm, https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/05\/12\/executive-order-on-improving-the-nations-cybersecurity\/","year":"2021","key":"e_1_3_2_1_5_1","unstructured":"Executive order on improving the nation's cybersecurity. The White House , Briefing Rootm, https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/05\/12\/executive-order-on-improving-the-nations-cybersecurity\/ , 2021 . Executive order on improving the nation's cybersecurity. The White House, Briefing Rootm, https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/05\/12\/executive-order-on-improving-the-nations-cybersecurity\/, 2021."},{"key":"e_1_3_2_1_6_1","volume-title":"Cloud-native applications: authoring and evaluation of two deployment patterns. Master's thesis","author":"Alaisami M.","year":"2018","unstructured":"M. Alaisami . Cloud-native applications: authoring and evaluation of two deployment patterns. Master's thesis , 2018 . M. Alaisami. Cloud-native applications: authoring and evaluation of two deployment patterns. Master's thesis, 2018."},{"key":"e_1_3_2_1_7_1","volume-title":"An architecture for trustworthy and transparent digital supply chains. https:\/\/www.ietf.org\/id\/draft-birkholz-scitt-architecture-00.html","author":"Birkholz H.","year":"2022","unstructured":"H. Birkholz , A. Delignat-Lavaud , and C. Fournet . An architecture for trustworthy and transparent digital supply chains. https:\/\/www.ietf.org\/id\/draft-birkholz-scitt-architecture-00.html , 2022 . H. Birkholz, A. Delignat-Lavaud, and C. Fournet. An architecture for trustworthy and transparent digital supply chains. https:\/\/www.ietf.org\/id\/draft-birkholz-scitt-architecture-00.html, 2022."},{"key":"e_1_3_2_1_8_1","volume-title":"The national vulnerability database (nvd): Overview","author":"Booth H.","year":"2013","unstructured":"H. Booth , D. Rike , G. A. Witte , The national vulnerability database (nvd): Overview . 2013 . H. Booth, D. Rike, G. A. Witte, et al. The national vulnerability database (nvd): Overview. 2013."},{"key":"e_1_3_2_1_9_1","unstructured":"Buildpacks. Cloud-native buildpacks. https:\/\/buildpacks.io\/.  Buildpacks. Cloud-native buildpacks. https:\/\/buildpacks.io\/."},{"key":"e_1_3_2_1_10_1","volume-title":"CARNEGIE-MELLON UNIV PITTSBURGH PA","author":"Chick T. A.","year":"2021","unstructured":"T. A. Chick . Mbse for devsecops ci\/cd pipeline. Technical report , CARNEGIE-MELLON UNIV PITTSBURGH PA , 2021 . T. A. Chick. Mbse for devsecops ci\/cd pipeline. Technical report, CARNEGIE-MELLON UNIV PITTSBURGH PA, 2021."},{"key":"e_1_3_2_1_11_1","volume-title":"CARNEGIE-MELLON UNIV PITTSBURGH PA","author":"Chick T. A.","year":"2021","unstructured":"T. A. Chick , A. Reffett , N. Shevchenko , and J. Yankel . Modeling devsecops to reduce the time-to-deploy and increase resiliency. Technical report , CARNEGIE-MELLON UNIV PITTSBURGH PA , 2021 . T. A. Chick, A. Reffett, N. Shevchenko, and J. Yankel. Modeling devsecops to reduce the time-to-deploy and increase resiliency. Technical report, CARNEGIE-MELLON UNIV PITTSBURGH PA, 2021."},{"volume-title":"https:\/\/cloudevents.io\/","year":"2022","key":"e_1_3_2_1_12_1","unstructured":"cloudevents. Cloudevents. https:\/\/cloudevents.io\/ , 2022 . cloudevents. Cloudevents. https:\/\/cloudevents.io\/, 2022."},{"key":"e_1_3_2_1_13_1","unstructured":"CNCF. Secure software factory. https:\/\/www.cncf.io\/blog\/2022\/05\/20\/announcing-the-secure-software-factory-reference-architecture-paper\/.  CNCF. Secure software factory. https:\/\/www.cncf.io\/blog\/2022\/05\/20\/announcing-the-secure-software-factory-reference-architecture-paper\/."},{"key":"e_1_3_2_1_14_1","volume-title":"August, mimeo","author":"Curti F.","year":"2019","unstructured":"F. Curti , J. Gerlach , S. Kazinnik , M. Lee , and A. Mihov . Cyber risk definition and classification for financial risk management. Federal Reserve Bank of St Louis , August, mimeo , 2019 . F. Curti, J. Gerlach, S. Kazinnik, M. Lee, and A. Mihov. Cyber risk definition and classification for financial risk management. Federal Reserve Bank of St Louis, August, mimeo, 2019."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1017\/S0956796810000195"},{"key":"e_1_3_2_1_16_1","volume-title":"Provisioning pipelines: a managed devsecops approach to pipeline creation. Technical report","author":"Ficorilli S. T.","year":"2020","unstructured":"S. T. Ficorilli , J. A. Morales , and A. Volkmann . Provisioning pipelines: a managed devsecops approach to pipeline creation. Technical report , Carnegie Mellon University Software Engineering Institute Pittsburgh United ..., 2020 . S. T. Ficorilli, J. A. Morales, and A. Volkmann. Provisioning pipelines: a managed devsecops approach to pipeline creation. Technical report, Carnegie Mellon University Software Engineering Institute Pittsburgh United ..., 2020."},{"key":"e_1_3_2_1_17_1","unstructured":"E. U. A. for Cybersecurity. Understanding the increase in supply chain security attacks. https:\/\/www.enisa.europa.eu\/news\/enisa-news\/understanding-the-increase-in-supply-chain-security-attacks.  E. U. A. for Cybersecurity. Understanding the increase in supply chain security attacks. https:\/\/www.enisa.europa.eu\/news\/enisa-news\/understanding-the-increase-in-supply-chain-security-attacks."},{"key":"e_1_3_2_1_18_1","unstructured":"GitHub. Automate workflows from idea to production. https:\/\/github.com\/features\/actions.  GitHub. Automate workflows from idea to production. https:\/\/github.com\/features\/actions."},{"volume-title":"Code securely and faster with open source. https:\/\/github.com\/dependabot","year":"2020","key":"e_1_3_2_1_19_1","unstructured":"GitHub. Code securely and faster with open source. https:\/\/github.com\/dependabot , 2020 . GitHub. Code securely and faster with open source. https:\/\/github.com\/dependabot, 2020."},{"volume-title":"Understand your dependencies. https:\/\/deps.dev\/","year":"2022","key":"e_1_3_2_1_20_1","unstructured":"Google. Understand your dependencies. https:\/\/deps.dev\/ , 2022 . Google. Understand your dependencies. https:\/\/deps.dev\/, 2022."},{"key":"e_1_3_2_1_21_1","volume-title":"Supply chain attacks and resiliency mitigations","author":"Heinbockel W. J.","year":"2017","unstructured":"W. J. Heinbockel , E. R. Laderman , and G. J. Serrao . Supply chain attacks and resiliency mitigations . The MITRE Corporation , 2017 . W. J. Heinbockel, E. R. Laderman, and G. J. Serrao. Supply chain attacks and resiliency mitigations. The MITRE Corporation, 2017."},{"key":"e_1_3_2_1_22_1","unstructured":"T. Insider. What is the solarwinds hack and why is it a big deal? https:\/\/www.businessinsider.com\/solarwinds-hack-explained-government-agencies-cyber-security-2020-12.  T. Insider. What is the solarwinds hack and why is it a big deal? https:\/\/www.businessinsider.com\/solarwinds-hack-explained-government-agencies-cyber-security-2020-12."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/3493649.3493655"},{"key":"e_1_3_2_1_24_1","unstructured":"npr. Equifax to pay up to 700 million in data breach settlement. https:\/\/www.npr.org\/2019\/07\/22\/744050565\/equifax-to-pay-up-to-700-million-in-data-breach-settlement.  npr. Equifax to pay up to 700 million in data breach settlement. https:\/\/www.npr.org\/2019\/07\/22\/744050565\/equifax-to-pay-up-to-700-million-in-data-breach-settlement."},{"key":"e_1_3_2_1_25_1","volume-title":"of Commerce. The minimum elements for a software bill of materials (sbom)","author":"T. U. S.","year":"2021","unstructured":"T. U. S. D. of Commerce. The minimum elements for a software bill of materials (sbom) . 2021 . T. U. S. D. of Commerce. The minimum elements for a software bill of materials (sbom). 2021."},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-52683-2_2"},{"key":"e_1_3_2_1_27_1","unstructured":"openSSF. Open source security foundation. https:\/\/openssf.org\/.  openSSF. Open source security foundation. https:\/\/openssf.org\/."},{"key":"e_1_3_2_1_28_1","unstructured":"OWASP. The open web application security project. https:\/\/owasp.org\/.  OWASP. The open web application security project. https:\/\/owasp.org\/."},{"key":"e_1_3_2_1_29_1","volume-title":"Software component verification standard. https:\/\/owasp.org\/www-project-software-component-verification-standard\/","author":"OWASP.","year":"2022","unstructured":"OWASP. Software component verification standard. https:\/\/owasp.org\/www-project-software-component-verification-standard\/ , 2022 . OWASP. Software component verification standard. https:\/\/owasp.org\/www-project-software-component-verification-standard\/, 2022."},{"key":"e_1_3_2_1_30_1","unstructured":"D. T. OWASP. Continuous sbom analysis platform. https:\/\/dependencytrack.org\/.  D. T. OWASP. Continuous sbom analysis platform. https:\/\/dependencytrack.org\/."},{"key":"e_1_3_2_1_31_1","volume-title":"Innovation insight for sboms. https:\/\/www.gartner.com\/en\/documents\/4011501","author":"Research G.","year":"2022","unstructured":"G. Research . Innovation insight for sboms. https:\/\/www.gartner.com\/en\/documents\/4011501 , 2022 . G. Research. Innovation insight for sboms. https:\/\/www.gartner.com\/en\/documents\/4011501, 2022."},{"key":"e_1_3_2_1_32_1","volume-title":"Orion: Go beyond package manager discovery for your sbom. https:\/\/thenewstack.io\/orion-go-beyond-package-manager-discovery-for-your-sbom\/","author":"Shripad Nadgowda L. L.","year":"2021","unstructured":"L. L. Shripad Nadgowda . Orion: Go beyond package manager discovery for your sbom. https:\/\/thenewstack.io\/orion-go-beyond-package-manager-discovery-for-your-sbom\/ , 2021 . L. L. Shripad Nadgowda. Orion: Go beyond package manager discovery for your sbom. https:\/\/thenewstack.io\/orion-go-beyond-package-manager-discovery-for-your-sbom\/, 2021."},{"key":"e_1_3_2_1_33_1","unstructured":"Sigstore. A new standard for signing verifying and protecting software. https:\/\/www.sigstore.dev\/.  Sigstore. A new standard for signing verifying and protecting software. https:\/\/www.sigstore.dev\/."},{"key":"e_1_3_2_1_34_1","unstructured":"SLSA. Supply-chain levels for software artifacts. https:\/\/slsa.dev\/.  SLSA. Supply-chain levels for software artifacts. https:\/\/slsa.dev\/."},{"key":"e_1_3_2_1_35_1","unstructured":"Snyk. Developer-first cloud native application security. https:\/\/snyk.io.  Snyk. Developer-first cloud native application security. https:\/\/snyk.io."},{"key":"e_1_3_2_1_36_1","first-page":"218","article-title":"Secure software development framework (ssdf) version 1.1","volume":"800","author":"Souppaya M.","year":"2022","unstructured":"M. Souppaya , K. Scarfone , and D. Dodson . Secure software development framework (ssdf) version 1.1 . NIST Special Publication , 800 : 218 , 2022 . M. Souppaya, K. Scarfone, and D. Dodson. Secure software development framework (ssdf) version 1.1. NIST Special Publication, 800:218, 2022.","journal-title":"NIST Special Publication"},{"key":"e_1_3_2_1_37_1","unstructured":"tekton. Catalog of shared tasks and pipelines. https:\/\/github.com\/tektoncd\/catalog.  tekton. Catalog of shared tasks and pipelines. https:\/\/github.com\/tektoncd\/catalog."},{"key":"e_1_3_2_1_38_1","first-page":"199","volume-title":"2018 USENIX Annual Technical Conference (USENIX ATC 18)","author":"Thalheim J.","year":"2018","unstructured":"J. Thalheim , P. Bhatotia , P. Fonseca , and B. Kasikci . Cntr: Lightweight {OS} containers . In 2018 USENIX Annual Technical Conference (USENIX ATC 18) , pages 199 -- 212 , 2018 . J. Thalheim, P. Bhatotia, P. Fonseca, and B. Kasikci. Cntr: Lightweight {OS} containers. In 2018 USENIX Annual Technical Conference (USENIX ATC 18), pages 199--212, 2018."},{"key":"e_1_3_2_1_39_1","first-page":"1393","volume-title":"28th USENIX Security Symposium (USENIX Security 19)","author":"Torres-Arias S.","year":"2019","unstructured":"S. Torres-Arias , H. Afzali , T. K. Kuppusamy , R. Curtmola , and J. Cappos . in-toto: Providing farm-to-table guarantees for bits and bytes . In 28th USENIX Security Symposium (USENIX Security 19) , pages 1393 -- 1410 , 2019 . S. Torres-Arias, H. Afzali, T. K. Kuppusamy, R. Curtmola, and J. Cappos. in-toto: Providing farm-to-table guarantees for bits and bytes. In 28th USENIX Security Symposium (USENIX Security 19), pages 1393--1410, 2019."},{"key":"e_1_3_2_1_40_1","volume-title":"CARNEGIE-MELLON UNIV PITTSBURGH PA PITTSBURGH United States","author":"Woody C.","year":"2020","unstructured":"C. Woody , T. Chick , A. Reffett , S. PAVETTI, R. LAUGHLIN, B. FRYE, and M. BANDOR. Devsecops pipeline for complex software intensive systems: Addressing the cybersecurity challenges. Technical report , CARNEGIE-MELLON UNIV PITTSBURGH PA PITTSBURGH United States , 2020 . C. Woody, T. Chick, A. Reffett, S. PAVETTI, R. LAUGHLIN, B. FRYE, and M. BANDOR. Devsecops pipeline for complex software intensive systems: Addressing the cybersecurity challenges. Technical report, CARNEGIE-MELLON UNIV PITTSBURGH PA PITTSBURGH United States, 2020."}],"event":{"name":"Middleware '22: 23rd International Middleware Conference","sponsor":["ACM Association for Computing Machinery","USENIX Assoc USENIX Assoc","IFIP"],"location":"Quebec Quebec City Canada","acronym":"Middleware '22"},"container-title":["Proceedings of the Eighth International Workshop on Container Technologies and Container Clouds"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3565384.3565889","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3565384.3565889","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:37:13Z","timestamp":1750178233000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3565384.3565889"}},"subtitle":["the one security platform for modern software supply chain risks"],"short-title":[],"issued":{"date-parts":[[2022,11,7]]},"references-count":40,"alternative-id":["10.1145\/3565384.3565889","10.1145\/3565384"],"URL":"https:\/\/doi.org\/10.1145\/3565384.3565889","relation":{},"subject":[],"published":{"date-parts":[[2022,11,7]]},"assertion":[{"value":"2022-11-18","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}