Meet BOB: the supply chain provided “bill of behaviour” for anomaly-based runtime security
Currently, an SBOM (“Software Bill of Materials”) includes only static build-time information. We propose to strengthen supply-chain security by allowing vendors to also supply known benign runtime-behaviour information alongside the OCI artefacts as a “Bill of Behaviour” (BoB).
BoB allows users to detect anomalies from the provided baseline at runtime and thus infer malicious behaviour or tampering using well-known cloud native tools.
We demonstrate a PoC reference implementation and discuss early user feedback. We will also discuss limitations for the vendors and the impact on their software production.
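As an added illustration (not the talk's PoC or any vendor's code), the following Python sketches the core check the abstract describes: a vendor-supplied BoB declaring benign runtime behaviour is compared against runtime events and every deviation from that baseline is reported as an anomaly. The BoB schema, the event field names and all values are constructed assumptions for this example.

```python
import json

# Constructed example of a vendor-supplied "Bill of Behaviour" (BoB).
# The schema (keys and value types) is an assumption made for this example;
# the talk abstract does not specify a format.
BOB_JSON = """
{
  "behaviour": {
    "processes": ["/usr/bin/app", "/usr/bin/app-helper"],
    "outbound_ports": [443, 5432],
    "writable_paths": ["/var/lib/app/", "/tmp/"]
  }
}
"""

# Constructed runtime events as a generic runtime-security sensor might emit
# them (process exec, outbound connect, file write); field names are assumed.
EVENTS = [
    {"type": "exec", "binary": "/usr/bin/app"},
    {"type": "connect", "dst_port": 443},
    {"type": "write", "path": "/var/lib/app/state.db"},
    {"type": "exec", "binary": "/bin/sh"},
    {"type": "connect", "dst_port": 9001},
    {"type": "write", "path": "/usr/local/bin/extra"},
]

def load_bob(doc: str) -> dict:
    """Parse the BoB and normalise its allow-lists for fast lookup."""
    b = json.loads(doc)["behaviour"]
    return {
        "processes": set(b["processes"]),
        "outbound_ports": set(b["outbound_ports"]),
        "writable_paths": tuple(b["writable_paths"]),
    }

def check_event(bob: dict, ev: dict):
    """Return a reason string if the event deviates from the baseline, else None."""
    if ev["type"] == "exec" and ev["binary"] not in bob["processes"]:
        return f"unexpected process {ev['binary']}"
    if ev["type"] == "connect" and ev["dst_port"] not in bob["outbound_ports"]:
        return f"unexpected outbound port {ev['dst_port']}"
    if ev["type"] == "write" and not ev["path"].startswith(bob["writable_paths"]):
        return f"write outside declared paths: {ev['path']}"
    return None

def find_anomalies(bob: dict, events: list) -> list:
    """Compare a stream of runtime events against the BoB; return the deviations."""
    return [r for r in (check_event(bob, ev) for ev in events) if r]
```

In a real deployment the baseline would be shipped and verified together with the OCI artefact, and the event stream would come from the runtime-security tooling already present in the cluster.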
Constanze Roedig
Independent OpenSource Maintainer and Cybersecurity Researcher