The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon Europe 2025 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.
Please note: This schedule is automatically displayed in British Summer Time (BST) (UTC +1). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date." The schedule is subject to change and session seating is available on a first-come, first-served basis.
Malicious compliance has been highlighted in previous KubeCon talks as a challenge for software composition analysis, as it conceals OS and package information in container images and hides vulnerabilities. In this talk, we analyze how the landscape evolved over the past two years and propose improvements for SBOM generation. We found that open-source and cloud providers' tools remain vulnerable, which is even more visible in compressed images from public container registries. We uncover another form of malicious compliance with no standardization of package identifier format, resulting in inconsistencies in detected vulnerabilities between SBOM tools. To address this, we introduce an open-source methodology for layer-by-layer container image analysis, reconstructing complete history of file modifications and retrieving package metadata and package-related content, improving file coverage and SBOM accuracy. We finally outline concrete steps for advancing SBOM resilience and accuracy.
Agathe Blaise is currently a research engineer at Thales (Gennevilliers, France). She received the Ph.D. degree in Computer Science from LIP6, Sorbonne University (Paris, France) in 2020. Her research interests focus on cloud computing security, studying various aspects (container... Read More →
I've always enjoyed breaking things, that's why I work in security. After some years in industry working as DevOps, I moved to academia, focusing on cloud network security.
