In this episode of Nerding Out With Viktor, host Viktor Petersson sits down with Steve Springett, a leading figure in the world of Software Bill of Materials (SBOMs) and the primary maintainer of CycloneDX, to explore the evolving landscape of software security and SBOMs.
Steve shares his journey into the SBOM space, starting with his early experiences in supply chain management and the creation of OWASP Dependency-Track, a project that began out of necessity to manage full-stack inventories of hardware and software. Steve discusses the challenges faced during the early days, the limitations of existing tools, and how these experiences informed his later contributions to CycloneDX.
The conversation dives deep into the technical nuances of SBOMs, including the differences between CycloneDX and SPDX, two of the most prominent SBOM standards. Steve and Viktor debate the pros and cons of each, with Steve emphasizing CycloneDX's pragmatic and automatable design philosophy. The discussion also touches on the complexities of supply chain security, including the importance of provenance, the challenges of dependency tracking, and the potential risks posed by nation-state adversaries.
Steve provides insights into the future of SBOMs and how they will likely become as standard in software development as unit testing is today. He also introduces the concept of OBOMs (Operational Bill of Materials), explaining how SBOMs can extend to cover runtime environments and services, ensuring a more comprehensive approach to managing and securing software stacks.
Key topics covered:
- Steve Springett's journey into SBOM and CycloneDX
- Differences between CycloneDX and SPDX
- The role of provenance in software supply chains
- The future of SBOMs and their importance in cybersecurity compliance
- Introduction to OBOMs and how they expand the SBOM concept
If you're working in software development, DevOps, or cybersecurity, this episode is packed with practical advice and forward-thinking insights on how SBOMs are reshaping the industry. Tune in to learn from one of the leading voices in the SBOM world and stay ahead in securing your software supply chain.
Check out sbomify at sbomify.com for a tool that simplifies SBOM generation and management!