Hello Reader,

In this episode, I'm doing a mega-recap focused on SBOMs (Software Bills of Materials). Over three podcast episodes, I've been honored to talk to some of the biggest names in the SBOM community about why SBOMs matter, what's driving interest right now, and how they can help us make software safer and more trustworthy.

"Software Bill of Materials is the radical notion that we should actually know what's in our software." - Allan Friedman of CISA, known as the father of SBOM

I love this quote because it sums up the core reason for SBOMs: we need to see what's under the hood before we can protect it.

I first got involved with SBOMs just over a year ago, driven by my goal to make Screenly adhere to Secure by Design. During that journey, I co-led a CISA working group on SBOM Generation (white paper coming soon). Diving deeper into SBOMs showed me key shortcomings in existing tooling, so I created sbomify (also available on GitHub) to help fill those gaps around the SBOM life cycle.

Why This Matters

Software Bills of Materials are like a list of ingredients for our software. They tell us what parts go into the code, so we can track down risks or vulnerabilities quickly. A few highlights:

Why Now

- US Executive Order (14028)
- EU Cyber Resilience Act (CRA)
- Rising Demand Everywhere
Episode Summaries

I combined three shows on SBOMs for one mega recap:

Allan Friedman - The father of SBOMs

Allan, a key SBOM champion at CISA (Cybersecurity and Infrastructure Security Agency), explained how modern software depends heavily on open source. We also talked about the US Executive Order and why the government wants more transparency. Episode home, or watch on YouTube, Spotify or Apple Podcast.

Steve Springett - Creator of CycloneDX

Steve is the brain behind CycloneDX, an SBOM standard. We chatted about how SBOMs need to be a repeatable process, not a one-time event. He stressed the importance of automation and how tools can plug into a CI/CD pipeline. Steve is also the creator of the now famous (SBOM-based) security audit tool Dependency-Track. Episode home, or watch on YouTube, Spotify or Apple Podcast.

Kate Stewart and Gary O'Neall - SPDX

These leaders in the SPDX community shared how SPDX began with open source license compliance. Now it's also used for security. We compared SPDX and CycloneDX and how each tackles SBOM data. In the end, both formats let us answer the same question: "What's in our software?" Episode home, or watch on YouTube, Spotify or Apple Podcast.

Thanks for reading my SBOM mega-recap! If you have questions or stories about SBOMs, I'd love to hear them. I hope this newsletter helps you see how powerful SBOMs can be for security, compliance, and peace of mind. If you have any questions, comments or just want to catch up, just reply to this email.

Many thanks,

Social: Connect with me on Twitter, LinkedIn or Mastodon.
This podcast and newsletter focus on clear conversations about technology, security, and modern software. Experts share insights on DevOps tips, open source projects, cybersecurity, and Europe's move toward its own cloud services. You will hear about continuous integration, airplane hacking, and new laws that affect the tech industry. Each show explores real problems and fresh solutions in the digital world. By subscribing, you will keep up with the latest trends in software, gain helpful advice from pros, and stay current in a fast-changing environment. We also talk about supply chain security, IoT, and the details of building strong systems. This blend of technical ideas with real-world viewpoints is a great resource if you want to grow your skills, learn about new technology, and connect with others who love all things tech.