Building Better Software Transparency: My SBOM Mega-Recap


Hello Reader,

In this episode, I'm doing a mega-recap, focused on SBOMs (Software Bills of Materials). Over three podcast episodes, I've been honored to talk to some of the biggest names in the SBOM community about why SBOMs matter, what’s driving interest right now, and how they can help us make software safer and more trustworthy.

“Software Bill of Materials is the radical notion that we should actually know what’s in our software.”

- Allan Friedman of CISA, known as the father of SBOM

I love this quote because it sums up the core reason for SBOMs: we need to see what’s under the hood before we can protect it.

I first got involved with SBOMs just over a year ago, driven by my goal to make Screenly adhere to Secure by Design. During that journey, I co-led a CISA working group on SBOM Generation (white paper coming soon). Diving deeper into SBOMs showed me key shortcomings in existing tooling, so I created sbomify (also available on GitHub) to help fill those gaps around the SBOM life cycle.

Why This Matters

Software Bills of Materials are like a list of ingredients for our software. They tell us what parts go into the code, so we can track down risks or vulnerabilities quickly. A few highlights:

  • Transparency: SBOMs let us see inside our software. We can spot which libraries are used and who wrote them.
  • Security and Risk: When people discover a big flaw (like Log4j), SBOMs help us see if we’re affected.
  • Compliance: Regulations such as the US Executive Order on cybersecurity and the EU Cyber Resilience Act make SBOMs more important than ever.

Why Now

US Executive Order (14028)

  • The White House said federal agencies must demand better security practices, including SBOMs, from software suppliers.
  • This has pushed private companies to adopt SBOM tools, so they can quickly prove what’s inside their software.

EU Cyber Resilience Act (CRA)

  • Europe is also raising the bar. Under the CRA, companies must keep a machine-readable SBOM for products sold in the EU.
  • This helps everyone find vulnerabilities and fix them faster.

Rising Demand Everywhere

  • Customers now ask for SBOMs as part of security and license compliance reviews.
  • Large manufacturers (like medical device makers) see SBOMs as table stakes. Even SaaS providers are exploring SBOMs to increase transparency.
  • Compliance frameworks (SOC 2, NIST Cybersecurity Framework, ISO 27001, PCI DSS, etc.) are all moving toward the SBOM as a universal inventory of software.

Episode Summaries

I combined three shows on SBOMs into one mega-recap:

Allan Friedman - The father of SBOMs

Allan, a key SBOM champion at CISA (Cybersecurity and Infrastructure Security Agency), explained how modern software depends heavily on open source. We also talked about the US Executive Order and why the government wants more transparency.


Episode home, or watch on YouTube, Spotify or Apple Podcast.

Steve Springett - Creator of CycloneDX

Steve is the brain behind CycloneDX, an SBOM standard. We chatted about how SBOMs need to be a repeatable process, not a one-time event. He stressed the importance of automation and how tools can plug into a CI/CD pipeline.

Steve is also the creator of the now famous (SBOM-based) security audit tool Dependency-Track.


Episode home, or watch on YouTube, Spotify or Apple Podcast.

Kate Stewart and Gary O’Neall - SPDX

These leaders in the SPDX community shared how SPDX began with open source license compliance. Now it’s also used for security. We compared SPDX and CycloneDX and how each tackles SBOM data. In the end, both formats let us answer the same question: “What’s in our software?”
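The Log4j bullet under "Why This Matters" and the CycloneDX-versus-SPDX comparison above both come down to one operation: read the SBOM, find a component, compare its version against the affected range. Here is an added example of that operation in Python; it is not code from the newsletter, from CycloneDX or from SPDX. The two SBOM documents are constructed samples that use the real top-level field names of CycloneDX JSON and SPDX JSON, and the "log4j-core below 2.15.0" range is an illustrative placeholder to be replaced with the range from the actual advisory.

```python
"""Query two minimal SBOMs (one CycloneDX, one SPDX) for an affected component.

Added example, not the newsletter's or the CycloneDX/SPDX projects' code.
Both documents below are constructed sample data; the affected range passed
to find_affected() is an illustrative placeholder, not a real advisory.
"""
import json

# Constructed CycloneDX 1.5 JSON document (sample data, not from a real build).
CYCLONEDX_DOC = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.15.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
    ],
})

# Constructed SPDX 2.3 JSON document (sample data, not from a real build).
SPDX_DOC = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-service",
    "packages": [
        {"SPDXID": "SPDXRef-Package-log4j-core", "name": "log4j-core",
         "versionInfo": "2.17.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]},
        {"SPDXID": "SPDXRef-Package-requests", "name": "requests",
         "versionInfo": "2.31.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
    ],
})


def load_components(sbom_text):
    """Normalise either format to a list of (purl, name, version) tuples."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") == "CycloneDX":
        return [(c.get("purl"), c["name"], c.get("version"))
                for c in doc.get("components", [])]
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        out = []
        for p in doc.get("packages", []):
            # SPDX keeps the purl as an external reference rather than a field.
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            out.append((purl, p["name"], p.get("versionInfo")))
        return out
    raise ValueError("unrecognised SBOM format")


def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1); non-numeric parts compare as 0."""
    return tuple(int(x) if x.isdigit() else 0 for x in v.split("."))


def find_affected(sbom_text, purl_prefix, fixed_in):
    """Return (name, version) of components matching purl_prefix with a version below fixed_in."""
    hits = []
    for purl, name, version in load_components(sbom_text):
        if purl and purl.split("@")[0] == purl_prefix and version:
            if parse_version(version) < parse_version(fixed_in):
                hits.append((name, version))
    return hits


if __name__ == "__main__":
    # Placeholder range: log4j-core below 2.15.0. Use the real advisory's range in practice.
    for label, doc in (("CycloneDX", CYCLONEDX_DOC), ("SPDX", SPDX_DOC)):
        print(label, find_affected(doc, "pkg:maven/org.apache.logging.log4j/log4j-core", "2.15.0"))
```

The point of normalising on the purl rather than the bare name is that "log4j-core" could name several packages across ecosystems; the purl pins ecosystem and namespace, which is why both formats carry it. The version comparison here is deliberately simple and would need a proper semantic-version library for pre-release tags.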


Episode home, or watch on YouTube, Spotify or Apple Podcast.

Thanks for reading my SBOM mega-recap! If you have questions or stories about SBOMs, I’d love to hear them. I hope this newsletter helps you see how powerful SBOMs can be for security, compliance, and peace of mind.

If you have any questions, comments or just want to catch up - just reply to this email.

Many thanks,
Viktor

Social: Connect with me on Twitter, LinkedIn or Mastodon.
Podcast: Subscribe on YouTube, Spotify or Apple Podcast.

Nerding Out with Viktor

This podcast and newsletter focus on clear conversations about technology, security, and modern software. Experts share insights on DevOps tips, open source projects, cybersecurity, and Europe's move toward its own cloud services. You will hear about continuous integration, airplane hacking, and new laws that affect the tech industry. Each show explores real problems and fresh solutions in the digital world. By subscribing, you will keep up with the latest trends in software, gain helpful advice from pros, and stay current in a fast-changing environment. We also talk about supply chain security, IoT, and the details of building strong systems. This blend of technical ideas with real-world viewpoints is a great resource if you want to grow your skills, learn about new technology, and connect with others who love all things tech.
