Hello Reader,

In this episode, I'm doing a mega-recap, focused on SBOMs (Software Bills of Materials). Over three podcast episodes, I've been honored to talk to some of the biggest names in the SBOM community about why SBOMs matter, what’s driving interest right now, and how they can help us make software safer and more trustworthy.

“Software Bill of Materials is the radical notion that we should actually know what’s in our software.” - Allan Friedman of CISA, known as the father of SBOM

I love this quote because it sums up the core reason for SBOMs: we need to see what’s under the hood before we can protect it.

I first got involved with SBOMs just over a year ago, driven by my goal to make Screenly adhere to Secure by Design. During that journey, I co-led a CISA working group on SBOM Generation (white paper coming soon). Diving deeper into SBOMs showed me key shortcomings in existing tooling, so I created sbomify (also available on GitHub) to help fill those gaps around the SBOM life cycle.

Why This Matters

Software Bills of Materials are like a list of ingredients for our software. They tell us what parts go into the code, so we can track down risks or vulnerabilities quickly. A few highlights:
Why Now

US Executive Order (14028)
EU Cyber Resilience Act (CRA)
Rising Demand Everywhere
Episode Summaries

I combined three shows on SBOMs for one mega recap:

Allan Friedman - The father of SBOMs

Allan, a key SBOM champion at CISA (Cybersecurity and Infrastructure Security Agency), explained how modern software depends heavily on open source. We also talked about the US Executive Order and why the government wants more transparency. Episode home, or watch on YouTube, Spotify or Apple Podcasts.

Steve Springett - Creator of CycloneDX

Steve is the brain behind CycloneDX, an SBOM standard. We chatted about how SBOMs need to be a repeatable process, not a one-time event. He stressed the importance of automation and how tools can plug into a CI/CD pipeline. Steve is also the creator of the now famous (SBOM-based) security audit tool Dependency-Track. Episode home, or watch on YouTube, Spotify or Apple Podcasts.

Kate Stewart and Gary O’Neall - SPDX

These leaders in the SPDX community shared how SPDX began with open source license compliance. Now it’s also used for security. We compared SPDX and CycloneDX and how each tackles SBOM data. In the end, both formats let us answer the same question: “What’s in our software?” Episode home, or watch on YouTube, Spotify or Apple Podcasts.

Thanks for reading my SBOM mega-recap! If you have questions or stories about SBOMs, I’d love to hear them. I hope this newsletter helps you see how powerful SBOMs can be for security, compliance, and peace of mind. If you have any questions, comments or just want to catch up - just reply to this email.

Many thanks,

Social: Connect with me on Twitter, LinkedIn or Mastodon.
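To make the "both formats answer the same question" point concrete, here is an added example (my own illustration, not code from the podcast guests, sbomify or any project mentioned above) that reads a minimal CycloneDX JSON SBOM and a minimal SPDX 2.3 JSON SBOM and reduces each to the same ingredient list keyed by package URL (purl), so a pipeline can ask "do we ship component X?" without caring which format the supplier chose. The two SBOM documents are constructed sample data, and the helper names are my own.

```python
import json

# Constructed sample SBOMs: the same two dependencies described once in
# CycloneDX JSON and once in SPDX 2.3 JSON (not real project data).
CYCLONEDX_DOC = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "version": "1.26.18",
         "purl": "pkg:pypi/urllib3@1.26.18"},
    ],
})
SPDX_DOC = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "demo-app",
    "packages": [
        {"SPDXID": "SPDXRef-Package-requests", "name": "requests",
         "versionInfo": "2.31.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
        {"SPDXID": "SPDXRef-Package-urllib3", "name": "urllib3",
         "versionInfo": "1.26.18",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/urllib3@1.26.18"}]},
    ],
})


def ingredients(sbom_text):
    """Return {purl: (name, version)} from a CycloneDX or SPDX JSON SBOM."""
    doc = json.loads(sbom_text)
    found = {}
    if doc.get("bomFormat") == "CycloneDX":
        # CycloneDX keeps the purl directly on each component.
        for c in doc.get("components", []):
            key = c.get("purl") or f"{c['name']}@{c.get('version', '')}"
            found[key] = (c["name"], c.get("version", ""))
    elif str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        # SPDX carries the purl as an externalRef of type "purl".
        for p in doc.get("packages", []):
            purls = [r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"]
            key = purls[0] if purls else f"{p['name']}@{p.get('versionInfo', '')}"
            found[key] = (p["name"], p.get("versionInfo", ""))
    else:
        raise ValueError("unrecognised SBOM format")
    return found


def contains(sbom_text, purl):
    """True if the SBOM, in either format, lists the given package URL."""
    return purl in ingredients(sbom_text)
```

The same check can run in CI against whichever SBOM format a dependency's vendor publishes, which is the repeatable, automated use Steve argues for.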