My most recent podcast

I’m pleased to report that Cybellum, an Israel-based company whose mission is “…to enable manufacturers and their suppliers to develop and maintain products that aren’t just safe, but are also secure”, has just posted a podcast I taped with them a few months ago. I’m quite pleased with the results, which are due as much to their good questions as to anything I said.

The podcast – which is only 26 minutes long – ended up being very focused on what I believe is the biggest issue preventing widespread adoption of SBOMs by end user organizations (i.e. organizations whose primary mission isn’t developing software for other organizations. Developers are already heavily using SBOMs for their internal purposes, thank you very much): the current lack of tools and scalable third-party services to utilize SBOMs and VEX documents for software risk management purposes, as well as the relative dearth of written guidance on how non-developers can use SBOMs.

I’ll warn you that, if you’d rather hear happy stories about how SBOMs and VEXes are already being widely used and how it will just take a little more of what we’re currently doing to reach component security nirvana, perhaps you need to look for another podcast. There is a huge amount of work to be done, and even what I know to be in the pipeline at the current moment is totally inadequate to address what’s needed.

However, I’m also quite optimistic that what’s needed will come, and in the not-distant future. I’m optimistic because – as a student of Milton Friedman during his heyday at the University of Chicago – I believe that free markets will ultimately both a) allow consumer demand for SBOMs to rapidly grow from its current close-to-nonexistent level, and b) “monetize” the so-far-nascent (at best) sub-markets for tools and services for widespread distribution and utilization of SBOMs for vulnerability risk management purposes.

I also want to point out that the previous podcast in this same series featured Steve Springett, the creator of Dependency-Track (which I mention in the podcast, and have referred to multiple times in these posts) and leader of the OWASP CycloneDX project (Steve is also the brains behind the current effort to solve the naming problem, one of the primary inhibitors of widespread production and utilization of SBOMs).

I recommend you also listen to that podcast, since Steve provides some very good insights into the current and future state of SBOMs and VEXes. In my opinion, Steve is the intellectual leader of the SBOM and VEX communities. The rest of us are just trying to visit the places where he’s already arrived, made a big difference, then moved on to his next challenge.

Any opinions expressed in this blog post are strictly mine, and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.