| 1 | ++++ |
| 2 | +author = "Jason Smith" |
| 3 | +title = "The Evolution of SBOMs at OwnersBox" |
| 4 | +date = "2025-06-03" |
| 5 | +linkedin = "https://www.linkedin.com/posts/j28smith_the-evolution-of-sboms-at-ownersbox-practical-activity-7335755375452823552-tvyL" |
| 6 | +image = "img/thirdparty/2025-06-03-evolution-of-sboms-at-ownersbox.png" |
| 7 | ++++ |
| 8 | + |
| 9 | +I gave a presentation at the CISA SBOM Community Weekly Meeting yesterday where I shared how we approached SBOMs in my latest role at OwnersBox. SBOM adoption here was driven by a real need rather than just to check a box on some regulatory/compliance framework requirement (these checkboxes later became an added benefit). |
| 10 | + |
| 11 | +In my presentation I covered: |
| 12 | + |
| 13 | +π± The real-world incident that triggered our SBOM journey |
| 14 | + |
| 15 | +π οΈ How we built and automated SBOMs into our pipelines |
| 16 | + |
| 17 | +π Custom tooling to turn raw SBOMs into actionable insights |
| 18 | + |
| 19 | +β¨ The impact on risk, compliance and development culture |
| 20 | + |
| 21 | +π§ Where I see SBOMs going next - towards secure and trustable software transparency |
| 22 | + |
| 23 | +During the presentation, I also shared a fun (and slightly chaotic) story from the technical due diligence process during the acquisition of the first startup I worked at. |
| 24 | + |
| 25 | +Back then, SBOMs didn't exist. So I had to manually compile a list of all third-party software we were using. And since the team wasn't yet aware of the potential acquisition, I had to do it somewhat quietly. |
| 26 | + |
| 27 | +What followed was a week or two of digging through git repos and build files, piecing everything together by hand. π€― |
| 28 | + |
| 29 | +It really drove home how far we've come and how valuable structured, automated SBOMs are today. |
| 30 | + |
| 31 | +I hope it helps others working to operationalize software transparency in their organizations and highlights that the real value goes far beyond simply checking a box for regulatory or compliance framework requirements. |
| 32 | + |
| 33 | +Thanks again Allan Friedman, PhD for the invite and continuing to bring the SBOM community together and promoting software transparency. |
| 34 | + |
| 35 | +ππ¬ Curious to see the full deck? Comment "SBOM" and I'll DM you the Google Slides link. |
| 36 | + |
| 37 | +#SBOM #SoftwareSupplyChain #DevSecOps #AppSec #CyberSecurity #CISA #Startup #SoftwareSecurity #OpenSourceSecurity #SecurityEngineering #SoftwareTransparency #SecureByDesign #SupplyChainSecurity |
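Review bot: the emoji bullet markers in the "In my presentation I covered" list, the "digging through git repos" paragraph and the "Curious to see the full deck?" line have been committed as mojibake ("π±", "π οΈ", "β¨", "π€―", "ππ¬") rather than the intended glyphs, so the published page will show garbage where a bullet should be; save the file as UTF-8 without a second transcoding step (or swap the markers for plain `-` bullets so the list renders regardless of encoding) before merging. Secondly, the call to action "Comment "SBOM" and I'll DM you the Google Slides link" only works on LinkedIn; on this static page readers cannot comment, so either drop that line here or rephrase it to point at the post URL already given in the `linkedin` front-matter field.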