Adding another blog post

j28smith · j28smith · commit 9fbbde839536 · 2025-09-23T21:56:31.000-04:00
Also fixing the dates of posts as they were off by a bit.  LinkedIn doesn't give a good exact date in the past.  Exporting my chat history in ChatGPT I was able to figure this out.  Why is it so hard to show a timestamp in these systems?!?!
diff --git a/marketing/content/blog/2025-03-30-what_is_an_sbom_and_why_should_you_care.md b/marketing/content/blog/2025-03-30-what_is_an_sbom_and_why_should_you_care.md
@@ -1,7 +1,7 @@
 +++
 author = "Jason Smith"
 title = "What is an SBOM & Why Should You Care? 🤔💡"
-date = "2025-04-20"
+date = "2025-03-30"
 linkedin = "https://www.linkedin.com/posts/j28smith_cybersecurity-sbom-softwaresecurity-activity-7313193464173629444-8KfY"
 image = "img/thirdparty/ingredient-list-sbom.jpeg"
 +++
diff --git a/marketing/content/blog/2025-04-06-made_in_canada_in_groceries_and_in_software.md b/marketing/content/blog/2025-04-06-made_in_canada_in_groceries_and_in_software.md
@@ -1,7 +1,7 @@
 +++
 author = "Jason Smith"
 title = "'Made in Canada' - in Groceries and in Software 🛒🍁💻"
-date = "2025-04-27"
+date = "2025-04-06"
 linkedin = "https://www.linkedin.com/posts/j28smith_product-of-canada-vs-made-in-canada-activity-7315682416231096320-vusd"
 image = "img/thirdparty/made-in-vs-product-of-canada.png"
 youtube = "pApbYrNuAg4"
diff --git a/marketing/content/blog/2025-04-13-not_all_boms_are_created_equal.md b/marketing/content/blog/2025-04-13-not_all_boms_are_created_equal.md
@@ -1,7 +1,7 @@
 +++
 author = "Jason Smith"
 title = "Not all BOMs are created equal 👀"
-date = "2025-05-04"
+date = "2025-04-13"
 linkedin = "https://www.linkedin.com/posts/j28smith_sbom-cybersecurity-softwaredevelopment-activity-7318222884273823745-gKGJ"
 image = "img/thirdparty/bom-vs-sbom.jpeg"
 +++
diff --git a/marketing/content/blog/2025-04-20-whats_inside_an_sbom.md b/marketing/content/blog/2025-04-20-whats_inside_an_sbom.md
@@ -1,7 +1,7 @@
 +++
 author = "Jason Smith"
 title = "What's Inside an SBOM? 🧠"
-date = "2025-05-11"
+date = "2025-04-20"
 linkedin = "https://www.linkedin.com/posts/j28smith_sbom-cybersecurity-softwaredevelopment-activity-7320829663931510785-XfKw"
 image = "img/thirdparty/sbom-high-level-object-model-cyclonedx.jpeg"
 +++
diff --git a/marketing/content/blog/2025-04-27-sbom_creators_and_consumers copy.md b/marketing/content/blog/2025-04-27-sbom_creators_and_consumers copy.md
@@ -1,7 +1,7 @@
 +++
 author = "Jason Smith"
 title = "𝗪𝗵𝗼 𝗮𝗰𝘁𝘂𝗮𝗹𝗹𝘆 𝗯𝘂𝗶𝗹𝗱𝘀 𝗦𝗕𝗢𝗠𝘀? 𝗔𝗻𝗱 𝘄𝗵𝗼 𝗻𝗲𝗲𝗱𝘀 𝘁𝗵𝗲𝗺? 🤔🔍"
-date = "2025-05-18"
+date = "2025-04-27"
 linkedin = "https://www.linkedin.com/posts/j28smith_sbom-supplychainsecurity-cybersecurity-activity-7323408174688980993-TPze"
 image = "img/thirdparty/sbom-creators-and-consumers.png"
 +++
diff --git a/marketing/content/blog/2025-05-04-why-sboms-are-not-one-and-done.md b/marketing/content/blog/2025-05-04-why-sboms-are-not-one-and-done.md
@@ -1,7 +1,7 @@
 +++
 author = "Jason Smith"
 title = "Why SBOMs Are Not One-and-Done 📦🔄"
-date = "2025-05-25"
+date = "2025-05-04"
 linkedin = "https://www.linkedin.com/posts/j28smith_sbom-cybersecurity-softwaresupplychain-activity-7325922851973189634-o0SG"
 image = "img/thirdparty/2025-05-25-SBOMLifecycle.jpeg"
 +++
diff --git a/marketing/content/blog/2025-05-11-your-sbom-can-be-hacked.md b/marketing/content/blog/2025-05-11-your-sbom-can-be-hacked.md
@@ -1,7 +1,7 @@
 +++
 author = "Jason Smith"
 title = "Your SBOM Can Be Hacked 📦💀"
-date = "2025-06-01"
+date = "2025-05-11"
 linkedin = "https://www.linkedin.com/posts/j28smith_sbom-cybersecurity-supplychainsecurity-activity-7328855820031406080-e8UD/"
 image = "img/thirdparty/2025-06-01-sbom-attack-vectors.jpeg"
 +++
diff --git a/marketing/content/blog/2025-05-18-what-makes-signing-sboms-hard-in-practice.md b/marketing/content/blog/2025-05-18-what-makes-signing-sboms-hard-in-practice.md
@@ -0,0 +1,43 @@
++++
+author = "Jason Smith"
+title = "🔐 What Makes Signing SBOMs Hard in Practice?"
+date = "2025-05-18"
+linkedin = "https://www.linkedin.com/posts/j28smith_sbom-supplychainsecurity-softwaresecurity-activity-7333912094414618624-AB-Y"
+image = "img/thirdparty/2025-05-18-hidden-complexity-sbom-signing.jpeg"
++++
+
+Everyone agrees SBOMs should be signed.
+
+But actually doing it? That's where things get messy.
+
+Let's talk about why.
+
+🔑 Key Management Is Not Fun
+
+Where do the keys live?  Are they stored in software or secured in hardware (HSMs)?  Who manages them and who has access?  How are they rotated?  Is there proper auditability?
+
+⚖️ Trust Models Are Inconsistent
+
+Are you using your internal CA? A third-party like Sigstore?  Something else?  What do consumers actually trust?
+
+🔄 CI/CD Integration Isn't Always Straightforward
+
+You need to sign automatically as part of your pipeline, but build tools, permissions, and environments vary wildly.
+
+👤 Identity Binding Matters
+
+It's not just that something was signed, but who signed it? And verifying that identity isn't always easy.
+
+🏢 Enterprises Want Control
+
+Many larger organizations hesitate to use public, community-run signing services. They want auditability, offline modes, and policy enforcement.
+
+Signing is essential for SBOM integrity but we need to make it realistically adoptable.
+
+There's no one-size-fits-all approach here - and that's okay.
+
+Would love to hear how others are tackling SBOM signing today.  What's worked for you?  What hasn't?  Are we even there yet?
+
+💬👇 Drop a comment or DM me. Always happy to chat.
+
+#SBOM #SupplyChainSecurity #SoftwareSecurity #DigitalSignatures #PKI #DevSecOps #OpenSourceSecurity #SBOMSigning #CyberSecurity
diff --git a/marketing/static/img/thirdparty/2025-05-04-SBOMLifecycle.jpeg b/marketing/static/img/thirdparty/2025-05-04-SBOMLifecycle.jpeg
diff --git a/marketing/static/img/thirdparty/2025-05-11-sbom-attack-vectors.jpeg b/marketing/static/img/thirdparty/2025-05-11-sbom-attack-vectors.jpeg
diff --git a/marketing/static/img/thirdparty/2025-05-18-hidden-complexity-sbom-signing.jpeg b/marketing/static/img/thirdparty/2025-05-18-hidden-complexity-sbom-signing.jpeg
