Merge pull request #14 from shiftleftcyber/jason

Adding / Updating Blog Posts

Author: j28smith

…at_is_an_sbom_and_why_should_you_care.md …at_is_an_sbom_and_why_should_you_care.mdmarketing/content/blog/2025-04-20-what_is_an_sbom_and_why_should_you_care.md renamed to marketing/content/blog/2025-03-30-what_is_an_sbom_and_why_should_you_care.md marketing/content/blog/2025-04-20-what_is_an_sbom_and_why_should_you_care.md renamed to marketing/content/blog/2025-03-30-what_is_an_sbom_and_why_should_you_care.md

@@ -1,7 +1,7 @@
 +++
 author = "Jason Smith"
 title = "What is an SBOM & Why Should You Care? 🤔💡"
-date = "2025-04-20"
+date = "2025-03-30"
 linkedin = "https://www.linkedin.com/posts/j28smith_cybersecurity-sbom-softwaresecurity-activity-7313193464173629444-8KfY"
 image = "img/thirdparty/ingredient-list-sbom.jpeg"
 +++

…n_canada_in_groceries_and_in_software.md …n_canada_in_groceries_and_in_software.mdmarketing/content/blog/2025-04-27-made_in_canada_in_groceries_and_in_software.md renamed to marketing/content/blog/2025-04-06-made_in_canada_in_groceries_and_in_software.md marketing/content/blog/2025-04-27-made_in_canada_in_groceries_and_in_software.md renamed to marketing/content/blog/2025-04-06-made_in_canada_in_groceries_and_in_software.md

@@ -1,7 +1,7 @@
 +++
 author = "Jason Smith"
 title = "'Made in Canada' - in Groceries and in Software 🛒🍁💻"
-date = "2025-04-27"
+date = "2025-04-06"
 linkedin = "https://www.linkedin.com/posts/j28smith_product-of-canada-vs-made-in-canada-activity-7315682416231096320-vusd"
 image = "img/thirdparty/made-in-vs-product-of-canada.png"
 youtube = "pApbYrNuAg4"

…-05-04-not_all_boms_are_created_equal.md …-04-13-not_all_boms_are_created_equal.mdmarketing/content/blog/2025-05-04-not_all_boms_are_created_equal.md renamed to marketing/content/blog/2025-04-13-not_all_boms_are_created_equal.md marketing/content/blog/2025-05-04-not_all_boms_are_created_equal.md renamed to marketing/content/blog/2025-04-13-not_all_boms_are_created_equal.md

@@ -1,7 +1,7 @@
 +++
 author = "Jason Smith"
 title = "Not all BOMs are created equal 👀"
-date = "2025-05-04"
+date = "2025-04-13"
 linkedin = "https://www.linkedin.com/posts/j28smith_sbom-cybersecurity-softwaredevelopment-activity-7318222884273823745-gKGJ"
 image = "img/thirdparty/bom-vs-sbom.jpeg"
 +++

…/blog/2025-05-11-whats_inside_an_sbom.md …/blog/2025-04-20-whats_inside_an_sbom.mdmarketing/content/blog/2025-05-11-whats_inside_an_sbom.md renamed to marketing/content/blog/2025-04-20-whats_inside_an_sbom.md marketing/content/blog/2025-05-11-whats_inside_an_sbom.md renamed to marketing/content/blog/2025-04-20-whats_inside_an_sbom.md

@@ -1,7 +1,7 @@
 +++
 author = "Jason Smith"
 title = "What's Inside an SBOM? 🧠"
-date = "2025-05-11"
+date = "2025-04-20"
 linkedin = "https://www.linkedin.com/posts/j28smith_sbom-cybersecurity-softwaredevelopment-activity-7320829663931510785-XfKw"
 image = "img/thirdparty/sbom-high-level-object-model-cyclonedx.jpeg"
 +++

…5-18-sbom_creators_and_consumers copy.md …4-27-sbom_creators_and_consumers copy.mdmarketing/content/blog/2025-05-18-sbom_creators_and_consumers copy.md renamed to marketing/content/blog/2025-04-27-sbom_creators_and_consumers copy.md marketing/content/blog/2025-05-18-sbom_creators_and_consumers copy.md renamed to marketing/content/blog/2025-04-27-sbom_creators_and_consumers copy.md

@@ -1,7 +1,7 @@
 +++
 author = "Jason Smith"
 title = "𝗪𝗵𝗼 𝗮𝗰𝘁𝘂𝗮𝗹𝗹𝘆 𝗯𝘂𝗶𝗹𝗱𝘀 𝗦𝗕𝗢𝗠𝘀? 𝗔𝗻𝗱 𝘄𝗵𝗼 𝗻𝗲𝗲𝗱𝘀 𝘁𝗵𝗲𝗺? 🤔🔍"
-date = "2025-05-18"
+date = "2025-04-27"
 linkedin = "https://www.linkedin.com/posts/j28smith_sbom-supplychainsecurity-cybersecurity-activity-7323408174688980993-TPze"
 image = "img/thirdparty/sbom-creators-and-consumers.png"
 +++

…-05-25-why-sboms-are-not-one-and-done.md …-05-04-why-sboms-are-not-one-and-done.mdmarketing/content/blog/2025-05-25-why-sboms-are-not-one-and-done.md renamed to marketing/content/blog/2025-05-04-why-sboms-are-not-one-and-done.md marketing/content/blog/2025-05-25-why-sboms-are-not-one-and-done.md renamed to marketing/content/blog/2025-05-04-why-sboms-are-not-one-and-done.md

@@ -1,7 +1,7 @@
 +++
 author = "Jason Smith"
 title = "Why SBOMs Are Not One-and-Done 📦🔄"
-date = "2025-05-25"
+date = "2025-05-04"
 linkedin = "https://www.linkedin.com/posts/j28smith_sbom-cybersecurity-softwaresupplychain-activity-7325922851973189634-o0SG"
 image = "img/thirdparty/2025-05-25-SBOMLifecycle.jpeg"
 +++

marketing/content/blog/2025-05-11-your-sbom-can-be-hacked.md

@@ -0,0 +1,37 @@
++++
+author = "Jason Smith"
+title = "Your SBOM Can Be Hacked 📦💀"
+date = "2025-05-11"
+linkedin = "https://www.linkedin.com/posts/j28smith_sbom-cybersecurity-supplychainsecurity-activity-7328855820031406080-e8UD/"
+image = "img/thirdparty/2025-06-01-sbom-attack-vectors.jpeg"
++++
+
+Yes, even the one you just generated.
+
+An SBOM (Software Bill of Materials) is supposed to bring transparency and trust to your software supply chain. But what happens when that trust is exploited?
+
+Here are just a few ways bad actors can manipulate or weaponize SBOMs:
+
+🔍 Omission of Components
+
+An SBOM that leaves out a vulnerable dependency is worse than useless - it gives a false sense of security.
+
+≠ Mismatched Versions
+
+Listing libxyz v2.1.0 when you're really running v1.4.0? Easy to do - and dangerous. You might think you've patched a CVE when you actually haven't.
+
+🎭 SBOM Spoofing
+
+Bad actors can generate fake SBOMs and pass them off as legitimate. No validation? No problem (for them).
+
+🔧 Tampering
+
+Even if your SBOM was accurate when generated, nothing stops someone from modifying it later - unless it's signed.
+
+If you can't verify that an SBOM is authentic, complete, and current, you're leaving the door open for manipulation.
+
+🧠 SBOMs without integrity are like unsealed envelopes - anyone can open it up and alter what's inside.
+
+How do you verify the integrity of your SBOMs today? Is it automated? Do you sign and verify? I'd love to hear from others navigating this. 💬👇
+
+#SBOM #CyberSecurity #SupplyChainSecurity #SecureDevelopment #SoftwareIntegrity #DevSecOps #OpenSourceSecurity #ApplicationSecurity #DigitalTrust

marketing/content/blog/2025-05-18-what-makes-signing-sboms-hard-in-practice.md

@@ -0,0 +1,43 @@
++++
+author = "Jason Smith"
+title = "🔐 What Makes Signing SBOMs Hard in Practice?"
+date = "2025-05-18"
+linkedin = "https://www.linkedin.com/posts/j28smith_sbom-supplychainsecurity-softwaresecurity-activity-7333912094414618624-AB-Y"
+image = "img/thirdparty/2025-05-18-hidden-complexity-sbom-signing.jpeg"
++++
+
+Everyone agrees SBOMs should be signed.
+
+But actually doing it? That's where things get messy.
+
+Let's talk about why.
+
+🔑 Key Management Is Not Fun
+
+Where do the keys live?  Are they stored in software or secured in hardware (HSMs)?  Who manages them and who has access?  How are they rotated?  Is there proper auditability?
+
+⚖️ Trust Models Are Inconsistent
+
+Are you using your internal CA? A third-party like Sigstore?  Something else?  What do consumers actually trust?
+
+🔄 CI/CD Integration Isn't Always Straightforward
+
+You need to sign automatically as part of your pipeline, but build tools, permissions, and environments vary wildly.
+
+👤 Identity Binding Matters
+
+It's not just that something was signed, but who signed it? And verifying that identity isn't always easy.
+
+🏢 Enterprises Want Control
+
+Many larger organizations hesitate to use public, community-run signing services. They want auditability, offline modes, and policy enforcement.
+
+Signing is essential for SBOM integrity but we need to make it realistically adoptable.
+
+There's no one-size-fits-all approach here - and that's okay.
+
+Would love to hear how others are tackling SBOM signing today.  What's worked for you?  What hasn't?  Are we even there yet?
+
+💬👇 Drop a comment or DM me. Always happy to chat.
+
+#SBOM #SupplyChainSecurity #SoftwareSecurity #DigitalSignatures #PKI #DevSecOps #OpenSourceSecurity #SBOMSigning #CyberSecurity