Join Viktor, a proud nerd and seasoned entrepreneur, whose academic journey at Santa Clara University in Silicon Valley sparked a career marked by innovation and foresight. From his college days, Viktor embarked on an entrepreneurial path, beginning with YippieMove, a groundbreaking email migration service, and continuing with a series of bootstrapped ventures.

Episode 22
Steve Springett

SBOMs, CycloneDX, and Software Security with Steve Springett

20 Oct 2024 · 1 hour 12 mins

In this episode of Nerding Out With Viktor, Steve Springett joins Viktor Petersson for a thought-provoking conversation on the future of software security and compliance. As they delve into the world of CycloneDX, it becomes clear that standardization is key to unlocking true autonomy in software communication.

Steve, one of five core working group stewards overseeing CycloneDX’s standardization within Ecma International, shares his expertise with Viktor. He explains how their community-driven approach keeps Ecma TC54 TG1 aligned with industry needs. The discussion touches on the importance of sharing information across disparate systems, dependency tracking, and SBOMs (Software Bills of Materials), highlighting the potential for a single mainstream option if the standard is adopted by the big cloud vendors.

The conversation takes an interesting turn when Viktor asks about the concept of different types of SBOMs within CycloneDX. Steve explains that this approach allows for the creation of a single bill of materials by linking different components together. However, even in small deployments, this leads to multiple SBOMs, raising questions about best practices around production and consumption.

Steve emphasizes that CycloneDX represents a mix of existing SDLC (Software Development Life Cycle) and software asset management lifecycles, making it relatable to developers and IT professionals. He shares his vision for the future of software security and compliance, where organizations can communicate autonomously through standardized SBOMs.

Throughout their conversation, Viktor asks insightful questions, delving into topics such as the best practices around producing and consuming multiple SBOMs. Steve highlights that there’s no one-size-fits-all solution, but rather a need for flexibility in approaching software security and compliance.

As they geek out over the latest developments in SBOMs, it becomes clear that standardization is key to unlocking true autonomy in software communication. The conversation showcases Steve’s expertise as a pioneer in software security and compliance, providing listeners with practical knowledge and industry insights that can be applied to their own work.

Viktor asks Steve about his experience working on CycloneDX and how it compares to other SBOM standards such as SPDX. Steve explains the differences between the two, highlighting CycloneDX’s pragmatic and automatable design philosophy. He also discusses the challenges of dependency tracking and the importance of provenance in software supply chains.

As they discuss the future of SBOMs, Viktor asks if big cloud vendors would adopt a standard option, making it as common as unit testing is today. Steve emphasizes that CycloneDX can represent all kinds of things, hardware, software, containers, services, and more. He explains that while some organizations may choose to put everything into a single bill of materials, others may find it easier to separate them out and make everything linkable.
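The linking Steve describes, as an added example that is not from the episode or from the CycloneDX project: two constructed CycloneDX 1.5 documents, a container BOM whose embedded application component points at the application's own SBOM through a BOM-Link (the `urn:cdx:<serialNumber>/<version>#<bom-ref>` form the spec defines), and a resolver that follows such links against a local store and reports the ones that dangle. Component names, UUIDs and the store layout are assumptions.

```python
import json
import re

# Constructed sample BOMs (assumption: not from the episode), CycloneDX JSON, spec 1.5. The
# container BOM wraps the application and points at the application's own SBOM via a BOM-Link.
APP_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "metadata": {"component": {"type": "application", "name": "billing-api", "bom-ref": "app"}},
    "components": [{"type": "library", "name": "requests", "version": "2.32.3", "bom-ref": "lib-requests"}],
})
CONTAINER_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "serialNumber": "urn:uuid:9d0c0f62-1b7a-4c2e-9f3d-5e6a7b8c9d0e",
    "metadata": {"component": {"type": "container", "name": "billing-api-image", "bom-ref": "image"}},
    "components": [
        {"type": "application", "name": "billing-api", "bom-ref": "app-in-image", "externalReferences":
         [{"type": "bom", "url": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#app"}]},
        {"type": "application", "name": "log-shipper", "bom-ref": "sidecar", "externalReferences":
         [{"type": "bom", "url": "urn:cdx:7f1d2b3c-4e5f-4a6b-8c7d-9e0f1a2b3c4d/1"}]},  # SBOM never published
    ],
})

# BOM-Link syntax from the CycloneDX spec: urn:cdx:<serialNumber uuid>/<version>[#<bom-ref>]
BOM_LINK = re.compile(r"^urn:cdx:([0-9a-fA-F-]{36})/(\d+)(?:#(.+))?$")


def index_boms(*docs):
    """Key each BOM by (uuid, version) so BOM-Links can be resolved from a local store."""
    boms = [json.loads(raw) for raw in docs]
    return {(b["serialNumber"].removeprefix("urn:uuid:").lower(), str(b["version"])): b for b in boms}


def resolve_link(url, idx):
    """Resolve one BOM-Link against the index: (target element name or None, status)."""
    m = BOM_LINK.match(url)
    if not m:
        return None, "malformed-link"
    uuid, ver, frag = m.groups()
    target = idx.get((uuid.lower(), ver))
    if target is None:                                  # dangling link: nothing to verify against
        return None, "missing-bom"
    root = target["metadata"]["component"]              # no fragment means the whole BOM
    elems = {c["bom-ref"]: c for c in [root, *target.get("components", [])] if "bom-ref" in c}
    elem = root if frag is None else elems.get(frag)
    return (elem["name"], "ok") if elem else (None, "missing-bom-ref")


def resolve_links(bom, idx):
    """Resolve every 'bom' external reference carried by the BOM's components, keyed by bom-ref."""
    return {comp["bom-ref"]: resolve_link(ext["url"], idx)
            for comp in bom.get("components", [])
            for ext in comp.get("externalReferences", []) if ext.get("type") == "bom"}
```

A consumer that stores every BOM it receives can run `resolve_links` over each one to find components whose linked SBOM was never delivered, which is where the "multiple SBOMs" practice tends to break down.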

Steve shares his vision for the future of SBOMs, where organizations can communicate autonomously through standardized SBOMs. He emphasizes the importance of flexibility in approaching software security and compliance, highlighting that CycloneDX represents a mix of existing SDLC and software asset management lifecycles.

As they wrap up their discussion, Steve mentions Project Koala, which is taking a similar approach to CycloneDX. He encourages listeners to join the community work, highlighting that it’s free for anyone to participate. Viktor shares his enthusiasm for the project, emphasizing the potential for standardized SBOMs to transform the way we communicate software information.

Overall, this episode of Nerding Out With Viktor offers a thought-provoking conversation on the future of software security and compliance, showcasing Steve Springett’s expertise and vision for a more standardized approach. As listeners tune in, they’ll gain valuable insights into the importance of standardization in software communication, the challenges and opportunities surrounding multiple SBOMs, and the innovative approaches being taken by industry leaders like Steve Springett.

Key topics covered:

  • Steve Springett’s journey into SBOMs and CycloneDX
  • Differences between CycloneDX and SPDX
  • The role of provenance in software supply chains
  • The future of SBOMs and their importance in cybersecurity compliance
  • Introduction to O-BOMs (Operational Bill of Materials) and how they expand the SBOM concept

If you’re working in software development, DevOps, or cybersecurity, this episode is packed with practical advice and forward-thinking insights on how SBOMs are reshaping the industry.