Podcast
Join Viktor, a proud nerd and seasoned entrepreneur, whose academic journey at Santa Clara University in Silicon Valley sparked a career marked by innovation and foresight. From his college days, Viktor embarked on an entrepreneurial path, beginning with YippieMove, a groundbreaking email migration service, and continuing with a series of bootstrapped ventures.
Links
Follow Me
Follow Me
Join Viktor, a proud nerd and seasoned entrepreneur, whose academic journey at Santa Clara University in Silicon Valley sparked a career marked by innovation and foresight. From his college days, Viktor embarked on an entrepreneurial path, beginning with YippieMove, a groundbreaking email migration service, and continuing with a series of bootstrapped ventures.
Nerding Out on Software Supply Chain Security with ITSPmagazine's Sean Martin
Play On
17 AUG • 2025
0 mins
Share:
Sean Martin’s journey into software security spans over three decades, but his latest focus, software supply chain security, feels more relevant than ever. As co-founder of ITSPmagazine and a veteran of countless product launches at Symantec, Sean brings a rare operational lens to security.
In this crossover episode of Nerding out with Viktor, recorded live at Hacker Summer Camp, Sean joins me to unpack what’s changing in the security landscape, from SBOM adoption to the increasing pressure from regulations like the CRA. We explore how supply chain security is becoming table stakes, how transparency is replacing vague claims (“saying you’re secure means absolutely nothing”), and why SBOMs are evolving into real-time operational assets rather than static compliance artifacts.
The conversation dives deep into practical workflows, from integrating SBOMs in CI/CD to refactoring legacy systems and building AI-powered developer agents. We discuss why automation and guardrails are critical when working with LLMs, and how engineers may soon supervise fleets of purpose-built agents instead of writing every line of code themselves.
From fish tank hacks to IoT compliance theatre, the episode is full of examples where security promises break down without real architecture behind them. Sean’s three decades of experience shine through as he connects historical patterns to current challenges, showing how the fundamentals of good security architecture remain constant even as the tools and threats evolve.
Transcript
Show/Hide Transcript
Viktor, fancy meeting you here.
Small world.
I haven't seen you in a few weeks.
It's been a few weeks.
Yes.
Other side of the pond.
Outside of the pond.
It was Barcelona.
And London.
And London, that's right.
I forgot about London.
I just bumped into you there as well.
It was a bump in moment.
Yes.
Yeah.
But I got to meet you in Barcelona.
That's right.
Upside Europe.
I appreciate you and what you do and how you think, even in the short period of time we had to chat.
So I'm excited to see you in Vegas.
Likewise.
No, it's.
We've been talking about doing a cross show episode.
You talk about you, what you're doing.
I tell you what I'm doing.
Yes.
But while we're here in Vegas.
Hacker Summer Camp, Black Hat, DEFCON, all the other.
All the other fun stuff going on here.
Yes, we'll do a little.
Little recap of some of those things.
Let's do it.
So for my audience.
Yes.
A bit of background yourself.
Yes.
So my name is Viktor Petersson.
Done a few startups over the years.
My most recent company is an SBOM artifact platform to manage the lifecycle SBOMs called sbomify.
That's what I'm working on now.
And I've emerged myself into the world of SBOMs for a year and a half or so by now and really started nerding out about these JSON files that really shouldn't be exciting.
But it's what you could do with them.
It's what you can do with them.
But it enables.
It's exciting.
Not so much to file themselves.
So that's what I've been doing.
And I got a podcast.
This is a crossover called Nerding Out with Viktor, that you can find on all platforms where I interview basically my list of every episode is like, would I watch this myself?
And so it's all people in the security world, tech world, have had the leaders in SBOM world.
I had people from all walks of life in tech and just nerd out with them for an hour or video.
And.
Yeah, and people seem to like it.
So that's.
That's brief [story] for myself.
My backstory.
Yeah, nice one.
So I'll do the same for you.
Yeah, do for you.
Yeah.
So I have a bit of gray hair.
30 plus years tinkering in cybersecurity and some IT in there as well.
Building apps, securing apps, taking them to market, and now I talk about all that stuff.
That's why we're here.
I don't know how many hundreds of products I brought to market with Symantec and then I went to a few startups to do the same.
And yeah, I think the thing I like to say is Symantec bought a lot of companies and products.
Yes, I built the homegrown stuff.
Very few things got built inside.
Right.
But the ones that did were you.
Had the fun of doing that, which a lot of challenges getting budgets and teams and anyway, it was a lot of fun.
Great experience.
And I have, I think, like a project manager.
Everything looks like a project.
Yeah, yeah.
And so that serves me well on some of the things that I talk about on my podcast, which my co founder, Marco and I started its magazine 11 years ago here at Black Hat.
That's a long time ago.
That was a long time ago.
You produce a lot more than I have by now.
I think I have.
Well, there's 300, just shy of 300 on.
On the new platform and then I had maybe 100 on the previous platform.
That's a lot of content.
Yeah.
And almost 3,000 across all the shows.
Oh, wow.
So a few episodes to listen to there.
A few more than I have.
It's a lot of work, as you know.
Yes, it is.
But I, on my show, I. I look at things operationally so as a project, as a program, and how do we take cool security technologies and enable teams to get the value out of those things in a way that supports the business objective.
So I'm talking to CISO.
I'm not one.
I talk hopefully speak well to CISO and I'm not doing the speaking.
I have guests on who have been CISOs or look at risk or look at whatever and help them hopefully educate or at a minimum make people rethink how.
It's the outside view.
Right.
It's like you're looking at stuff from different angle and repackaging it.
Yeah.
So I have a vision that security can actually make the business better.
Oh, I am strong believer in that.
Not just be a cost center that protects the business.
Timely, yeah, I think that's really.
We have seen a shift driven largely by regulation, I would argue in the last year we spoke, whether it's Barcelona, right?
Where security no longer is a nice job, it's shifting to a must have from a regulatory perspective.
Particularly you see that in Europe right now with CRA coming through.
That's a big driver.
And kind of looping that back.
What we're saying here to like SBOMs.
Right.
It's like I see a world where in the coming years, SBOMs will be the vehicle that would be part of all the compliance frameworks.
So like tying into what you're saying about security not being a nice tab, security being not a tick box, but it's a mandatory thing that you do and once you get that, it becomes operational and that's important.
Certainly from a marketing perspective, we've seen it shift from we're not going to share anything that we do with security to we want to expose.
We're not that demonstrate that we do things properly, whatever that means as a differentiator.
So market advantage.
That has always been the problem with security.
I've spoken about this in one model company, Screenly, we've had it as we spoke about security a lot.
So what a company do secure signage and we talk this a lot because every single company out there, they will say they're secure.
But what does that mean?
Saying they're secure means absolutely nothing.
No single company out there will say were insecure.
Right.
So quantifying that and that transparency element of that is so important and forcing that you can see things like Secure by Design.
There's a meet up here tonight in Vegas about Secure by Design.
But these vehicles are driving change to the industry and I think that's super important.
And it goes from what does my operations look like?
Am I building, picking the right software to run the business?
Am I building right software to run the business?
Am I monitoring all that?
Am I responding properly and in time?
Are we going to be in business tomorrow or are we going to hit.
How your supply chain looking?
How's your software supply chain looking?
It's not a trivial problem.
Right.
And there are definitely companies out there that are proactive about this, that are really doing a good job.
But this will not change without a regulatory change.
Right.
And the compliance change.
Right.
Because security is market failure.
That's it.
It's never gonna solve itself without a legal push.
So I think that's why it's really timely to do all these security conversations because we're finally starting to see the tide turning and it's actually becoming.
And I see this firsthand in Screenly, the conversation you're having are so different today than five years ago because people ask the right questions.
They never used to do that.
And that's a very good thing, I think.
Yeah.
And one of the things I'm interested in your perspective on what you've seen just being here the last couple days.
I know you haven't been black hat proper, but you're heading to DEFCON soon.
So I want to give your perspective on that.
But some of the things we.
Mark and I did an episode webinar, kind of predicting what might we see in here.
And of course, we couldn't avoid generic.
AI, of course, mandatory buzzword.
Now we take that off for this episode.
Unavoidable, one thing, and certainly that was part of pretty much every conversation.
I just recorded the session looking at that and my other guest, Ginny, his perspective was we really need to be focusing on securing AI.
And I was telling him, I'm sure there are vendors here.
I didn't cross them this week, but I'm sure there are vendors here that do that.
I know there are.
I didn't have a chance to talk to them.
A lot of what I saw was how to use AI to secure the business and make security operations better.
And it ranged from very specific.
I have this task.
I can automate some agent or micro agent to I've built a platform where you can do anything you want, run multiple LLMs, create multiple agents, orchestrate that stuff however you like.
So a wide range of what's possible.
And the point I want to make with that is what's inspiring to me is that AI, in my sense or my view, allows us to explore.
Yes, allows us to explore in a fairly safe way.
I think we can set up environments to see by pulling this lever, creating this thing, attaching that data, orchestrating sort of, we can look at different ways to solve a problem that we may have solved previously using old technologies or bound to legacy systems that prevent us from doing certain things.
So I just have this view that we can take a step back and rethink how we're running the business, how we deploy all of these systems and how we deploy the data and where it's located and how we segment it and.
And how we put policies around that and how we protect it and detect and monitor all this stuff.
Every element of that can be rethought and potentially in a way that's not too disruptive.
Yeah.
I mean, there's so much to unpack in that.
Right.
Because first of all, like, we have never lived through a time where it's cheaper, easy to produce code of various quality.
Right.
Work with any of these LLMs.
I best describe it as you work with a bipolar person and it's simultaneously the most intelligent person you ever met and the most stupid person you've ever met, and you never know who's going to reply.
And that's how I see work with these tools.
Right.
And what that means is that we can Generate so much code so quickly and we can do prototypes so quickly and that's fantastic.
And you can solve internal problems and internal.. you can build internal applications that were not cost effective priority.
So you can solve very niche problems for internal problems.
That's fantastic.
The problem is when you try to productize those and put them on the public Internet and you like if you haven't put the right guardrails in place.
Cause that's really where it comes.
It's kind of ties full circles to supply chain security.
Right.
Because these LLMs will happily just chuck in anything in there.
And they will depends what they're trained on too.
Sure.
I mean they're trained on GitHub and GitHub is full of both ridiculously good code, a ridiculously bad code.
Right.
So putting those plumbing framework in place is so paramount to getting a good outcome.
And I've played a lot with these tools over the last year and that's what I keep going back to.
Like you need to start with the guardrails.
Like if you start with the guardrails and you get that right, then you can start doing intertechnics and you can do.
Well, because you're not going to fall off the cliff.
No, exactly.
But like give you very stupid example package management.
These LLMs like they will happily just edit your log files and just like inject crap in there and you're like hold on a second.
Like I didn't, I don't want you to deal with package manager.
There are package managers to do this and they work better for other reasons.
Like how do I know?
Like when you ask to add a package, it will add an old version for instance which is probably vulnerable to issues.
Right.
So.
So again coming down to this guardrails to do righ,
and building the blueprints in a, basically the blueprint that you would do when you would by yourself but you do it in.
You have to basically force the agents to actually do that for you.
So I think there's obviously it's a fantastic time to build software and it's amazing what these tools can do.
This is just the beginning of course.
What how old is like these tools like Cursor and these tools they're like two years old, if not right.
And the trajectory, how we've changed how we work with these tools are fantastic.
They're so fast.
And we are definitely seeing a world where.
And I envision a world at least it's a bit of tangential but where every engineer that I have, we'll have five 10 agents working for them.
The way they become a supervisor of these agents rather than ICs per se, that's something that you have an agent for security.
You have an agent for ux.
Well, agent for design.
And they will combine together and work as a team essentially.
And then an engineer will actually supervise them.
That's the way.
I mean.
Yeah, well, I guess it is.
But like it's structured vibe coding.
Yeah.
Perhaps vibe coded with guardrails.
Yeah.
I think it's interesting because we'll see a lot of these capabilities.
I mean we see it now with services and APIs.
Right.
It's just the next level of that.
Yes.
But at scale and because everything will be so small and purpose built, we'll use more of these things to do bigger and better things.
Yeah.
And the engineer kind of picking and choosing and guiding and orchestrating to achieve something that is pretty cool, I would imagine.
I mean I expect throughput and output of engineers to like 10x.
Right.
Every engineer will 10x their output because all the busy work is there.
They become architects.
So they just.
Here are the big picture we need to accomplish from a business logic perspective.
Don't really care about the small details whilst having other agents to do code audits and security audits and making sure that no silly mistakes are being done there.
Like you don't have xss and you have like other silly security mistakes that these LMS will happily do for you because they solve the problem as quick as possible.
Right?
Yeah.
So that whole.
This might be a rabbit hole, but anyway, the whole development life cycle, perhaps there's a way to bring in some checks and balances where you're using multiple things to validate and check and test.
But not only that, they're also fantastic to refactor legacy code.
Right.
Because that's in the enterprise world in particular, the enterprise do not live in the JavaScript world where every framework has a three month life cycle.
Right.
After three months you have to rewrite everything because it's not cool anymore.
These enterprise applications, they have a 15, 20 year life cycle.
Rewriting that is not a trivial matter.
Right.
It's a lot of busy work.
But these tools, resilience is paramount.
Yeah, exactly.
Right.
So.
But these tools can help with that.
The refactoring and update.
So I think that's the life cycle there.
And I hope the world is moving towards a more longevity framework and thinking of software and life cycle of.
Let's not just fix this right now with a single JavaScript update.
Just picking on JavaScript world because the JavaScript world tends to be the one where things churn quickest.
Right.
But so I think that's hopefully what we'll see here with more people thinking more about longer life cycles.
So I want to make one more comment on this and you can chime in, of course, but kind of the guardrails thing.
The other thing I pulled from this past few days is don't necessarily chase this new world and forget that you do have legacy stuff.
And so there was, I heard a few times, don't forget the basics.
Right.
Kind of along the guardrails thing.
Yes, yes.
And I think it wasn't in the context of while you're doing AI, don't forget the basis.
But I think it's important.
But it's.
Don't at the.
Don't take investments to secure AI and forget that you didn't get approval for budget to segment your network.
It's still flat or whatever.
Right?
Yeah.
Right.
So I think there's a message there for CISOs to say don't forget your real role.
Yeah.
In protecting the business, not just the next thing that's coming.
So sprinkling AL on garbage in, garbage out.
The end of the day.
Right.
If sprinkling AI on garbage is still garbage.
Right.
So you still need to do the fundamentals.
Right.
And be guardrails on the network or be guardrails in your software.
There.
There's still guardrails.
Right.
Doing new LMS might help you solve for those problems, but you as an architect must think still know what you're solving for and those must be business objectives that you're solving for.
More so than sprinkling the latest cool tool about.
Right?
Exactly.
We easily get.
We easily get caught up in hype cycles.
I know.
And it's important to take a step back to your point.
It's just like what are we actually trying to solve for?
And I think that's where we need to go back to basics in many ways.
Exactly.
So a lot of the time talks here around research, findings of vulnerabilities, findings of flaws and business logic, finding of flaws in application, whatever it is.
And even culture, even how we manage our teams gets even deeper.
Oh yeah.
When you go to defcon.
So tell me what you hope to see there.
Is it going to be all AI in there too?
Because I've read villages with the aerospace village, ics, I mean, which is a lot of hardware.
I have a software for social engineering and lock picking.
I mean that.
Because that's.
That's really, AI doesn't change that.
It makes like deep fakes and stuff like that easier.
But humans tend to always be the weakest link and like you can find vulnerabilities, that's fine.
But if you look at many of the attacks, the humans are the weakest link.
And to your point about culture, that's culture security is culture security software can help you mitigate that.
But training and culture is a DNA in the culture that you must get.
Right.
And it's very difficult, you're at school scale, but you need to get it in right early.
Right.
And I think that's why I love coming to DEFCON, because it really, it makes you challenge assumptions.
Yes.
And that's.
There are talks about hacking AI and hacking LLMs, jailbreaking, all that stuff you expect.
Right.
But I love the hacker mindset.
Yes.
And that's what like drinks me back to DEFCON.
It's just that lock picking is a good example.
Right.
It's just perception of security.
Locks are not secure.
Like anybody with a little bit of lock picking training can pick a lot of locks.
But we have the illusion that locks are secure being RFID lock in a hotel room or a lock at your home.
Like they're actually not that secure once you unpeel the onion.
Right.
And you see what's inside.
And that's what really gets me going back here.
It's just you go to talk, you're like, huh, Right.
Of course.
Why, at least it's an illusion.
Think about things differently based on that understanding.
That's it.
And it applies to everything.
And it's IoT security is another good example of that.
There are a lot of talk Defcon about IoT security.
It's something I've been passionate about for a long time.
I've been in the IoT space for a long time.
And IoT security is something that we haven't really.
It's always been crap.
Let's just call what it is.
Right?
It's again, a market failure.
Yes, very much so.
Again, it's a market failure.
Right.
No consumer will pay a subscription service for their smart devices.
So the security must be priced in somehow.
And that's the tricky part, Right.
And that's why putting my hat from screenly on the reality of the signage market is that much of the market is dominated by end of life Android players from China because they are cheapest, they get deployed, Google wash their hands because like, well, it's end of life.
We already told you this.
But there are no shortage of resellers out there that will happily sell you this stuff on the premise that it's secure, which in reality probably isn't.
Right.
So it security again, it's like one of those things like let's just fix it.
Like the Internet of shit has been around for too long.
Let's fix it.
Yeah.
And it touches, I mean touches every aspect.
So it gets a lot of attention Iot less ot a bit more.
But if you look at all of those, they touch pretty much everything from railroads to airlines to hotels and hospitality.
I mean I've been here where the fire alarm is going off, not because.
There'S a fire, somebody here close to death having fun.
Yeah.
I mean we're Vegas, right?
So one of my favorite anecdotes for IoT security is from Vegas.
Oh yeah.
And it's.
It was a story I don't know how many years ago.
It's quite a while.
The fish tank.
Yes, I love that story.
Right.
That story.
It's for those who haven't heard the story.
One of the casinos in here in Vegas got compromised because of a smart fish tank.
Somebody decided that they needed a smart fish tank in their casino.
They hooked up on the WI fi and if not mistaken, now attack vector was in the Bluetooth stack.
So they managed to hack the device over to the Bluetooth stack and then they could jump on the network.
So the same goes for everything IoT device.
Right?
It does.
IoT device itself may not be the target.
It's a stepping stone to the target and it can give you a persistent attack vector into the network.
And again, if these are end of life devices, which they often are, or devices with very little consideration of security in the first place.
This is good talk about this.
And like I know.
And it goes even for the compliance framework.
Right.
Like I was gonna write an op ed piece in one of the industry architectures about this.
People talk about SOC2, ISO and all these and HIPAA, all the security frameworks.
Right.
Here's the dirty secret for IoT device vendors.
You can pass all these compliance framework which a device is running Windows 95, I kid you not because none of them will actually keep check for this.
And every single or a lot of enterprise buyers will just tick the box.
Oh, they're compliant.
Compliance, tick box.
That's it.
So let's.
We need to have more savvy conversations.
Exactly.
So I think this is good shining the spotlight on this problem.
Really.
So that's why we're here.
That's why we're here.
That's why we come to.
Yeah.
And then for my audience, I think a lot of them know this already and for them it's about what's the new thing that's going to trigger me to think differently.
What's the new thing?
And oftentimes it's connected to new technologies that get deployed.
I mean, cloud, mobile, some of those things, people.
AI is the latest one and it's trying to stay on top of that change while keeping the business resilient, letting it grow, letting it innovate and kind of being part of that wave.
Yeah.
And yeah, hopefully these.
These talks and presentations give.
Yeah.
A lever.
Yeah.
Executives.
To actually say, but this is what we're seeing.
But for systems in particular.
Right.
It's signal to noise ratio.
That's a big problem.
Right, Exactly.
How can you figure out what.
Actually, you should devote your attention to this.
That's not a trailer problem.
And that's definitely somewhere AI can actually.
So I think coming back to a. Yeah.
There's always back there.
Always back to a. Yeah.
Victor, it's good to see you, man.
Likewise.
Catch up.
Catch up.
The next show.
We finally.
We finally made this happen.
We finally made it out.
We will definitely do more.
We see each other again.
I don't know where you're headed next.
Where am I heading next?
I'm not doing any conference in the next few months, so maybe the next year.
Next year.
There's rsa.
There's rsa.
Maybe I do rsa.
Oh, I. I submitted to CFP Black Hat Europe, which I think is in.
In December.
December, yeah.
So maybe.
Maybe I'll do that.
There's another Black Hat event called Sector okay.
In Toronto.
Okay, then.
Yeah.
There's always the OAS stuff.
Yes.
You know what I'm bummed about?
There is no SBOM-a-rama this year.
No, that's a conference CISA put together, which was.
I gave a remote talk last year, but I think they killed it this year because of the CISA restructuring.
Our good friend has moved on.
I think Allan Friedman has moved on.
I'm supposed to meet him sometime here.
Mr. Sbom himself.
Mr. SBOM himself.
He's doing a talk at DEFCON.
I saw him in passing and I couldn't stop him because I was recording he was here.
I know he's here.
I texted him.
I know he's here, but I haven't actually seen him yet.
But.
Yes, but that's a shame, obviously, that conference stopped.
But that was a great way for the industry to, like, compare notes and get together and just up the barn.
That's important.
I'll close my final thought in that.
We talked a lot about technology, research and risks.
And for me, ultimately, it's about what everybody's hearing.
In the background is tens of thousands of people walking by.
Yeah.
All getting together, thinking differently amongst themselves.
Sharing with each other.
Yes.
From what they heard on stage, what they're experiencing in their own world, be it personal or business or otherwise.
Oh, yeah, absolutely.
I mean, that's what we're here.
That's why we're here, and that's why challenge your assumptions.
That's it.
Perfect.
Thank you so much.
Awesome, brother.
Cheers.
Cheers, everybody.
Good.
Found an error or typo? File PR against this file or the transcript.