EP116 SBOMs: A Step Towards a More Secure Software Supply Chain

Topics covered:

• Why is everyone talking about SBOMs all of a sudden? Why does this matter to a typical security leader?
• Some software vendors don’t want SBOM, and this reminds us of the food safety rules debates in the past, how does this analogy work here?
• One interesting challenge in the world of SBOMs and unintended consequences is that large well resourced organizations may be better equipped to produce SBOMs than small independent and open source projects. Is that a risk?
• Is the SBOM requirement setting the government up to be overly reliant on megacorps and are we going to unintentionally ban open source from the government? 
• What is the relationship between SBOM and software liability? Is SBOM a step to this? Won’t software liability kill open source?
• How does Google prepare for EO internally; how do we use SBOM and other related tools?
• To come back to the food analogy, SBOMs are all well and good, but the goal is not that consumers know they’re eating lead, but rather that our food becomes healthier. Where are we heading in the next five years to improve software supply chain "health and safety"?