Viktor Peterson, co-founder of sbomify and CISA SBOM working group member, discusses the growing importance of Software Bills of Materials (SBOMs) in the context of the EU's Cyber Resilience Act (CRA) — described as a 'GDPR moment' for the industry. He argues SBOMs should be treated as operational tools rather than compliance chores, enabling automated security audits, license management, and CVE triage via VEX files. Key practices include generating SBOMs from high-quality lock files using ecosystem-specific tools, integrating generation into CI/CD pipelines with digital signing, and using the Transparency Exchange API (TEA) for vendor-neutral artefact discovery. The conversation also covers the recent Trivy compromise, where infostealers were embedded in releases, highlighting the need to pin dependencies to commit hashes and use short-lived OIDC credentials instead of long-lived tokens.
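As an added illustration of two of the practices summarised above (building an SBOM from a lock file, then triaging scanner findings with a VEX document), the following Python was written for this page; it is not code from sbomify, the podcast, or any SBOM tool. It assumes the npm package-lock.json v3 layout and the CycloneDX 1.5 JSON shapes for SBOM components and VEX `vulnerabilities[].analysis` statements; the lock file, the findings and the VEX are constructed sample data, and the CVE-0000-... identifiers are placeholders, not real vulnerabilities. In a real pipeline the SBOM would come from the ecosystem's own generator, but the mapping is the same: one component per lock entry, identified by purl, carrying the lock file's integrity hash.

```python
"""Added example: lock file -> minimal CycloneDX SBOM -> VEX-driven CVE triage.
Not from the podcast or sbomify; sample data below is constructed."""
import base64
from urllib.parse import quote

# Constructed sample: the relevant parts of an npm package-lock.json (lockfileVersion 3).
# Package names are fictitious; integrity values are deterministic dummy digests.
SAMPLE_LOCK = {
    "name": "demo-app", "version": "1.0.0", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/fast-parse": {
            "version": "1.3.0",
            "resolved": "https://registry.example.invalid/fast-parse-1.3.0.tgz",
            "integrity": "sha512-" + base64.b64encode(bytes(range(64))).decode(),
        },
        "node_modules/@acme/widget": {
            "version": "2.1.0",
            "resolved": "https://registry.example.invalid/widget-2.1.0.tgz",
            "integrity": "sha512-" + base64.b64encode(bytes(64)).decode(),
            "dev": True,  # dev-only dependency, recorded as an optional component
        },
    },
}

# SRI algorithm prefix -> CycloneDX hash algorithm name.
SRI_ALG = {"sha256": "SHA-256", "sha384": "SHA-384", "sha512": "SHA-512"}


def npm_purl(lock_path, version):
    """'node_modules/a/node_modules/@s/b' + version -> 'pkg:npm/%40s/b@version'.
    The purl spec percent-encodes the '@' of a scoped namespace."""
    name = lock_path.rsplit("node_modules/", 1)[-1]
    if name.startswith("@"):
        scope, _, pkg = name.partition("/")
        name = quote(scope, safe="") + "/" + pkg
    return f"pkg:npm/{name}@{version}"


def integrity_to_hash(integrity):
    """SRI string 'sha512-<base64>' -> CycloneDX {'alg': ..., 'content': <hex>}."""
    alg, _, b64 = integrity.partition("-")
    return {"alg": SRI_ALG[alg], "content": base64.b64decode(b64).hex()}


def lock_to_sbom(lock):
    """Build a minimal CycloneDX 1.5 JSON document from the lock file."""
    root = lock["packages"][""]
    components = []
    for path, entry in lock["packages"].items():
        if path == "" or entry.get("link"):
            continue  # root package and workspace symlinks are not third-party components
        purl = npm_purl(path, entry["version"])
        components.append({
            "type": "library",
            "bom-ref": purl,
            "name": path.rsplit("node_modules/", 1)[-1],
            "version": entry["version"],
            "purl": purl,
            "scope": "optional" if entry.get("dev") else "required",
            "hashes": [integrity_to_hash(entry["integrity"])] if entry.get("integrity") else [],
        })
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "metadata": {"component": {"type": "application", "name": root["name"],
                                   "version": root["version"]}},
        "components": components,
    }


# Constructed scanner findings (what a CVE scanner matched against the SBOM's purls).
SAMPLE_FINDINGS = [
    {"ref": "pkg:npm/fast-parse@1.3.0", "id": "CVE-0000-00001"},
    {"ref": "pkg:npm/fast-parse@1.3.0", "id": "CVE-0000-00002"},
    {"ref": "pkg:npm/%40acme/widget@2.1.0", "id": "CVE-0000-00003"},
    {"ref": "pkg:npm/ghost-lib@9.9.9", "id": "CVE-0000-00004"},  # not in the SBOM at all
]

# Constructed CycloneDX VEX: the vendor's statements about the findings above.
SAMPLE_VEX = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "vulnerabilities": [
        {"id": "CVE-0000-00001",
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
         "affects": [{"ref": "pkg:npm/fast-parse@1.3.0"}]},
        {"id": "CVE-0000-00003",
         "analysis": {"state": "not_affected"},  # no justification: do not trust it
         "affects": [{"ref": "pkg:npm/%40acme/widget@2.1.0"}]},
    ],
}

CLOSED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def triage(sbom, findings, vex):
    """Map (purl, vuln id) -> 'suppressed' | 'open' | 'not_in_sbom'.
    A not_affected statement only closes a finding when it carries a justification."""
    known = {c["purl"] for c in sbom["components"]}
    statements = {(a["ref"], v["id"]): v.get("analysis", {})
                  for v in vex.get("vulnerabilities", []) for a in v.get("affects", [])}
    result = {}
    for f in findings:
        key = (f["ref"], f["id"])
        if f["ref"] not in known:
            result[key] = "not_in_sbom"
            continue
        analysis = statements.get(key)
        if analysis is None or analysis.get("state") not in CLOSED_STATES:
            result[key] = "open"
        elif analysis["state"] == "not_affected" and not analysis.get("justification"):
            result[key] = "open"
        else:
            result[key] = "suppressed"
    return result


if __name__ == "__main__":
    bom = lock_to_sbom(SAMPLE_LOCK)
    for key, status in sorted(triage(bom, SAMPLE_FINDINGS, SAMPLE_VEX).items()):
        print(status.ljust(12), *key)
```

The point of the `not_in_sbom` bucket is that a scanner finding that does not map to a component in the signed SBOM is a data-quality problem to investigate, not a CVE to patch; and refusing to honour an unjustified `not_affected` keeps the VEX file from becoming a silent suppression list.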

37m read time. From infoq.com
Table of contents

Sponsored by Guardsquare
Transcript
SBOM Enforcing Legislation [02:24]
Developers Should Care About SBOMs Too [05:51]
SBOMs Might Seem Similar to Compliance Frameworks [08:00]
How to Tackle the SBOM Generation Challenge [09:53]
Start with the Inventory of Your Direct Dependencies [14:32]
SBOM Generation Should Be Part of the Pipeline [16:27]
TEA Provides In-Depth Build Information to Consumers [21:31]
What Would Regulators Check For? [25:41]
What Tools to Use? [28:06]
SBOMs Might Be First-Class Citizens in the Future [31:12]
Even Security Tools Can Be Compromised [34:39]
About the Author
