Improving The Trust In The Software Supply Chain

All Posts

A few weeks ago I was interviewed on the DevSec For Scale Podcast on the subject of securing the software supply chain.

The main topic covered was the SBOM – what is it, what is it for, and how to utilize it to increase your visibility, agility, and responsiveness in the face of a vulnerability.

The main ingredient I feel is missing from a lot of security schemes today is the check for integrity – between the final image or product and the SCM, as well as between packages and dependencies you intend to use, and what you’re actually using.

That ever-growing dependency tree is one of the reasons I strongly encourage everyone to use an SBOM in the first place.

I hope it’s as entertaining as it is educational.