The Evolution of SBOMs at OwnersBox

2025-06-03

Jason Smith

I gave a presentation at the CISA SBOM Community Weekly Meeting yesterday where I shared how we approached SBOMs in my latest role at OwnersBox. SBOM adoption here was driven by a real need rather than by the wish to check a box on some regulatory or compliance framework requirement (those checkboxes later became an added benefit).

In my presentation I covered:

😱 The real-world incident that triggered our SBOM journey

πŸ› οΈ How we built and automated SBOMs into our pipelines

πŸ“ Custom tooling to turn raw SBOMs into actionable insights

✨ The impact on risk, compliance and development culture

🧐 Where I see SBOMs going next: towards secure and trustworthy software transparency

During the presentation, I also shared a fun (and slightly chaotic) story from the technical due diligence process during the acquisition of the first startup I worked at.

Back then, SBOMs didn’t exist, so I had to compile a list of all the third-party software we were using by hand. And since the team wasn’t yet aware of the potential acquisition, I had to do it somewhat quietly.

What followed was a week or two of digging through git repos and build files, piecing everything together manually. 🤯

It really drove home how far we’ve come and how valuable structured, automated SBOMs are today.

I hope it helps others working to operationalize software transparency in their organizations and highlights that the real value goes far beyond simply checking a box for regulatory or compliance framework requirements.

Thanks again to Allan Friedman, PhD, for the invite and for continuing to bring the SBOM community together and promote software transparency.

👉💬 Curious to see the full deck? Comment “SBOM” and I’ll DM you the Google Slides link.

#SBOM #SoftwareSupplyChain #DevSecOps #AppSec #CyberSecurity #CISA #Startup #SoftwareSecurity #OpenSourceSecurity #SecurityEngineering #SoftwareTransparency #SecureByDesign #SupplyChainSecurity

This post was originally published on LinkedIn.