Posts

🔀 Convergence in SBOM Signing
🔀 Convergence in SBOM Signing

“Don’t roll your own crypto.” It’s the first rule of security engineering, and it turns out it’s ...

An Interesting and Useful Visualization for Security Teams
An Interesting and Useful Visualization for Security Teams

Zero Day Clock: https://zerodayclock.com/ The Zero Day Clock tracks how quickly ...

The SBOM Storage Tax: Optimization at Scale
The SBOM Storage Tax: Optimization at Scale

Following my last post on the “Storage Tax” of binary blob signing, I received some insightful feedback from the co...

The SBOM Signature 'Storage Tax': Money Talks 💰📉
The SBOM Signature 'Storage Tax': Money Talks 💰📉

Over the last few weeks, I’ve been deep in the weeds of technical best practices for signing SBOMs. I’ve discussed ...

🚨 Call for Feedback: A Standardized Approach to SBOM Signing
🚨 Call for Feedback: A Standardized Approach to SBOM Signing

The new benchmark by which all SBOM signing and verification tools will be judged. This Frida...

Implementing Data-Aware Signing
Implementing Data-Aware Signing

I recently argued that with SBOMs we need to stop signing the “container” (the file) and start signing the “c...