Episode 109: SBOMs and Project Health with Brittany Istenes

10 snips

May 1, 2025

Brittany Istenes, a FINOS Ambassador with expertise in open source compliance, joins Senior Data Scientist Cali Dolfi to explore crucial issues in software security. They discuss the alarming rise of malicious packages and the vital role of Software Bills of Materials (SBOMs) in safeguarding open source projects. The duo highlights challenges in standardizing SBOM formats and the necessity of assessing project health. They also provide practical steps organizations can take to mitigate risks and improve community engagement.

Ask episode

AI Snips

Chapters

Books

Transcript

Episode notes

INSIGHT

Rise of Malicious Open Source Packages

Malicious open source packages increased by 700% in two years, exposing software supply chains to attacks.
Only about 10% of 7 million yearly packages are actively maintained, making careful selection critical.

INSIGHT

SBOM Standardization Challenges

Lack of consensus on SBOM fields and formats hampers clear standardization.
Including upstream repository links in SBOMs enables better analysis of project health.

INSIGHT

Historical Purpose of SBOMs

SBOMs originated for license compliance to track obligations and copyrights.
They are akin to food labels, showing software ingredients and revealing potential "allergens" to companies.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Thank you to the folks at Sustain for providing the hosting account for CHAOSSCast!

CHAOSScast – Episode 109

In this episode of CHAOSScast, host Georg Link is joined by Cali Dolfi, Senior Data Scientist at Red Hat, and Brittany Istenes, FINOS Ambassador. The discussion delves into the importance of measuring open source community health and the role of Software Bill of Materials (SBOM) in ensuring software security and compliance. They talk about the rising threats in open source software, the need for standardizing SBOMs, and how organizations can leverage these tools to proactively manage risks and project health. Also, they touch on practical steps being taken at Red Hat and other organizations to address these challenges. Hit download now to hear more!

[00:00:21] Our guests introduce themselves and their backgrounds.

[00:01:55] Georg explains the rise of malicious packages (700%) and the risks of neglected open source components.

[00:04:36] What is a SBOM? Brittany explains SBOMs as a list of all software components and libraries in each application and automation and tooling adoption is discussed.

[00:06:08] Cali outlines the lack of consensus on SBOM fields and formats and advocates for including upstream repo links to assess project health. Brittany mentions companies being cautious about publicizing SBOMs due to IP concerns.

[00:09:12] Georg gives a historical overview about SBOMs began as tools for license compliance and how SBOMs now cover more including cybersecurity, post U.S. Executive Order 14028 (May 2021).

[00:15:51] Georg shares three pillars of SBOM strategy: License compliance, Security, and Project Health and how CHAOSS Metrics can be combined with SBOMs to move from reactive to proactive strategies.

[00:16:59] Brittany emphasizes risk analysis and good design from project inception and proactive open source strategies save effort later.

[00:18:43] Cali talks about using project health metrics and advocates for tracking maintainer activity, patch frequency, and project responsiveness.

[00:21:28] Brittany stresses internal engineering education on project health and risk and developer smush understand what makes a project “healthy.”

[00:22:55] Georg talks about how open source has evolved and details using CHAOSS metrics for risk assessment and CI/CD integration.

[00:27:36] Cali shares Red Hat’s efforts to define what makes a project vulnerable and how it’s focused on detecting and sunsetting unmaintained dependencies.

[00:31:37] Brittany emphasizes risk from version mismatches and misinterpreted CVEs and mentions a CHAOSS doc to read, “Metrics for OSS Viability” by Gary White.

[00:34:17] We end with Georg sharing some upcoming events: CHAOSScon North America, June 26 and Open Source Summit North America, June 23-25.

Value Adds (Picks) of the week:

[00:36:08] Georg’s pick is building a platform for his dog to look out the window.
[00:37:06] Brittany’s pick is spending time with Georg and Cali.
[00:38:12] Cali’s pick is her great support system since having ACL surgery.

*Panelist: *
Georg Link

Guests:

Cali Dolfi

Brittany Istenes

Links:

CHAOSS

CHAOSS Project X

CHAOSScast Podcast

podcast@chaoss.community

Georg Link Website

Britany Istenes LinkedIn

Brittany Istenes GitHub