The Growing Importance of Software Bills of Materials (SBOM)
Nov 29, 2023
Max Mehl and Sebastian Wolf discuss the importance of Software Bills of Materials (SBOMs), including license compliance, export control restrictions, and risk management. They highlight the challenges faced by organizations in implementing SBOMs and the growing significance due to legal requirements and security reasons. The difference between SBOM and SPOD is also explored. Additionally, the podcast covers approaches to SBOM management, including proprietary solutions and open-source tools.
Software Bills of Materials (SBOMs) are crucial for managing software components, ensuring legal compliance and addressing security vulnerabilities.
Open-source components play a vital role in SBOMs, helping organizations comply with licenses, improve open-source management, and guide investment decisions.
Deep dives
The Importance of SBOMs in Managing Software Components
SBOMs, or software bills of materials, are crucial for managing software components, particularly open-source components, in various products and services. By analyzing and clearing these components, organizations can ensure legal compliance and address security vulnerabilities. While SBOMs are not a universal solution, they serve as a means to an end, providing insights into supply chain management and better open-source management. Collaboration and communication among stakeholders, including engineers and different parts of the organization, are essential for implementing SBOMs effectively. Joining discussions in forums like the Open Source Security Foundation, SPDX, and CycloneDX can contribute to the development of SBOM standards and the sharing of best practices.
The Relevance of Open Source in SBOMs
Open-source components are widely used in software products, making them integral to SBOMs. Organizations must manage their use of open-source components, ensuring compliance with legal requirements, giving credit to authors, and managing licenses. Open-source tools and services facilitate SBOM creation and management. For instance, the OSS Review Toolkit (ORT) and other community offerings provide support in generating SBOMs. SBOMs aid not only in complying with licenses but also in improving open-source management. They help identify the most used open-source components, allocate resources effectively, and guide investment decisions. Open source contributes to SBOMs by providing solutions to challenges and fostering community engagement.
Challenges and Discussions in SBOM Implementation
Implementing SBOMs presents challenges, such as the diverse requirements and the unique implementation needed for each organization. Standardization efforts are ongoing, with initiatives like SPDX and CycloneDX providing specifications for SBOMs. However, the main challenge lies in how organizations can integrate SBOMs into their software development lifecycle. It requires defining minimal requirements based on specific needs, avoiding bloating standards with unnecessary details. Discussions and collaboration are essential to address real-life experiences, adapt SBOM generation and consumption, and tailor solutions to individual organizations' processes. Engaging with communities in organizations like the Open Source Security Foundation enables collaboration and convergence towards better SBOM practices and standards.
SBOMs at SAP and Deutsche Bahn
SAP and Deutsche Bahn have been actively working on SBOM management. SAP has a history of managing SBOMs, combining proprietary and open-source solutions like Eclipse SW360. SAP is focused on unifying its SBOM solutions to ensure compliance with legal requirements and to address license, export control, and security vulnerability management. At Deutsche Bahn, SBOM management is interdisciplinary, involving security engineers, open-source specialists, and project managers. Implementing SBOMs varies across organizations, and the challenge lies in standardizing processes, workflows, and tools. Deutsche Bahn faces unique challenges in managing software, hardware, and operations components. The journey towards effective SBOM implementation and management is ongoing.
In this episode, our host Karsten Hohage talks to Max Mehl and Sebastian Wolf about Software Bills of Materials or SBOMs. An SBOM is a detailed record of all components within a software application, including open-source libraries, third-party dependencies and licenses. Max and Sebastian discuss the importance of SBOMs as well as some challenges and unanswered questions of the state of the art. They also speak with Karsten about SBOMs within SAP and Deutsche Bahn and the importance of SBOMs when it comes to open source.
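To make the "record of components, dependencies and licenses" concrete, here is an added example (not code from the podcast, SAP or Deutsche Bahn) that consumes a CycloneDX SBOM and reports components that cannot be checked: missing package URL, missing license data, or a license outside an assumed allowlist. The SBOM and the allowlist are constructed for illustration.

```python
import json

# Constructed sample SBOM in CycloneDX JSON form: one fully described component,
# one copyleft-licensed without a purl, one with no license data, one using an SPDX expression.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "readline", "version": "8.2",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "leftpad", "version": "1.0.0",
         "purl": "pkg:npm/leftpad@1.0.0"},
        {"type": "library", "name": "dual", "version": "0.1",
         "purl": "pkg:pypi/dual@0.1",
         "licenses": [{"expression": "MIT OR GPL-2.0-only"}]},
    ],
})

# Assumed policy (hypothetical): licenses accepted without legal review.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}


def component_licenses(component):
    """SPDX identifiers declared for one component. CycloneDX permits either
    {"license": {"id"|"name": ...}} entries or one {"expression": ...};
    an expression is split on its operators so each identifier is checked."""
    ids = set()
    for entry in component.get("licenses", []):
        if "expression" in entry:
            tokens = entry["expression"].replace("(", " ").replace(")", " ").split()
            ids.update(t for t in tokens if t.upper() not in {"AND", "OR", "WITH"})
        elif "license" in entry:
            ids.add(entry["license"].get("id") or entry["license"].get("name", "UNKNOWN"))
    return ids


def audit_sbom(sbom_json, allowed=ALLOWED_LICENSES):
    """Map 'name@version' to findings: 'no-purl' (component cannot be matched
    against vulnerability databases), 'no-license', or 'needs-review:<id>'."""
    findings = {}
    for comp in json.loads(sbom_json).get("components", []):
        issues = ["no-purl"] if "purl" not in comp else []
        ids = component_licenses(comp)
        if not ids:
            issues.append("no-license")
        issues.extend(f"needs-review:{i}" for i in sorted(ids - allowed))
        if issues:
            findings[f"{comp['name']}@{comp.get('version', '?')}"] = issues
    return findings
```

Calling `audit_sbom(SAMPLE_SBOM)` leaves `requests` out of the report and flags the other three components; a real deployment would feed the `no-purl` list back to whoever generates the SBOM, since those entries cannot be matched against vulnerability databases.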
Guests:
Max Mehl
Max has been committed to free and open-source software for many years. He is responsible for all aspects of open source at DB Systel. In this role, he supports Deutsche Bahn in using and contributing to open source professionally. He previously worked for the Free Software Foundation Europe (FSFE), where he coordinated initiatives such as REUSE and “Public Money? Public Code!”. He is a board member of FSFE and F-Droid and is involved in several projects as a maintainer.
Sebastian Wolf
Sebastian is a development architect and has worked for the SAP OSPO since the beginning of 2020. He first joined SAP in 2003 as a student and has since worked in several development positions at, for example, SAP SRM, ABAP Development Tools, the SAP Community Network, and Central Architecture. He was engaged in the Corona-Warn-App project as a community manager from the very beginning and is now coordinating open-source consumption topics in the SAP OSPO.