EP 40 — Steve Springett on Solving Software Supply Chain Security and SBOM Challenges

In this episode of the Future of Application Security, Harshil speaks with Steve Springett. They discuss the broad definition of what software supply chain security is, the implementation of SBOMs after the White House's Executive Order, and how organizations can effectively adopt, operationalize, and use SBOMs. They also discuss the biggest drivers for better software supply chain security, why you need to manage more than just vulnerabilities, and how organizations can start chipping away at their software security chain problems.

Topics discussed:

• Steve's broadly encompassing definition of software supply chain security.
• How organizations scrambled to adopt and operationalize SBOMs after the White House's Executive Order, and why Steve started SCVS (OWASP Software Component Verification Standard) as a response. 
• Why software supply chain security goes beyond just understanding and addressing your vulnerabilities, but should include knowing your inventory, and the pedigree and provenance of your assets.
• Why SBOMs have suddenly gained in popularity, likely because of supply chain attacks and breach fatigue and the need for better solutions.
• What to do with an SBOM: how do you share it, how can you request it at scale, how can you analyze it, and what do you do with it once you have it.
• How to address the vulnerabilities that are listed in an SBOM that will remain unexploitable, and how to ensure the customer experience isn't negatively impacted by that list.
• How machine learning may play a role in better understanding risk across the software supply chain.
• Why capitalism and customer demand will be the biggest driver in pushing forward advancements in software supply chain security.