Finite State Blog

What Do You Do with an SBOM? with Dr. George Shea, Chief Technologist at FDD

Written by Ryan Owen | Feb 10, 2023 2:26:21 PM

How does SBOM offer absolutely critical visibility into the supply chain vulnerabilities of existing software deployments?  

What is the source of the push for SBOM's adoption and use and for regulators' slow walk toward requiring SBOM as a cybersecurity practice? 

Once you've adopted SBOM, what are some critical next-step SBOM considerations you should keep in mind? Hint: SBOM formats, required fields, ensuring SBOM reporting integrity, and building a mechanism to follow through on SBOM results should all be on this list.

On this episode of the IoT: The Internet of Threats podcast, we met with Dr. George Shea, Chief Technologist at the Foundation for Defense of Democracies to discuss:

  • How the SBOM offers critical visibility into the supply chain vulnerabilities of existing software deployments
  • The source of the push for SBOM's adoption and use: government or private sector? 
  • Regulators' slow walk toward requiring SBOM as a cybersecurity practice
  • The thorny questions that come with adopting SBOM: how to generate, deploy, and use an SBOM
  • Critical next-step SBOM considerations such as formats, required fields, ensuring its reporting integrity, and building a mechanism to follow through on its results
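The last bullet names the practical questions an SBOM consumer has to answer: which format, which fields are required, how to tell whether the document you received has been altered, and how to turn findings into action. The following is an added example, written for this post and not code from Finite State, FDD, or the podcast. It assumes a CycloneDX-style JSON SBOM (a constructed sample is embedded), checks it against the NTIA minimum elements (supplier, component name, version, unique identifier, dependency relationship, author, timestamp), compares a SHA-256 digest of a canonical serialisation so a modified SBOM is noticed, and cross-references components with a constructed advisory map (the advisory id is a placeholder) to produce a follow-up list.

```python
"""Hypothetical SBOM triage helper (added example, not the post's own code).

Assumptions: CycloneDX 1.4 JSON layout; integrity is a detached SHA-256 over a
canonical serialisation; the advisory map is a constructed stand-in for a feed.
"""
import hashlib
import json

# Constructed sample SBOM (not a real product or real component data).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "timestamp": "2023-02-10T14:26:21Z",
        "authors": [{"name": "build-pipeline"}],
        "component": {"name": "gateway-firmware", "version": "3.1.0",
                      "bom-ref": "pkg:generic/gateway-firmware@3.1.0"},
    },
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3",
         "supplier": {"name": "Foo Project"},
         "purl": "pkg:generic/libfoo@1.2.3", "bom-ref": "pkg:generic/libfoo@1.2.3"},
        # Deliberately missing a supplier so the minimum-element check reports it.
        {"type": "library", "name": "libbar", "version": "0.9",
         "purl": "pkg:generic/libbar@0.9", "bom-ref": "pkg:generic/libbar@0.9"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/gateway-firmware@3.1.0",
         "dependsOn": ["pkg:generic/libfoo@1.2.3", "pkg:generic/libbar@0.9"]},
    ],
}

# Constructed advisory map: purl -> advisory id (placeholder, not a real advisory).
KNOWN_AFFECTED = {"pkg:generic/libbar@0.9": "ADVISORY-PLACEHOLDER-001"}


def canonical_digest(sbom: dict) -> str:
    """SHA-256 over a canonical JSON form (sorted keys, no whitespace)."""
    data = json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def verify_integrity(sbom: dict, expected_digest: str) -> bool:
    """True only if the SBOM still matches the digest recorded at generation time."""
    return canonical_digest(sbom) == expected_digest


def check_minimum_elements(sbom: dict) -> list:
    """Return NTIA minimum-element gaps; an empty list means the SBOM is complete."""
    gaps = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        gaps.append("metadata.timestamp missing")
    if not meta.get("authors"):
        gaps.append("metadata.authors missing")
    refs = set()
    for c in sbom.get("components", []):
        label = c.get("name", "<unnamed>")
        for field in ("name", "version", "supplier"):
            if not c.get(field):
                gaps.append(f"{label}: {field} missing")
        if not (c.get("purl") or c.get("cpe")):
            gaps.append(f"{label}: no unique identifier (purl/cpe)")
        if c.get("bom-ref"):
            refs.add(c["bom-ref"])
    # Dependency relationship: every component must appear somewhere in the graph.
    in_graph = set()
    for d in sbom.get("dependencies", []):
        in_graph.add(d.get("ref"))
        in_graph.update(d.get("dependsOn", []))
    for r in sorted(refs - in_graph):
        gaps.append(f"{r}: not present in dependency graph")
    return gaps


def follow_up_actions(sbom: dict, affected: dict) -> list:
    """Cross-reference component purls with the advisory map to build a work list."""
    actions = []
    for c in sbom.get("components", []):
        adv = affected.get(c.get("purl"))
        if adv:
            actions.append({"component": c["name"], "version": c["version"],
                            "advisory": adv})
    return actions


if __name__ == "__main__":
    digest = canonical_digest(SAMPLE_SBOM)  # would normally ship beside the SBOM
    print("integrity ok:", verify_integrity(SAMPLE_SBOM, digest))
    print("gaps:", check_minimum_elements(SAMPLE_SBOM))
    print("follow-up:", follow_up_actions(SAMPLE_SBOM, KNOWN_AFFECTED))
```

The integrity check only detects modification after the digest was recorded; it says nothing about whether the producer generated the SBOM honestly, which is why the podcast's point about reporting integrity extends to how the SBOM is produced, not just how it is transported.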

Check out the discussion on this latest episode of IoT: The Internet of Threats podcast. 
How Do You Start Using SBOMs?

The SBOM, as a concept, certainly has gained traction as it has evolved into a critical cybersecurity tool. However, many would-be SBOM adopters find that getting value from SBOM needs more than just a snap of the fingers before they can unlock better cybersecurity and mitigate supply chain threats. 

How do you approach SBOM? How do you actually derive value from an SBOM once you've got one? 

On this episode of the IoT: The Internet of Threats podcast, Dr. George Shea, Chief Technologist at FDD, explains just what the heck you're supposed to do with SBOMs.

Will SBOMs Become Law?

As regulators continue their slow walk toward requiring SBOM and other cybersecurity tools and practices through measures such as EO 14028, the NDAA, and the FDA Draft Guidance, what will the future hold for SBOM regulation? 

Will product manufacturers be required to supply an SBOM to provide transparency into their products and help identify emerging vulnerabilities? 

Tune in as Dr. George Shea, Chief Technologist at FDD, discusses where the push for SBOM's adoption and use is coming from.

Guest Details

Dr. George Shea, Chief Technologist at FDD, has made vast contributions to SBOM research and thought leadership and to the wider discussion of how to advance cybersecurity. Prior to joining FDD, George served as a Chief Engineer at MITRE, leading initiatives to improve the technical integrity and quality of the organization's products and deliverables. She holds a Doctor of Computer Science degree from Colorado Technical University and an MS in Computer and Information Sciences and Support Services from Regis University.

Episode Links

All episodes of Finite State’s “The Internet of Threats” podcast can be heard on Spotify, Apple Podcasts, and Google Podcasts.