For those unaware, what exactly is an SBOM, and why is it so important?
One of the presentations you gave mentioned that software supply chain attacks shouldn't be discussed as "emerging threats" - these really have been going on for years. Why do you think we still talk about it as an emerging threat or something novel?
We know you've recently talked about an effort dubbed "VEX" which seeks to add context to SBOM information. How is this valuable and how can it be used to reduce risk?
What would you say are the top 3 things that organizations could do today to be aware of in regards to software supply chain attacks?
In regards to SBOMs for complex environments such as SaaS where you have several parties involved and interdependencies, how do you see the SBOM evolving in that space?
How do you see organizations operationalizing SBOM's from a Cyber practitioner perspective? How will it fit in to a robust cybersecurity program?
S2E4: Dr. Allan Friedman - CISA - SBOM and the Art of Possible