The New Stack Podcast22 Jun 2023

A Good SBOM is Hard to Find

The concept of a software bill of materials (SBOM) aims to provide consumers with information about the components inside a software, enabling better assessment of potential security issues. Justin Hutchings, Senior Director of Product Management at GitHub, emphasizes the importance of SBOMs and their potential to facilitate patching without relying solely on the vendor. He spoke with Alex Williams in this episode of The New Stack Makers.

Creating a comprehensive SBOM poses challenges. Each software package is unique, such as an Android application that combines the developer's code with numerous open-source dependencies obtained through Maven packages. The SBOM should ideally serve as a machine-readable inventory of all these dependencies, enabling developers to evaluate their security.

Hutchings notes that many SBOMs fall short in being fully machine-readable, and the vulnerability landscape is even more problematic. To achieve the standards Hutchings envisions, several actions are necessary. For instance, certain programming languages make it difficult to inspect build contents, while the lack of a centralized distribution point for dependencies in languages like C and C++ complicates the enumeration and standardization of machine-readable names and versions. Addressing these issues across the entire software supply chain is imperative.

SBOMs hold potential for enhancing software security, but the current state of implementation and machine-readability needs improvement, particularly concerning diverse programming languages and dependency management.

Learn more at thenewstack.io

Creating a 'Minimum Elements' SBOM Document in 5 Minutes

Enhance Your SBOM Success with SLSA

How to Create a Software Bill of Materials

Denne episoden er hentet fra en åpen RSS-feed og er ikke publisert av Podme. Den kan derfor inneholde annonser.

Episoder(300)

Why MotherDuck refuses to fork DuckDB

At a recent MCP developer summit, The New Stack spoke with Till Döhmen, AI lead atMotherDuck, about the company’s growing role in the evolving DuckDB ecosystem. Backed by investors includingTomasz Tun...

27 Mai 27min

JetBrains is selling independence as the rest of AI coding picks sides

JetBrains is positioning itself as the last major independent AI coding-tool vendor in a market increasingly tied to hyperscalers and foundation model labs. Speaking at Google Cloud Next, JetBrains VP...

21 Mai 26min

Why Block handed Goose to the Linux Foundation

What began as an internal developer tool atBlockhas evolved into a broader open-source initiative with industry backing. Goose, Block’s AI coding agent, followed a path similar to Amazon’s transformat...

15 Mai 19min

Fivetran's CPO: closed data stacks won't survive the agent era

At Google Cloud Next 2026, Fivetran Chief Product Officer Anjan Kundavaram argued that enterprise data systems are unprepared for the scale of AI-driven analytics. Unlike humans, AI agents can generat...

13 Mai 22min

The new FinOps problem isn't cloud bills

At Google Cloud Next 2026, Finout co-founder and CEO Roi Ravhon and Google Cloud FinOps lead Pathik Sharma discussed how FinOps is rapidly evolving for the AI era. Ravhon argued that while cloud FinOp...

12 Mai 28min

How Microsoft is governing thousands of Kubernetes clusters without manual intervention

Managing Kubernetes at fleet scale introduces significant complexity, especially as organizations expand from a few clusters to hundreds or thousands across cloud, on-premises, and edge environments. ...

7 Mai 25min

Why long-running AI agents break on HTTP and how Ably is fixing it

In this episode ofThe New Stack Makers, Matthew O’Riordan, CEO of Ably, explains how infrastructure originally built for human collaboration is now well-suited for long-running AI agents. While Ably i...

6 Mai 31min

Why the Linux Foundation adopted MCP, with Jim Zemlin and Mazin Gilbert

Agentic AI is advancing rapidly, with open-source projects racing to keep pace with real-world deployment. To accelerate progress, the Linux Foundation consolidated key technologies—Model Context Prot...

6 Mai 32min