Viktor Pettersson, co-founder of sbomify and CISA SBOM contributor, helps teams navigate SBOMs, CRA compliance, and supply chain safety. He discusses why SBOMs are operational tools, not just paperwork. He covers CI generation and signing, TEA for vendor-neutral discovery, ecosystem-specific tooling, and lessons from the Trivy compromise.
Duration: 37:43
INSIGHT
CRA Will Make SBOMs Mandatory For Internet-Connected Products
The EU Cyber Resilience Act will force most products that connect to the internet to provide SBOMs, effectively creating a GDPR-like regulatory moment for software supply chains.
Viktor Pettersson warns noncompliance can block products from the European market, a stronger incentive than fines and likely unknown to many vendors.
ADVICE
Use SBOMs As An Operational Security Tool
Use SBOMs operationally, not just for compliance, to run automated security and license audits and to diff releases over time.
Leverage VEX statements to mark CVEs as non-impacting when specific functions aren't used, avoiding blind upgrade churn.
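The two operational uses named in this snip, diffing SBOMs across releases and applying VEX statements to suppress non-impacting CVEs, as an added worked example that is not code from the episode, from sbomify, or from any project mentioned on this page. It works on minimal CycloneDX-style JSON: two constructed SBOM fragments for consecutive releases, a constructed VEX document, and a constructed list of scanner findings. All component names, versions and CVE ids are invented placeholders.

```python
"""Added example: operational use of SBOMs (release diff + VEX triage).

The SBOMs, VEX document and scanner findings below are constructed for this
example; component names, versions and CVE ids are placeholders.
"""
import json

# Constructed SBOM for release 1.0 (CycloneDX JSON shape, minimal fields only)
SBOM_V1 = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "example-http", "version": "2.1.0", "purl": "pkg:pypi/example-http@2.1.0"},
        {"name": "example-yaml", "version": "5.3.1", "purl": "pkg:pypi/example-yaml@5.3.1"},
        {"name": "example-crypto", "version": "1.0.0", "purl": "pkg:pypi/example-crypto@1.0.0"},
    ],
}

# Constructed SBOM for release 1.1: example-yaml upgraded, example-crypto dropped,
# example-log added. Diffing the two tells you what actually changed between releases.
SBOM_V2 = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "example-http", "version": "2.1.0", "purl": "pkg:pypi/example-http@2.1.0"},
        {"name": "example-yaml", "version": "5.4.0", "purl": "pkg:pypi/example-yaml@5.4.0"},
        {"name": "example-log", "version": "0.9.2", "purl": "pkg:pypi/example-log@0.9.2"},
    ],
}

# Constructed VEX (CycloneDX vulnerability/analysis shape): the vendor has analysed
# CVE-EXAMPLE-0001 and states that the vulnerable function is never reached in this product.
VEX = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "vulnerabilities": [
        {
            "id": "CVE-EXAMPLE-0001",
            "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
            "affects": [{"ref": "pkg:pypi/example-http@2.1.0"}],
        }
    ],
}

# Constructed scanner output: what a vulnerability scanner would report for release 1.1
FINDINGS = [
    {"id": "CVE-EXAMPLE-0001", "purl": "pkg:pypi/example-http@2.1.0"},
    {"id": "CVE-EXAMPLE-0002", "purl": "pkg:pypi/example-yaml@5.4.0"},
]


def index_components(sbom):
    """Map component name -> version for quick comparison."""
    return {c["name"]: c["version"] for c in sbom["components"]}


def diff_sboms(old, new):
    """Report components added, removed, or changed in version between two SBOMs."""
    a, b = index_components(old), index_components(new)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "changed": {n: (a[n], b[n]) for n in sorted(set(a) & set(b)) if a[n] != b[n]},
    }


def not_affected_pairs(vex):
    """Collect (vuln id, component ref) pairs the VEX marks as not_affected.

    Only the exact ref is suppressed: a statement about version 2.1.0 says
    nothing about 2.2.0, so an upgrade automatically reopens the finding.
    """
    pairs = set()
    for v in vex.get("vulnerabilities", []):
        if v.get("analysis", {}).get("state") == "not_affected":
            for aff in v.get("affects", []):
                pairs.add((v["id"], aff["ref"]))
    return pairs


def triage(findings, vex):
    """Split scanner findings into actionable ones and ones suppressed by VEX."""
    suppressed = not_affected_pairs(vex)
    actionable, ignored = [], []
    for f in findings:
        (ignored if (f["id"], f["purl"]) in suppressed else actionable).append(f)
    return actionable, ignored


if __name__ == "__main__":
    print(json.dumps(diff_sboms(SBOM_V1, SBOM_V2), indent=2))
    actionable, ignored = triage(FINDINGS, VEX)
    print("actionable:", [f["id"] for f in actionable])
    print("suppressed by VEX:", [f["id"] for f in ignored])
```

The suppression key is the exact (CVE, purl) pair rather than the package name, which is the property that keeps VEX from becoming a permanent mute button: the moment a release diff shows the component version moving, the old statement stops matching and the CVE comes back for re-analysis.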
ADVICE
Capture Dependencies From CI Logs And Better Package Managers
Start your SBOM journey by capturing high-quality build log files in CI so you have an accurate inventory of application dependencies.
Migrate to modern package managers (e.g., pipenv/poetry, bun/uvm) to generate better lockfiles and transitive dependency capture.
Viktor Pettersson, part of the CISA task force working on SBOM blueprints and co-founder of sbomify, explores the shifting landscape of software supply chain security as the EU's Cyber Resilience Act (CRA) comes into force, a "GDPR moment" for the industry. Beyond mere compliance, Pettersson argues that SBOMs provide significant operational value as tools for automated security audits and license management, provided they are generated using ecosystem-specific tools rather than generic scanners. He also offers critical security insights into the risks of weaponised code, citing recent incidents where security tools themselves became attack vectors, and emphasises the need for vendor-neutral discovery mechanisms like the Transparency Exchange API (TEA) to secure the software lifecycle.
Read a transcript of this interview: https://bit.ly/41eFG34
Subscribe to the Software Architects’ Newsletter for your monthly guide to the essential news and experience from industry peers on emerging patterns and technologies:
https://www.infoq.com/software-architects-newsletter
Upcoming Events:
QCon AI Boston 2026 (June 1-2, 2026)
Learn how real teams are accelerating the entire software lifecycle with AI.
https://boston.qcon.ai
QCon San Francisco 2026 (November 16-20, 2026)
https://qconsf.com/
The InfoQ Podcasts:
Weekly inspiration to drive innovation and build great teams from senior software leaders. Listen to all our podcasts and read interview transcripts:
- The InfoQ Podcast https://www.infoq.com/podcasts/
- Engineering Culture Podcast by InfoQ https://www.infoq.com/podcasts/#engineering_culture
- Generally AI: https://www.infoq.com/generally-ai-podcast/
Follow InfoQ:
- Mastodon: https://techhub.social/@infoq
- X: https://x.com/InfoQ?from=@
- LinkedIn: https://www.linkedin.com/company/infoq/
- Facebook: https://www.facebook.com/InfoQdotcom#
- Instagram: https://www.instagram.com/infoqdotcom/?hl=en
- Youtube: https://www.youtube.com/infoq
- Bluesky: https://bsky.app/profile/infoq.com
Write for InfoQ: Learn and share the changes and innovations in professional software development.
- Join a community of experts.
- Increase your visibility.
- Grow your career.
https://www.infoq.com/write-for-infoq