
The Everything Feed - All Packet Pushers Pods PP087: Why SBOMs Are Cooler and More Useful Than You Think
Nov 18, 2025
In this engaging discussion, DevSecOps expert Natalie Somersall shares her rich experience from Booz Allen Hamilton and GitHub, diving into the world of Software Bills of Materials (SBOMs). She explains how SBOMs serve as crucial inventories for software components, aiding in vulnerability detection and transparency. Natalie also addresses challenges around SBOM adoption and offers insights into their operational value. Additionally, she introduces VEX for enhancing vulnerability context and stresses the importance of collaboration across teams for effective SBOM management.
Generate SBOMs From Builds
- Generate SBOMs from your build process to capture direct and transitive dependencies for reproducible builds.
- Parse package manifests (requirements.txt, pyproject.toml) and package DBs to improve completeness.
SBOMs Need Completeness And Mapping
- SBOM usefulness depends on completeness and knowing where artifacts run in production.
- Stored SBOM files are only valuable when normalized, linked to runtime locations, and kept current.
Log4j Showed SBOM Value
- Natalie recounted the Log4j incident as a reminder why SBOMs matter for response speed.
- She called Log4j an open-source security success because it was patched quickly, but discovery and deployment remained hard.
