Third Party Therapy - Charlie Jones - Dropping the S-BOM - a new approach to third party software assessment

Feb 10, 2025
Charlie Jones, Director of Product Management at Reversing Labs with a background in supply chain security, talks about static binary analysis as a fresh way to assess software. He covers why commercial software evades classic controls, how to get and test binaries pre‑purchase, limitations of SBOMs, and the regulatory pressures reshaping software supply chain practices.
ANECDOTE

Boots On The Ground Sparked Focus On Software Risk

  • Charlie Jones began his third‑party risk career doing weekly, on‑site cybersecurity assessments for a Fortune 100 bank.
  • That boots‑on‑the‑ground work revealed many supplier types and led him to focus on software vendor risk after incidents like SolarWinds and Codecov.
INSIGHT

Questionnaires Fail To Catch Most Software Risks

  • Questionnaires are losing assurance because they rely entirely on vendor self‑reporting and don't scale to diverse supplier types.
  • Gartner found 83% of cyber teams discover risks in vendor software only after deployment, showing preventative controls are failing.
INSIGHT

Large Packages Bypass Traditional Scanners

  • Legacy endpoint scanners were designed for single files and often skip modern apps because of size limits, letting bloated malicious packages bypass detection.
  • Commercial software can be tens of gigabytes, so attackers deliberately bloat packages knowing many scanners stop at ~100MB.