S3E29: Resilient Cyber Show w/Tom Alrich

Software Supply Chain Security & S-BOM Challenges

In this episode of Resilient Cyber, Chris Hughes sits down with Tom Alrich, a thought leader in software supply chain security, to discuss the current state of software bills of materials (S-BOM), VEX (Vulnerability Exploitability Exchange), and the complexities of securing modern software ecosystems. Tom shares his deep insights into the challenges facing the adoption of S-BOMs and the operational hurdles for both software suppliers and consumers.

🔑 Key Highlights:

  • S-BOM Overview: What is a Software Bill of Materials (S-BOM), and why is it crucial for software supply chain security?

  • VEX Explained: The Vulnerability Exploitability Exchange (VEX) concept and its role in minimizing unnecessary vulnerability alerts.

  • Adoption Challenges: Why end-users are not widely asking for S-BOMs and the obstacles preventing their operational use.

  • Cloud S-BOMs: How the nature of cloud-native environments introduces new complexities in tracking software components.

  • The Naming Problem: Challenges with CPE names and how emerging databases like OSS Index are helping bridge gaps in vulnerability tracking.
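The VEX point above (using supplier statements to suppress alerts that do not apply) is easiest to see with a small worked example. The script below is an added illustration, not material from the episode or from any tool Tom or Chris discuss: it builds a constructed SBOM component list, a constructed vulnerability feed keyed by package URL (purl), and constructed VEX statements using the standard VEX status vocabulary (`not_affected`, `affected`, `fixed`, `under_investigation`), then shows which alerts survive triage. All component names and vulnerability identifiers are placeholders.

```python
"""Added example: triaging SBOM vulnerability matches with VEX statements.

Everything below is constructed sample data, not real packages or CVEs.
"""
from dataclasses import dataclass

# Constructed SBOM components (CycloneDX-style fields, purl used as the key).
SBOM_COMPONENTS = [
    {"name": "libexample-json", "version": "1.4.2",
     "purl": "pkg:generic/libexample-json@1.4.2"},
    {"name": "libexample-net", "version": "2.0.0",
     "purl": "pkg:generic/libexample-net@2.0.0"},
    {"name": "libexample-crypto", "version": "3.1.0",
     "purl": "pkg:generic/libexample-crypto@3.1.0"},
]

# Constructed vulnerability feed: purl -> list of placeholder vulnerability IDs.
VULN_FEED = {
    "pkg:generic/libexample-json@1.4.2": ["VULN-EXAMPLE-0001"],
    "pkg:generic/libexample-net@2.0.0": ["VULN-EXAMPLE-0002", "VULN-EXAMPLE-0003"],
}

# Constructed supplier VEX statements. A not_affected statement must carry a
# justification; an affected statement should carry an action statement.
VEX_STATEMENTS = [
    {"vuln": "VULN-EXAMPLE-0001", "purl": "pkg:generic/libexample-json@1.4.2",
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vuln": "VULN-EXAMPLE-0002", "purl": "pkg:generic/libexample-net@2.0.0",
     "status": "affected", "action": "upgrade to libexample-net 2.0.1"},
]

VALID_VEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}


@dataclass(frozen=True)
class Alert:
    vuln_id: str
    purl: str
    status: str   # a VEX status, or "no_vex_statement" when the supplier said nothing
    detail: str   # justification, action, or an explanatory note


def match_vulnerabilities(components, feed):
    """Raw SBOM scan: every (vuln_id, purl) pair the feed reports for a component.

    Matching is done on the exact purl so that version is part of the key; this
    is the step the naming problem makes hard in practice when only CPE-style
    names are available.
    """
    matches = []
    for component in components:
        for vuln_id in feed.get(component["purl"], []):
            matches.append((vuln_id, component["purl"]))
    return matches


def apply_vex(matches, vex_statements):
    """Attach the supplier's VEX status to each raw match.

    Statements are indexed by (vuln_id, purl). A match with no statement is
    kept and flagged, because silence from the supplier is not a clearance.
    Statements with an unknown status are rejected rather than silently trusted.
    """
    index = {}
    for stmt in vex_statements:
        if stmt["status"] not in VALID_VEX_STATUSES:
            raise ValueError(f"unknown VEX status {stmt['status']!r}")
        index[(stmt["vuln"], stmt["purl"])] = stmt

    alerts = []
    for vuln_id, purl in matches:
        stmt = index.get((vuln_id, purl))
        if stmt is None:
            alerts.append(Alert(vuln_id, purl, "no_vex_statement",
                                "no supplier statement; treat as open"))
        elif stmt["status"] == "not_affected":
            alerts.append(Alert(vuln_id, purl, "not_affected", stmt["justification"]))
        else:
            alerts.append(Alert(vuln_id, purl, stmt["status"], stmt.get("action", "")))
    return alerts


def actionable_alerts(alerts):
    """Alerts that still need human attention after VEX triage."""
    return [a for a in alerts if a.status != "not_affected"]


if __name__ == "__main__":
    raw = match_vulnerabilities(SBOM_COMPONENTS, VULN_FEED)
    triaged = apply_vex(raw, VEX_STATEMENTS)
    print(f"raw matches: {len(raw)}, actionable after VEX: "
          f"{len(actionable_alerts(triaged))}")
    for alert in actionable_alerts(triaged):
        print(f"  {alert.vuln_id} {alert.purl} [{alert.status}] {alert.detail}")
```

Run stand-alone it reports three raw matches and two actionable alerts: the `not_affected` statement removes one, the `affected` one stays with its action, and the match with no statement at all stays flagged as `no_vex_statement`. That last case is the design choice worth noting: a consumer should only drop an alert on an explicit supplier statement, never on the absence of one.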

Join us to explore the future of software supply chain security and how the industry can overcome its biggest hurdles!