More Podcasts by InfoQ episodes


How SBOMs and Engineering Discipline Can Help You Avoid Trivy's Compromise

Published 13 Apr 2026

Duration: 00:37:43

Strengthening mobile app security beyond minimal standards; using a Software Bill of Materials (SBOM) to address supply chain risks under legislative mandates such as U.S. Executive Orders and the EU's Cyber Resilience Act; and using tools such as CycloneDX and SPDX for dependency tracking, compliance, and mitigation of supply chain attacks through improved tooling and practices such as OIDC authentication.

Episode Description

Viktor Peterson, part of the CISA task force working on SBOM blueprints and co-founder of sbomify, explores the shifting landscape of software supply...

Overview

The text emphasizes the critical need for robust security in mobile applications and for supply chain integrity through Software Bills of Materials (SBOMs). It highlights that merely meeting basic security standards is insufficient to defend against evolving threats, particularly for Android and iOS apps, and urges the adoption of comprehensive security solutions. SBOMs are presented as essential for addressing supply chain vulnerabilities, driven by regulatory mandates such as U.S. Executive Order 14028 and the European Union's Cyber Resilience Act (CRA), which require SBOMs for software sold to governments and for internet-connected products. However, creating high-quality SBOMs remains complex: developers often underestimate the workload, and regulatory interpretations vary across jurisdictions, complicating compliance.

Practical challenges include managing dependencies, hidden vulnerabilities (e.g., Log4Shell), and ensuring SBOMs are operational tools rather than mere compliance checkboxes. Modern package managers like Bun (JavaScript) and uv (Python) improve dependency tracking, while tools built around CycloneDX and SPDX generate SBOMs, though ecosystem-specific tools often outperform generic solutions. The text stresses the importance of reproducible builds, digital signatures, and audit trails to verify SBOM authenticity and integrity. Additionally, it warns of the risks of relying on outdated tooling, exemplified by the Trivy security incident, where compromised credentials in pipelines led to breaches affecting LightNLM and the Aqua GitHub organization. Recommendations include transitioning to OpenID Connect authentication, using short-lived credentials, and pinning GitHub Actions to commit hashes to mitigate such risks.
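The pipeline-hardening recommendations above (short-lived OIDC credentials instead of stored secrets, and actions pinned to a full commit hash rather than a mutable tag) are easy to state and easy to regress on. The following is an added example, not code from the podcast, from sbomify, or from the Trivy project: a small Python check that scans a GitHub Actions workflow for third-party actions not pinned to a 40-character commit SHA, for long-lived repository secrets referenced in steps, and for whether the workflow requests an OIDC token at all. The workflow text is constructed for the example, and the commit SHA in it is a placeholder, not a real release of that action.

```python
import re

# Constructed sample workflow (not a real repository's file). One action uses a
# mutable tag, one is pinned to a (placeholder) full commit SHA, one is a local
# action, and one step pushes a long-lived secret into a docker login.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
permissions:
  contents: read
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/local-step
      - run: echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login -u user --password-stdin
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SECRET_RE = re.compile(r"secrets\.([A-Za-z0-9_]+)")
# GITHUB_TOKEN is minted per job run and expires with it, so it is not a
# long-lived credential in the sense the recommendation is about.
SHORT_LIVED_SECRETS = {"GITHUB_TOKEN"}


def find_unpinned_actions(workflow_text):
    """Return (line_no, ref) for every remote action whose ref is not a full commit SHA.

    Local actions ('./...') and container images ('docker://...') are skipped:
    they are not repository refs that can be pinned the same way.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1).strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((line_no, ref))  # no ref at all: floats to the default branch
            continue
        _, version = ref.rsplit("@", 1)
        if not FULL_SHA_RE.match(version):
            findings.append((line_no, ref))  # tag or branch name: mutable
    return findings


def find_long_lived_secrets(workflow_text):
    """Return the names of repository secrets referenced in the workflow, excluding
    the per-run GITHUB_TOKEN. Each one is a credential that OIDC could replace."""
    names = []
    for name in SECRET_RE.findall(workflow_text):
        if name not in SHORT_LIVED_SECRETS and name not in names:
            names.append(name)
    return names


def has_oidc_token_permission(workflow_text):
    """True when the workflow asks for an OIDC token (permissions: id-token: write)."""
    return re.search(r"^\s*id-token:\s*write\s*$", workflow_text, re.MULTILINE) is not None


def audit_workflow(workflow_text):
    """Collect the three checks into one report dict."""
    return {
        "unpinned_actions": find_unpinned_actions(workflow_text),
        "long_lived_secrets": find_long_lived_secrets(workflow_text),
        "requests_oidc_token": has_oidc_token_permission(workflow_text),
    }


if __name__ == "__main__":
    report = audit_workflow(SAMPLE_WORKFLOW)
    for line_no, ref in report["unpinned_actions"]:
        print(f"line {line_no}: '{ref}' is not pinned to a full commit SHA")
    for name in report["long_lived_secrets"]:
        print(f"secret '{name}' is a long-lived credential; consider an OIDC exchange")
    print("requests OIDC token:", report["requests_oidc_token"])
```

Run against a real `.github/workflows/*.yml` file by reading it into `audit_workflow`. The check is line-based on purpose so it needs no YAML library and cannot be confused by anchors or multi-document files; the trade-off is that a `uses:` value split across lines or built from an expression will not be seen, so treat a clean report as a necessary, not sufficient, condition.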

The discussion underscores that SBOMs are central to regulatory compliance, software trust frameworks, and proactive security management, requiring a shift from "checkbox" compliance to integrated, operational use. While heavy-handed legislation addresses systemic security failures, it also demands a balance between regulation and enabling developers to adopt best practices. The text concludes with actionable steps for organizations, emphasizing tooling within their own ecosystem, quality assurance in SBOM generation, and alignment with emerging standards to navigate evolving compliance requirements.

Recent Episodes of Podcasts by InfoQ

18 May 2026 Context is the Key to the Agentic Architecture Revolution: A Conversation with Baruch Sadogursky

AI adoption in architectural decision-making emphasizes trade-offs between efficiency and complexity, challenges of ambiguous requirements, context-driven engineering, frameworks like the Intent Integrity Kit for iterative clarity, architect roles in managing systems and stakeholder dynamics, and the need to balance AI capabilities with human oversight amid ethical and technical limitations.

4 May 2026 Roq: Leveraging Quarkus to Build Static Sites at the Speed of Go

Java's resurgence is fueled by performance gains, modern frameworks like Quarkus, and native compilation, exemplified by Roq, a lightweight static site generator leveraging Quarkus for dynamic rendering, Markdown content, and streamlined workflows, with future AI integration and open-source advancements.
