More Open Source Security episodes

AIBOM, CBOM, and HBOM with Allan Friedman thumbnail

AIBOM, CBOM, and HBOM with Allan Friedman

Published 29 Jun 2026

Duration: 34:38

The evolution of Software Bill of Materials (SBOM) beyond manufacturing into cryptographic, hardware, and AI domains faces challenges in unified integration, compliance, tooling, and dependency tracking, requiring open-source collaboration, standardized frameworks, and adaptive policies to meet industry demands in procurement and risk management.

Episode Description

Josh chats with Allan Friedman about all things Bill of Materials. Allan did a ton of work to help turn SBOM into what it is today. He has many though...

Overview

The podcast explores the evolution and challenges of Software Bill of Materials (SBOM) frameworks, emphasizing their role in enhancing transparency and security across software, hardware, and cryptographic domains. It introduces the "Omnibomb" concepta unified system engineering approach to integrating multiple "bombs" (SBOM, hardware BOM, cryptographic BOM, etc.)while acknowledging debates over whether these domains should remain separate or merged. Key use cases include cryptographic standards like FIPS 140-2, IoT devices requiring coordinated BOM tracking, and cross-architecture software development. Challenges highlighted include balancing integration complexity with practicality, defining minimum compliance requirements, and addressing gaps in structured data formats for risk analysis, such as the inadequacy of unstructured metadata. The discussion also critiques the underdevelopment of SBOM adoption in security tools and procurement practices, despite growing industry demand.

The podcast further addresses the impact of rapid technological advancements, such as AI-driven code generation, which complicates traditional SBOM tracking by blurring lines of origin and dependency. It critiques current open-source licensing practices, emphasizing the need for clearer standards and tooling (e.g., SPDX, CycloneDX) to manage compliance risks. Regulatory and policy challenges are examined, including the difficulty of aligning evolving technical standards with static legal frameworks and the need for phased, incremental approaches to AI transparency. The role of community-driven open-source projects in shaping SBOM and AI transparency frameworks is stressed, along with calls to embed SBOM requirements into contracts and procurement to enforce accountability. Finally, it underscores the importance of structured, modular systems for AI and infrastructure transparency, akin to SBOM, while advocating for targeted compliance efforts over broad, simultaneous reforms.

What If

  • What if you created an AI transparency tool that automatically maps AI-generated code dependencies to SBOM standards?

    • Move: Develop a prototype tool that parses AI-generated code snippets, identifies external libraries (e.g., cURL), and formats their provenance into SBOM-compatible structures like SPDX or CycloneDX.
    • Why Now?: Rapid adoption of AI agents in development raises urgent compliance risks, and SBOM adoption is growing in contracts and procurement. Early tooling could position you as a niche leader in this space.
    • Expected Upside: Youd address a critical gap in AI/SBOM integration, attract enterprise clients needing compliance with emerging regulations, and provide a practical solution for tracking AI dependencies.
  • What if you contributed a modular SBOM parser to an open-source project like SPDX or Cyclone DX to streamline integration with AI transparency tools?

    • Move: Fork an existing SBOM parser, extend its capabilities to handle structured AI transparency data (e.g., model provenance, training data sources), and submit a pull request to the core project.
    • Why Now?: Open-source communities like SPDX prioritize collaborative, standards-driven solutions, and gaps in AI/SBOM compatibility are under-addressed. Your contribution could directly influence tooling evolution.
    • Expected Upside: Youd gain credibility in developer and policy circles, reduce your own implementation costs via shared tooling, and align with industry trends favoring open standards.
  • What if you designed a phased Omnibomb framework for hardware-software-cryptographic synergy in SaaS products?

    • Move: Start with a "crawl" phase by mapping SaaS product boundaries (e.g., load balancers, backend libraries) using existing SBOM tools. Then, incrementally layer in cryptographic and hardware dependencies (e.g., FIPS-compliant modules).
    • Why Now?: SaaS compliance challenges are unresolved, and regulators are pushing for stricter infrastructure transparency. Phased implementation avoids overcomplication while meeting immediate compliance needs.
    • Expected Upside: Youd create a scalable framework for SaaS providers, differentiate yourself in the compliance market, and provide a blueprint for integrating Omnibomb principles into dynamic systems.

Takeaway

  • Define and document minimum SBOM requirements for your products, aligning with evolving standards like CISAs or NIST SP 800-140, to ensure compliance without overcomplicating implementation.
  • Engage directly with open-source communities (e.g., SPDX, Cyclone DX, OpenSSF) to validate and contribute to SBOM tooling, ensuring compatibility with your workflows and reducing reliance on proprietary solutions.
  • Integrate SBOM data into your vulnerability management tools and procurement processes using structured formats like SPDX or Cyclone DX to enable automated risk analysis and dependency tracking.
  • Adopt phased modularity in AI development by tracking AI model provenance, data sources, and fine-tuning processes using structured data formats, similar to SBOM practices for hardware/software components.
  • Include SBOM-related clauses in client contracts to enforce transparency and accountability, ensuring third-party vendors or SaaS providers disclose dependencies and compliance requirements.

Recent Episodes of Open Source Security

22 Jun 2026 Packagist and Composer security with Jordi Boggiano

Strategies for securing open-source ecosystems include malware detection via third-party feeds, transparency logs, rapid incident response, blocking malicious downloads, private registry controls, immutable package releases, standardized workflows, MFA enforcement, and technical proposals like artifact validation and build attestation, while addressing challenges like maintainer hacking, AI risks, usability trade-offs, and the need for ecosystem-wide alignment and human verification.

15 Jun 2026 Sustaining Open VSX with Mike and Thabang

Eclipse Foundation's OpenVSX, a VS Code extension repository, surged to 600M monthly downloads, evolved to a commercial model with enterprise SLAs and security teams, while addressing scalability, open-source balance, and funding challenges for AI expansion.

8 Jun 2026 Hacking your CI/CD with Francois Proulx

Critical vulnerabilities in open source CI/CD pipelines, including hijacking and supply chain attacks via social engineering or compromised builds, are highlighted through incidents like TJ Actions and Ultralytics, with mitigation strategies emphasizing secure credentials, externalized workflows, threat modeling, and tools like *Smoked Meat* and *Bagel* to enhance incident response and supply chain security.

1 Jun 2026 Open source verification with Sal Kimmich

Cybersecurity challenges include complex application ecosystems, overlooked kernel vulnerabilities, supply chain risks, and systemic risks from under-resourced organizations prioritizing surface-level controls, alongside calls for regulatory reforms, proactive threat modeling, secure development practices, and addressing tribal nations' unique legal and sovereignty concerns.

25 May 2026 Vulnerability disclosure with Casey Ellis

The evolution of vulnerability disclosure highlights challenges in prioritizing critical issues, outdated legal frameworks, and the role of initiatives like Disclosed.io in standardizing policies, alongside AI's impact on detection, open-source risks, triage complexities, and the need for collaboration and transparency to address systemic security barriers.

More Open Source Security episodes