Slides available here.
Category: Security
How to Use ReARM to Check if Shai-Hulud 2.0 Infiltrated Your Dependencies (video)
I recorded a video showing the new batch search for SBOM components functionality in ReARM:
My Talk on TEA at KubeCon NA 2025 Pre-event
I gave another talk on the Transparency Exchange API at Open Source SecurityCon 2025 in Atlanta on November 10: “Transparency Exchange API: Where To Find Product SBOM?” The YouTube recording is now live and available below. You can also find slides here.
ReARM Demo Video for SecTor 2025 Arsenal
SBOM Diffing: Next Frontier for Supply Chain Security
I’ve been thinking about continuous SBOM diffing for a while, but the subject appears to be even more important than I initially thought. Yesterday (November 11, 2025) I attended the SBOMit workshop, which was part of KubeCon NA 2025. SBOMit is an OpenSSF project that deals with SBOM correctness, validity and verification. Specifically, the demo…
My Talk on TEA at BSides Toronto
Below is the YouTube recording of my talk “Transparency Exchange API: How We Will Share xBOMs”, given on October 4th at BSides Toronto. Slides are available here.
npm Has Become a Russian Roulette
npmjs.org is arguably the world’s largest package repository. In 2022 it was estimated to serve over 43 billion downloads every week. I found no recent estimates, but the number should be much higher today. In the past several weeks, there have been 3 identified large-scale phishing-malware attacks on npmjs.org:
Playing Russian Roulette
The common…
SBOM Developments for July 2025
This post is mostly for myself, just so I don’t have to keep a lot of browser tabs open. There are many projects aimed at developing the SBOM ecosystem, but no aggregation of those, as the field is being actively developed. So here is a list of active links in the field:
Combinatorial Explosion of Versions 5 Years Later
Five years ago, I started working on the problem of combinatorial explosion of versions described in my earlier blog post. Today I would like to summarize the journey of these five years and where we are headed next in this research.
I. Scope of Versioning Problem
Five years ago, I was very invested in the…
Why “Dynamic SBOM” is a Misconception
This follows my recent posts on SBOM tooling and SBOM updates. I keep reading that publishers should strive for something called “Dynamic SBOM”, where a tool continuously updates an SBOM per Product or Component that they produce. However, that is not how the transparency system should work. SBOMs should be scoped to a specific release…