Why “Dynamic SBOM” is a Misconception

This follows my recent posts on SBOM tooling and SBOM updates. I keep reading that publishers should strive for something called “Dynamic SBOM” where a tool continuously updates an SBOM per Product or Component that they produce. However, that is not how the transparency system should work. SBOMs should be scoped to a specific release…

ReARM Now Supports Transparency Exchange API

Reliza just announced ReARM support for Transparency Exchange API (TEA) Beta 1. Read details here. I believe this is the world's first implementation. This is a big milestone for me, as I was involved in the creation of TEA for the past year, almost since its inception. The TEA is an effort to create a common approach of how…

Why New Generation of SBOM Tools Matters

As a preface for what I mean by old-generation tooling, here is a screenshot from the Semgrep documentation. Essentially, it asks developers to centre their SBOM generation efforts around the main branch of a repository. To expand on this, the legacy generation of tooling simply attaches an SBOM to a security scan, resulting in a single…

Practical Guide to NTIA Compliant SBOM

In this post I will describe a specific example of how we can generate an SBOM compliant with the NTIA minimum specification. I will go over existing tooling, real-world issues and how to work around them. I. Problem Statement. The document by NTIA outlining minimum SBOM elements was published in 2021. Still, it is a challenge…

SBOMs to xBOMs to Transparency

Here is a recording of my talk at OWASP Ottawa. Slides available here: https://www.slideshare.net/slideshow/from-sboms-to-xboms-to-transparency-pavel-shukhman-at-owasp-ottawa-on-2025-03-19/277683431

3 Dimensions of Versioning Problem

The versioning problem was a significant part of my work for the last 6 years. During that time we wrote a versioning library used for automatic version bumps of various schemas. On several occasions I gave talks and prepared materials on versioning, including my blog post on combinatorial explosion and another one on minor component…