Category: Security
My Talk on TEA at KubeCon NA 2025 Pre-event
I gave another talk on the Transparency Exchange API at Open Source SecurityCon 2025 in Atlanta on November 10: “Transparency Exchange API: Where To Find Product SBOM?” The YouTube recording is now live and available below. You can also find the slides here.
ReARM Demo Video for SecTor 2025 Arsenal
I recorded a video showing the new batch search functionality for SBOM components in ReARM:
SBOM Diffing: Next Frontier for Supply Chain Security
I’ve been thinking about continuous SBOM diffing for a while, but the subject appears to be even more important than I initially thought. Yesterday (November 11, 2025) I attended the SBOMit workshop, which was part of KubeCon NA 2025. SBOMit is an OpenSSF project that deals with SBOM correctness, validity and verification. Specifically, the demo…
My Talk on TEA at BSides Toronto
Below is the YouTube recording of my talk “Transparency Exchange API: How We Will Share xBOMs”, given on October 4th at BSides Toronto. Slides are available here.
npm Has Become a Russian Roulette
npmjs.org is arguably the world’s largest package repository. In 2022 it was estimated to serve over 43 billion downloads every week. I found no recent estimates, but the number should be much higher today. In the past several weeks, there have been 3 identified large-scale phishing/malware attacks on npmjs.org. Playing Russian Roulette: The common…
SBOM Developments for July 2025
This post is mostly for myself, just so I don’t have to keep a lot of browser tabs open. There are many projects aimed at developing the SBOM ecosystem, but no aggregation of them, since the field is under active development. So here is a list of active links in the field:
Combinatorial Explosion of Versions 5 Years Later
Five years ago, I started working on the problem of combinatorial explosion of versions described in my earlier blog post. Today I would like to summarize the journey of these five years and where we are headed next in this research. I. Scope of the Versioning Problem: Five years ago, I was very invested in the…
Why “Dynamic SBOM” is a Misconception
This follows my recent posts on SBOM tooling and SBOM updates. I keep reading that publishers should strive for something called a “Dynamic SBOM”, where a tool continuously updates an SBOM for each Product or Component that they produce. However, that is not how a transparency system should work. SBOMs should be scoped to a specific release…
ReARM Now Supports Transparency Exchange API
Reliza just announced ReARM support for Transparency Exchange API (TEA) Beta 1. Read the details here. I believe this is the world’s first implementation. This is a big milestone for me, as I was involved in the creation of TEA for the past year, almost since its inception. TEA is an effort to create a common approach to how…