Why New Generation of SBOM Tools Matters

As a preface for what I mean by old-generation tooling, here is a screenshot from the Semgrep documentation: essentially, it asks developers to centre their SBOM generation efforts around the main branch of a repository. To expand on this, the legacy generation of tooling simply slaps an SBOM onto a security scan, resulting in a single…

Practical Guide to NTIA Compliant SBOM

In this post I will describe a specific example of how we can generate an SBOM compliant with the NTIA minimum specification. I will go over existing tooling, real-world issues and how to work around them. I. Problem Statement. The NTIA document outlining the minimum SBOM elements was published in 2021. Still, it is a challenge…

SBOMs to xBOMs to Transparency

Here is a recording of my talk at OWASP Ottawa: Slides available here: https://www.slideshare.net/slideshow/from-sboms-to-xboms-to-transparency-pavel-shukhman-at-owasp-ottawa-on-2025-03-19/277683431

3 Dimensions of Versioning Problem

The versioning problem has been a significant part of my work for the last 6 years. During that time we wrote a versioning library used for automatic version bumps of various schemas. On several occasions I gave talks and wrote materials on versioning, including my blog post on combinatorial explosion and another one on the minor component…

Some Security Risks of Using Push-Based CD

Surprisingly, I have recently not found a strong majority of voices saying that Push-Based Continuous Delivery should never be used due to security concerns. So I feel there is a need to clarify the risks more explicitly. First of all, here is what I mean by Push-Based CD. Simply put, this is the approach where an SSH key or some…

Storing Arbitrary Values in Java Keystore

Java Keystore is a nice tool, but it has a very limited number of inputs it supports natively. Mainly those are PEM certificates and their corresponding keys. Fortunately, there is a way to store arbitrary data using keytool’s -importpass command and base64 encoding. Here is how to achieve that. Let’s imagine we have some secret.bin file,…