hack.lu 2023

SBOMs: are they a threat or a menace?
10-16, 11:50–12:20 (Europe/Luxembourg), Salle Europe

If you have not noticed the hype about SBOMs (Software Bill of Materials) you must have been living in a cave. They have been touted as the next best thing after sliced bread and the cure-all for all our security problems of the past many years. Join me to break through the hype and review the good, the bad and the ugly, and determine if, how and when they may be useful and when not.


SBOMs are discussed everywhere. What are they? How do you create one (using open source tools, of course)? What do you do with one if you have it? How do you break through the hype and ensure that they contain useful data? How can you use these for red team and blue team ops support?

I am a co-founder of SPDX, an active contributor to CycloneDX and the creator of Package URL (PURL), which is a standard to identify packages in these SBOMs as well as in VEX (Vulnerability Exploitability Exchange) specs such as CSAF and OpenVEX. PURLs are also used by many SCA tools and vulnerability databases as the key ID to search for package vulnerabilities.

I am unwillingly part of the hype around SBOMs, yet I am also uniquely positioned to deliver a constructive critique and help you cut through this hype so you get the essential inside information to decide what to do with SBOMs (or do nothing!).
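As an added illustration of the questions the abstract raises (what do you do with an SBOM, how do you check it contains useful data, and how PURLs serve as the matching key), the script below parses a small constructed CycloneDX-style SBOM, splits each component's PURL into its parts, flags components that cannot be matched (no PURL, unparseable PURL, no version), and looks the rest up in a constructed vulnerability feed keyed by PURL. This is example code written for this page, not code from the talk or from the SPDX, CycloneDX, purl, ScanCode or VulnerableCode projects; the SBOM, the feed and the advisory IDs (`EXAMPLE-2023-...`) are invented, and the PURL parser is a simplified reading of the public purl grammar (`pkg:type/namespace/name@version?qualifiers#subpath`), not the reference implementation.

```python
"""Added example: audit a CycloneDX-style SBOM and match it against a
vulnerability feed using Package URLs (purl) as the key.
Not code from the talk or from any SPDX/CycloneDX/purl project."""
from urllib.parse import unquote


def _split_right(s, sep):
    """Split s once from the right on sep; return (s, "") if sep is absent."""
    head, found, tail = s.rpartition(sep)
    return (head, tail) if found else (s, "")


def parse_purl(purl):
    """Parse pkg:type/namespace/name@version?qualifiers#subpath (simplified grammar).

    Namespace, version, qualifiers and subpath are optional. Percent-encoded
    parts (e.g. %40 for '@' in npm scopes) are decoded after splitting."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")
    rest, subpath = _split_right(rest, "#")
    rest, qualifiers_str = _split_right(rest, "?")
    rest, version = _split_right(rest, "@")
    segments = rest.split("/")
    if len(segments) < 2 or not segments[0] or not segments[-1]:
        raise ValueError(f"purl needs at least a type and a name: {purl!r}")
    qualifiers = {}
    for pair in filter(None, qualifiers_str.split("&")):
        key, _, value = pair.partition("=")
        if key and value:
            qualifiers[key.lower()] = unquote(value)
    return {
        "type": segments[0].lower(),
        "namespace": "/".join(unquote(s) for s in segments[1:-1]) or None,
        "name": unquote(segments[-1]),
        "version": unquote(version) or None,
        "qualifiers": qualifiers,
        "subpath": unquote(subpath) or None,
    }


def core_name(parsed):
    """Matching key without version, qualifiers or subpath: pkg:type/namespace/name."""
    ns = f"{parsed['namespace']}/" if parsed["namespace"] else ""
    return f"pkg:{parsed['type']}/{ns}{parsed['name']}"


def audit_sbom(sbom):
    """Return (component name, reason) pairs for components that cannot be
    matched against purl-keyed vulnerability data. An SBOM full of these is
    the 'contains no useful data' case."""
    findings = []
    for comp in sbom.get("components", []):
        label = comp.get("name", "<unnamed>")
        purl = comp.get("purl")
        if not purl:
            findings.append((label, "no purl: cannot be matched against vulnerability data"))
            continue
        try:
            parsed = parse_purl(purl)
        except ValueError as exc:
            findings.append((label, f"invalid purl: {exc}"))
            continue
        if not parsed["version"]:
            findings.append((label, "purl has no version: matching would be by name only"))
    return findings


def match_vulnerabilities(sbom, feed):
    """Map each component purl to advisory IDs whose affected purl has the same
    core name and the exact same version. Exact-version matching only; a real
    feed would carry version ranges."""
    index = {}
    for entry in feed:
        for affected in entry["affected_purls"]:
            parsed = parse_purl(affected)
            index.setdefault((core_name(parsed), parsed["version"]), []).append(entry["id"])
    hits = {}
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        try:
            parsed = parse_purl(purl)
        except ValueError:
            continue
        ids = index.get((core_name(parsed), parsed["version"]))
        if ids:
            hits[purl] = ids
    return hits


# Constructed sample SBOM (CycloneDX-style JSON already loaded as a dict).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "core", "version": "12.0.0",
         "purl": "pkg:npm/%40angular/core@12.0.0"},
        {"type": "library", "name": "log-helper", "version": "1.4.2"},          # no purl at all
        {"type": "library", "name": "libfoo", "purl": "pkg:deb/debian/libfoo?arch=amd64"},  # no version
        {"type": "library", "name": "broken", "purl": "maven:org.example:broken:1.0"},       # not a purl
    ],
}

# Constructed vulnerability feed; the IDs are invented, not real advisories.
SAMPLE_FEED = [
    {"id": "EXAMPLE-2023-0001", "affected_purls": ["pkg:npm/%40angular/core@12.0.0"]},
    {"id": "EXAMPLE-2023-0002", "affected_purls": ["pkg:pypi/requests@2.30.0"]},
]

if __name__ == "__main__":
    for name, reason in audit_sbom(SAMPLE_SBOM):
        print(f"AUDIT  {name}: {reason}")
    for purl, ids in match_vulnerabilities(SAMPLE_SBOM, SAMPLE_FEED).items():
        print(f"MATCH  {purl}: {', '.join(ids)}")
```

Run as-is, the audit flags three of the five components as unmatchable (no PURL, no version, not a PURL), and only the npm component is matched, because the `requests` entry in the feed names a different version. That second point is the practical caveat: matching on an exact PURL is only as good as the versions in the SBOM and the version information in the feed.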

See also: Slide presentation (1.3 MB)

I am a passionate FOSS hacker, lead maintainer of ScanCode, purlDB and VulnerableCode, and on a mission to enable easier and safer reuse of FOSS code with best-in-class open source Software Composition Analysis (SCA) tools for open source discovery and license & security compliance at https://aboutcode.org

I am also a co-founder of SPDX and the creator of Package URL (purl), a de-facto standard to identify packages in SBOMs, SCA tools and vulnerability databases used throughout the industry.
