What happens when you gather a bunch of geeks and throw in “Software Supply Chain Security” as the topic of choice?
You expect some insightful chatter, maybe a few hot takes… and of course, some “chain drops” 🛠️
What we got was way more epic.
Had the chance to be part of a Bird of Feather session organized by Hasgeek today, and it was exactly the kind of chaotic, passionate, cross-domain discussion that makes this space so interesting.
From SBOM dreams (everything documented, perfectly structured, machine-parseable) to harsh realities (vendors handing you PDFs or nothing at all). From consulting teams trying to secure their clients at scale, to maintainers battling trust issues on PRs post-XZ incident.
We touched on:
-
How do you define EOL? (Really define it.)
-
What’s the actual use of an SBOM, beyond compliance checkboxing?
-
IoT vendors refusing to share BOMs – and if you open the case to build your own, poof, warranty gone.
-
Language sprawl in OS’s and efforts to reduce attack surfaces at the core OS level.
-
CVE’s on EOL software.
-
Country of origin… whose country? what origin?
The diversity of perspectives—from enterprise to indie maintainers—and the number of people actively building tools, frameworks, and research around this space gives me hope. It’s messy, fragmented, often frustrating… and yet, somehow, deeply exciting.
Supply chain security isn’t just a buzzword anymore. It’s becoming real, with real problems, and real people working on solutions.
#SupplyChainSecurity #SBOM #OpenSourceSecurity #Infosec #Hasgeek