Cloud Security Lounge: Vulnerability Management the SBOM Way

Jun 29, 2023

Vulnerability Management always starts from… a list of vulnerabilities. But where does this list come from? How do you know what software an organization is actually using? An SBOM is a way to describe exactly this: it is a data model and a format, used by a broad ecosystem of tools that help manage vulnerabilities and more.

In this episode of Cloud Security Lounge, Steve Springett, director of product security at ServiceNow and a member of the core working group of the [CycloneDX SBOM format](https://cyclonedx.org/), joins us to discuss common use cases for SBOMs, vendor pushback, why SBOMs don't solve anything just by themselves, and how SBOM formats will evolve in the near future.

Steve Springett:
LinkedIn: https://www.linkedin.com/in/stevespringett/
Twitter: https://twitter.com/stevespringett

CycloneDX:
Specification: CycloneDX/specification
Home: https://cyclonedx.org
Capabilities: https://cyclonedx.org/capabilities

SPDX: https://spdx.dev/
NTIA SBOM definition: https://ntia.gov/page/software-bill-materials
EPSS: https://www.first.org/epss/model

Datadog Application Vulnerability Management: https://docs.datadoghq.com/security/application_security/vulnerability_management/

Trivy: https://github.com/aquasecurity/trivy

0:00 Cloud Security Lounge