Jens Schmidt, Exodos Labs

Over the past few years, Software Bills of Materials (SBOMs) have become widely adopted across the software industry.

Modern build pipelines can generate CycloneDX or SPDX documents automatically, and new standards such as the OWASP Transparency Exchange API (TEA) aim to streamline the exchange of supply chain artifacts. Yet in practice, many SBOM programs struggle to deliver meaningful security outcomes.

Drawing on real-world experiences from large organizations across regulated industries, this talk explores the operational reality of SBOM adoption.

Examples from the field include:

  • organizations maintaining component inventories in Excel spreadsheets
  • OEMs working with hundreds of suppliers but reviewing only a fraction of incoming SBOMs
  • SBOMs generated automatically but failing basic quality and completeness checks
  • supply chain risk decisions influenced by geopolitical and regulatory constraints

These experiences highlight a critical gap between SBOM generation, artifact exchange, and operational supply chain assurance.

One recurring challenge is SBOM quality.
Many generated SBOMs lack required metadata such as consistent component identifiers, supplier information, or license details, making automated analysis difficult. To address this gap, the talk introduces the concept of SBOM quality gates as a control point within CI/CD pipelines.
These gates evaluate SBOM completeness and policy compliance — including checks for NTIA minimum elements and organization-specific metadata requirements — before artifacts are accepted into downstream workflows.
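As an added example, not code from the talk or any project it mentions, the gate below checks a constructed CycloneDX JSON document for the NTIA minimum elements (supplier name, component name, version, unique identifier, dependency relationship, SBOM author, timestamp). The mapping of those elements onto CycloneDX keys, and the sample SBOM, are assumptions made here.

```python
"""Added example: a minimal SBOM quality gate for CycloneDX JSON.
The NTIA-element-to-field mapping and the sample document are assumptions."""
import json


def check_ntia_minimum(sbom: dict) -> list[str]:
    """Return findings; an empty list means the document passes the gate."""
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):                        # NTIA: timestamp
        findings.append("metadata.timestamp missing")
    if not (meta.get("authors") or meta.get("tools")):   # NTIA: author of SBOM data
        findings.append("metadata.authors/tools missing")
    components = sbom.get("components", [])
    for i, comp in enumerate(components):
        label = comp.get("bom-ref") or f"components[{i}]"
        if not comp.get("name"):                          # NTIA: component name
            findings.append(f"{label}: name missing")
        if not comp.get("version"):                       # NTIA: version
            findings.append(f"{label}: version missing")
        if not (comp.get("supplier") or {}).get("name"):  # NTIA: supplier name
            findings.append(f"{label}: supplier.name missing")
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            findings.append(f"{label}: no unique identifier (purl/cpe/swid)")
    # NTIA: dependency relationship -- every component must appear in the graph
    deps = sbom.get("dependencies", [])
    in_graph = {d.get("ref") for d in deps}
    for d in deps:
        in_graph.update(d.get("dependsOn", []))
    for ref in sorted({c.get("bom-ref") for c in components} - in_graph - {None}):
        findings.append(f"{ref}: not present in dependencies graph")
    return findings


def gate_passes(sbom: dict) -> bool:
    """True when the SBOM may proceed to downstream workflows."""
    return not check_ntia_minimum(sbom)


# Constructed sample: lib-b has no supplier, no purl, and is absent from the graph.
SAMPLE_SBOM = json.loads("""{
 "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
 "metadata": {"timestamp": "2024-01-15T10:00:00Z",
              "tools": [{"name": "example-generator"}],
              "component": {"type": "application", "name": "app", "version": "1.0", "bom-ref": "app"}},
 "components": [
   {"type": "library", "bom-ref": "lib-a", "name": "liba", "version": "2.3.1",
    "supplier": {"name": "Example Corp"}, "purl": "pkg:pypi/liba@2.3.1"},
   {"type": "library", "bom-ref": "lib-b", "name": "libb", "version": "0.9"}],
 "dependencies": [{"ref": "app", "dependsOn": ["lib-a"]}]}""")
```

Running `check_ntia_minimum(SAMPLE_SBOM)` reports three findings, all against lib-b; a pipeline would reject the artifact until the generator or supplier fixes them.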

Rather than focusing on vulnerability scanning, which is already well covered by existing tools and platforms, this session focuses on the data quality and operational challenges that determine whether SBOM initiatives succeed or fail.

The session concludes with architectural lessons learned and practical recommendations for organizations attempting to operationalize SBOM programs across complex supplier ecosystems.

This session is part of SBOM Focus

Open Source Security Foundation
OWASP Foundation
Open regulatory compliance working group (ORCWG.ORG)