RL Blog

Topics

All Blog PostsAppSec & Supply Chain SecurityDev & DevSecOpsProducts & TechnologySecurity OperationsThreat Research
Why RL Built Spectra Assure Community
April 14, 2026

Why RL Built Spectra Assure Community

We set out to help dev and AppSec teams secure the village: OSS dependencies, malware, more. Learn how.

Read More about Why RL Built Spectra Assure Community
Why RL Built Spectra Assure Community

Follow us

XX / TwitterLinkedInLinkedInFacebookFacebookInstagramInstagramYouTubeYouTubeblueskyBluesky

Subscribe

Get the best of RL Blog delivered to your in-box weekly. Stay up to date on key trends, analysis and best practices across threat intelligence and software supply chain security.

ReversingLabs: The More Powerful, Cost-Effective Alternative to VirusTotalSee Why
Skip to main content
Contact UsSupportLoginBlogCommunity
reversinglabsReversingLabs: Home
Solutions
Secure Software OnboardingSecure Build & ReleaseProtect Virtual MachinesIntegrate Safe Open SourceGo Beyond the SBOM
Increase Email Threat ResilienceDetect Malware in File Shares & StorageAdvanced Malware Analysis SuiteICAP Enabled Solutions
Scalable File AnalysisHigh-Fidelity Threat IntelligenceCurated Ransomware FeedAutomate Malware Analysis Workflows
Products & Technology
Spectra Assure®Software Supply Chain SecuritySpectra DetectHigh-Speed, High-Volume, Large File AnalysisSpectra AnalyzeIn-Depth Malware Analysis & Hunting for the SOCSpectra IntelligenceAuthoritative Reputation Data & Intelligence
Spectra CoreIntegrations
Industry
Energy & UtilitiesFinanceHealthcareHigh TechPublic Sector
Partners
Become a PartnerValue-Added PartnersTechnology PartnersMarketplacesOEM Partners
Alliances
Resources
BlogContent LibraryCybersecurity GlossaryConversingLabs PodcastEvents & WebinarsLearning with ReversingLabsWeekly Insights Newsletter
Customer StoriesDemo VideosDocumentationOpenSource YARA Rules
Company
About UsLeadershipCareersSeries B Investment
EventsRL at RSAC
Press ReleasesIn the News
Pricing
Software Supply Chain SecurityMalware Analysis and Threat Hunting
Request a demo
Menu
AppSec & Supply Chain SecurityMay 10, 2023

Why fear rules when it comes to software bills of materials

In this ConversingLabs Cafe interview, Josh Corman, founder of I Am The Cavalry, talks about what’s behind industry skepticism around SBOMs.

paul roberts headshot black and white
Paul Roberts, Director of Content and Editorial at RLPaul Roberts
FacebookFacebookXX / TwitterLinkedInLinkedInblueskyBlueskyEmail Us
Why fear rules when it comes to software bills of materials

If there’s a poster child for the increased focus and attention on the security of software supply chains, it is the SBOM, or software bill of materials. SBOMs are a critical component for operationalizing software supply chain security. Practically, SBOMs act like a list of ingredients for the software that makes up applications: calling out otherwise invisible dependencies on proprietary, open source and licensed, commercial libraries.

So what is there to complain about? A lot, as it turns out. Skeptics point out that requiring production of an SBOM by software vendors might amount to a burdensome compliance requirement with little practical pay off for organizations. If software vendors already struggle with application security and secure development practices, why should they be trusted to produce accurate SBOMs?

Also, SBOM skeptics argue that they will be of little practical value until the companies reviewing them can act on the information they contain to limit cyber risk. Skeptics and critics also point to the vast transformation in application delivery: With cloud-based deployment and continuous integration/continuous delivery (CI/CD) development ascendent, meaning that the makeup of production applications may be changing on a daily — if not hourly — basis, frustrating SBOM creation and maintenance.

Learn more about SBOMs See the ConversingLabs interview with Josh Corman

SBOMs and the journey from security through obscurity

Those arguments miss the bigger value that SBOMs bring, which is transparency into the software supply chains, according to Josh Corman, the founder of I Am The Cavalry and a Vice President of Cyber Safety Strategy at Claroty. Speaking at the recent RSA Conference in San Francisco, Corman made the argument that SBOMs are critical to realizing a better and more secure future: Just the latest step in a long journey to dispel the myth of “security through obscurity.”

That journey includes the embrace of once- controversial but now commonplace practices like full disclosure and tracking of software vulnerabilities for the purposes of patching and remediation, and the development of taxonomies of threats and attacks like the MITRE ATT&CK Framework.

We tend to believe on almost every other topic that transparency to defenders enables informed risk decisions.

Josh Corman

So why the pushback on implementing SBOMs? In his RSAC talk, Corman argues that the “noise” of SBOM skepticism, including mis- and disinformation about how SBOMs work and will be implemented, is motivated by fear among legacy software and services providers. Transparency is great, unless you have something to hide.

And there are lots of legacy software and services providers with stuff to hide, Corman says:

The pushback doesn’t come from modern CI/CD pipeline people. It comes from the legacy people who have a lot of technical debt, security debt and sins they don’t want revealed.

Active opacity: The software supply chain status quo

“Active opacity” is the term that Corman uses to describe the effort to blunt the push for SBOMs and greater software supply chain security. It includes efforts by software producers to maintain a status quo in which responsibility and liability for insecure software is passed down to customers and society more broadly, with few if any negative consequences for the producers themselves.

There is, to state the obvious, no “Lemon Law” for software. There needs to be, especially as software now runs the critical infrastructure that keeps the lights on (literally), runs our healthcare environments, navigates our vehicles, and more. That increases the likelihood of cyber-physical consequences of software failures.

In this ConversingLabs Cafe edition, filmed on the sidelines of the RSA Conference in San Francisco, I sat down and talked with Josh about the problem of SBOM skepticism and what he sees as the three (actually four) main forces trying to frustrate greater software supply chain transparency efforts.

See the ConversingLabs Cafe interview with Josh Corman:

Keep learning

  • Get up to speed on the state of software security with RL's Software Supply Chain Security Report 2026. Plus: See the the webinar to discussing the findings.
  • Learn why binary analysis is a must-have in the Gartner® CISO Playbook for Commercial Software Supply Chain Security.
  • Take action on securing AI/ML with our report: AI Is the Supply Chain. Plus: See RL's research on nullifAI and watch how RL discovered the novel threat.
  • Get the report: Go Beyond the SBOM. Plus: See the CycloneDX xBOM webinar.

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.

Tags:AppSec & Supply Chain Security

More Blog Posts

Developer in action

GitHub breach: The development ecosystem is in the hot seat

This TeamPCP attack is a serious wakeup call about software supply chain security — and the problems with implicit trust.

Learn More about GitHub breach: The development ecosystem is in the hot seat
GitHub breach: The development ecosystem is in the hot seat
Robot Army

AI agents are the new insider threat

AI security leader and author Steve Wilson explains why you need to rethink security — and treat AI agents as digital workers.

Learn More about AI agents are the new insider threat
AI agents are the new insider threat
Open Sign

Shai-Hulud code drop: It’s open season for attacks

The npm malware's public release provides a ready-made blueprint for threat actors. Take action on supply chain security.

Learn More about Shai-Hulud code drop: It’s open season for attacks
Shai-Hulud code drop: It’s open season for attacks
AI infrastructure

Think AI agents are risky? Your underlying stack is too

To manage agentic AI risk, organizations need to focus more on the infrastructure they run on.

Learn More about Think AI agents are risky? Your underlying stack is too
Think AI agents are risky? Your underlying stack is too

Spectra Assure Free Trial

Get your 14-day free trial of Spectra Assure for Software Supply Chain Security

Get Free TrialMore about Spectra Assure Free Trial
Blog
Events
About Us
Webinars
In the News
Careers
Demo Videos
Cybersecurity Glossary
Contact Us
reversinglabsReversingLabs: Home
Privacy PolicyCookiesImpressum
All rights reserved ReversingLabs © 2026
XX / TwitterLinkedInLinkedInFacebookFacebookInstagramInstagramYouTubeYouTubeblueskyBlueskyRSSRSS
Back to Top