

My new podcast

Tom Alrich, Tom Alrich LLC

Jun 22, 2022

I’m pleased to report that Cybellum, an Israel-based company whose mission is “…to enable manufacturers and their suppliers to develop and maintain products that aren’t just safe, but are also secure”, has just posted a podcast I taped with them a few months ago. I’m quite pleased with the results, which are due as much to their good questions as to anything I said.

The podcast – which is only 26 minutes long – ended up being very focused on what I believe is the biggest issue preventing widespread adoption of SBOMs by end user organizations (i.e. organizations whose primary mission isn’t developing software for other organizations; developers are already heavily using SBOMs for their internal purposes, thank you very much): the current lack of tools and scalable third-party services for using SBOMs and VEX documents for software risk management, as well as the relative dearth of written guidance on how non-developers can use SBOMs.

I’ll warn you that, if you’d rather hear happy stories about how SBOMs and VEXes are already being widely used and how it will just take a little more of what we’re currently doing to reach component security nirvana, perhaps you need to look for another podcast. There is a huge amount of work to be done, and even what I know to be in the pipeline at the current moment is totally inadequate to address what’s needed.

However, I’m also quite optimistic that what’s needed will come, and in the not-distant future. I’m optimistic because – as a student of Milton Friedman during his heyday at the University of Chicago – I believe that free markets will ultimately both a) allow consumer demand for SBOMs to rapidly grow from its current close-to-nonexistent level, and b) “monetize” the so-far-nascent (at best) sub-markets for tools and services for widespread distribution and utilization of SBOMs for vulnerability risk management purposes.

I also want to point out that the previous podcast in this same series featured Steve Springett, the creator of Dependency-Track (which I mention in the podcast, and have referred to multiple times in these posts) and leader of the OWASP CycloneDX project (Steve is also the brains behind the current effort to solve the naming problem, one of the primary inhibitors of widespread production and utilization of SBOMs).

I recommend you also listen to that podcast, since Steve provides some very good insights into the current and future state of SBOMs and VEXes. In my opinion, Steve is the intellectual leader of the SBOM and VEX communities. The rest of us are just trying to visit the places where he’s already arrived, made a big difference, then moved on to his next challenge.

Any opinions expressed in this blog post are strictly mine, and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at
