Unlocking the Power of SBOMs: A Deep Dive into Risk Management and Cybersecurity Posture

CVE/FIRST VulnCon 2025 · Main Stage

This talk, "Unlocking the Power of SBOMs: A Deep Dive into Risk Management and Cybersecurity Posture," delivered by John Bergland and Zardia Alden from IBM, addresses the challenge of operationalizing Software Bill of Materials (**SBOM**) data to manage cybersecurity risk. Moving beyond the mere generation of SBOMs (what the speakers call an "SBOM in a bucket"), the presentation outlines a strategy for extracting actionable intelligence from these documents. It describes how IBM, as both a consumer and a producer of software, uses SBOM analysis to understand and improve the security posture of its own offerings and of its supply chain.

AI review

A competent, practitioner-grounded talk on operationalizing SBOMs at enterprise scale from two IBM veterans who clearly live this problem daily. The 95% assessment-time reduction via automation, the VEX spreadsheet bridging strategy, and the quantified noise taxonomy (22% non-prod, 27% scan config, 40% vuln data issues) give this talk more specificity than the average SBOM awareness session. It won't redefine the field and the speakers are explicitly in the 'we figured out how to make this work at IBM' lane rather than advancing the underlying science — but that's an honest, useful lane to…
