"It's hard to know what to fix in your software…if you don't know what's in your software." 🛑
Brian Thomason explains why the US Navy prioritizes high-fidelity #SBOMs as the foundation of every security check.
Read the full breakdown on RAISE 2.0: https://anchore.com/blog/how-raise-2-0-is-transforming-navy-devsecops/
Again for the evening (CET) crowd:
The recording from NYC*BUG (Properly pronounced "Nice Bug") Saturday January 10th, 2026 session "The Book of PF 4th ed + EU CRA: It's time to Engineer up" is now available:
Youtube: https://youtu.be/HOCsvcCm1Ec
Peertube: https://toobnix.org/w/bQPtKXKqJMdeYDbzhrrkEa
#bookofpf #OpenBSD #freebsd #packetfilter #EUCRA #CRA #SBOMS #dependency #supplychain #security @nostarch

Could lockfiles just be SBOMs?
https://nesbitt.io/2025/12/23/could-lockfiles-just-be-sboms.html
#HackerNews #lockfiles #SBOMs #softwaredevelopment #cybersecurity #open_source
🧑‍🌾 bomctl makes SBOMs easier to work with by handling format and version differences for you. Convert between SPDX and CycloneDX, upgrade spec versions, and link #SBOMs across suppliers and systems.
Watch the OpenSSF Project Spotlight about #bomctl: https://youtu.be/Tax1pNaySYQ?si=98Cg8V73m7uHzTMu
When a new vulnerability drops, the first question is always: Is this in my supply chain? 🔍
By ingesting and enriching #SBOMs with vulnerability and dependency data, #GUAC lets you query your entire application portfolio and pinpoint where action is needed immediately.
I chat with @mbarbero about security happenings at the @EclipseFdn
My favorite project they have is helping projects generate #SBOMs, but there's a lot happening. If you want to see some public examples of how to do security right, give it a listen!
https://opensourcesecurity.io/2025/2025-10-eclipse-sbom-mikael-barbero/
In this conversation, Josh speaks with Mikael Barbero, head of security at the Eclipse Foundation. They discuss the foundation’s role in enhancing the security posture of open source projects, the importance of Software Bill of Materials (SBOMs), and the various security services provided to projects. Mikael explains the challenges and strategies involved in implementing security best practices across a diverse range of projects, as well as the foundation’s proactive approach to navigating security regulations and compliance. This is some great security work happening for open source projects.