Content provided by DJ Schleen. All podcast content, including episodes, graphics and podcast descriptions, is uploaded and provided directly by DJ Schleen or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process described here: https://he.player.fm/legal.

Tim Miller on Do You Want Some GUAC with that SLSA?

29:44

I read an interesting post on Twitter the other day about Software Bill of Materials. The author said "SBOMs promise a picture of what lies beneath the surface of software, but without large scale automated binary analysis, at best, they reflect intent not reality. As a result, relying on them is like being an explorer without a compass."

The author does make some good points here. Large-scale binary analysis is definitely lacking in some regards - but the technology is there to do it, and we've had a guest on the show who has talked about how they're doing it today for mobile apps.

But binary analysis is only one use case. There's so much more to Software Bill of Materials.

As for the compass, even as late as the 1700s European explorers still used astrolabes. They helped navigate using the stars, and although the compass was invented around the same time in Asia, it was only used as a backup to the astrolabe.

What that shows is you don't need to have a compass to be an explorer.

Just like you don't have new technologies without innovators like Tim Miller. He's one of the folks behind GUAC - and that's an acronym for "Graph for Understanding Artifact Composition". It's an open source tool that aggregates software security metadata into high-fidelity graph databases.

What does that mean? It means that it ingests SBOMs and provides a way for users to query that information.

Tim reached out to me after seeing GUAC as part of my "SBOM Reference Architecture" in a LinkedIn post that hit his feed. After getting on a quick call to discuss what I had planned for GUAC, I knew I had to get him on the show.

What do we do with SBOMs after we get them? Buckle up, because we're going to talk about one thing you can do...

Welcome back, to daBOM.
