Why only 25% of teams are ready for the Cyber Resilience Act

The Cyber Resilience Act deadline is approaching in November, but according to new research from Cloudsmith, only one in four engineering teams automatically generate Software Bills of Materials (SBOMs). In this KubeCon interview, discover why this critical compliance gap exists and how automated solutions can close it before time runs out.

At KubeCon and CloudNativeCon, we sat down with Cloudsmith’s leadership team to explore the surprising state of SBOM adoption across the software industry. Despite SBOMs being compared to ingredient lists that anyone can understand, three in four organizations still struggle to produce these reports when audits occur. The conversation reveals why this seemingly straightforward requirement has become such a stumbling block.

You’ll learn about the two competing SBOM format standards and why even established players haven’t settled on just one. The discussion dives into whether this represents a temporary transition period or a permanent split in the industry—and what that means for organizations trying to make compliant technology choices today.

What you’ll discover in this video

The interview explores why software organizations treat supply chain transparency as a novel concept when manufacturing industries have used bills of materials for decades. The answer reveals fundamental differences in how developers prioritize speed versus security, and why changing this mindset requires more than just new tools.

Cloudsmith’s approach to automating SBOM generation eliminates manual processes entirely, but the conversation goes beyond basic compliance. You’ll hear about policy-as-code capabilities that let organizations customize security controls based on their specific risk tolerance, including some surprising criteria that go beyond standard vulnerability scores.

A particularly eye-opening segment covers emerging threats that make SBOMs even more critical. The term “slop squatting” might be new to you, but this attack vector specifically targets AI-assisted coding tools that developers are rapidly adopting. Understanding this threat helps explain why automated SBOM verification isn’t just about compliance—it’s about defending against attacks that didn’t exist a year ago.

Key insights you’ll gain

  • The real reasons why SBOM adoption remains low despite regulatory pressure
  • How the GDPR enforcement pattern predicts what will happen with CRA compliance
  • What a Log4J-style incident response looks like with proper SBOM implementation
  • Why AI represents both a solution and a new category of supply chain risk
  • How organizations can move beyond checkbox compliance to meaningful security controls
  • What data sources beyond CVE databases can inform smarter security policies
  • The surprising metadata that will soon be available about open source maintainers

Whether you’re responsible for CRA compliance, managing software supply chain security, or trying to understand how SBOMs fit into modern DevOps practices, this conversation provides practical insights from a platform handling SBOM generation at scale. Watch to understand not just what SBOMs are, but why automation matters and how to customize security policies for your organization’s specific needs.