Observations, analysis and practice on software supply chain security, open-source governance and AI security.
Once AI generates code at volume and agents pull in dependencies without a human choosing each one, the old "scan, then inventory" paradigm starts to break: the inventory describes a tree that has already moved on. Security has to move from after-the-fact review to the moment the code and its dependencies are produced.
Many teams treat an SBOM as a document to hand in. A valuable SBOM drives decisions instead: which reported vulnerabilities are actually exploitable in this deployment, which dependency to fix first, and which license carries risk for the way the product ships.
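As an added example of what "drives decisions" means in practice (this is illustration written for this page, not code from any project it mentions), the script below reads a CycloneDX-shaped SBOM, weights each finding by its VEX-style `analysis.state`, ranks components by what is left to fix, and flags license risk. The SBOM, the package names and the `VULN-000x` identifiers are constructed inline so it runs offline; the set of "risky" licenses is a policy assumption for the example.

```python
"""Rank the dependencies in a CycloneDX SBOM by what actually needs fixing.

Added example, not code from the page. The SBOM below is a constructed,
CycloneDX-shaped document (1.4 JSON field names) with hypothetical package
names; the VEX-style analysis states are used to weight each finding.
"""
import json

# Constructed sample SBOM. Package names and VULN-000x ids are hypothetical.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/webframe@2.1.0", "name": "webframe",
         "version": "2.1.0", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "bom-ref": "pkg:pypi/imgdecode@0.9.3", "name": "imgdecode",
         "version": "0.9.3", "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"type": "library", "bom-ref": "pkg:pypi/yamlish@1.0.0", "name": "yamlish",
         "version": "1.0.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "bom-ref": "pkg:pypi/leftpad@3.0.0", "name": "leftpad",
         "version": "3.0.0"},  # no licence declared at all
    ],
    "vulnerabilities": [
        # Critical on paper, but triage says the vulnerable code is unreachable here.
        {"id": "VULN-0001", "ratings": [{"score": 9.8, "severity": "critical"}],
         "affects": [{"ref": "pkg:pypi/yamlish@1.0.0"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
        {"id": "VULN-0002", "ratings": [{"score": 7.5, "severity": "high"}],
         "affects": [{"ref": "pkg:pypi/imgdecode@0.9.3"}],
         "analysis": {"state": "exploitable"}},
        {"id": "VULN-0003", "ratings": [{"score": 8.1, "severity": "high"}],
         "affects": [{"ref": "pkg:pypi/webframe@2.1.0"}],
         "analysis": {"state": "in_triage"}},
    ],
})

# Policy assumption for this example: copyleft licences that matter when the
# product is distributed. Components declaring no licence are flagged UNKNOWN.
RISKY_LICENSES = {"AGPL-3.0-only", "GPL-3.0-only", "SSPL-1.0"}

# Fraction of a finding's score that counts, by CycloneDX analysis state.
# A missing or unrecognised state is treated as fully exploitable (fail closed).
STATE_WEIGHT = {"exploitable": 1.0, "in_triage": 0.5,
                "not_affected": 0.0, "false_positive": 0.0, "resolved": 0.0}


def load_sbom(text):
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc


def license_ids(component):
    """SPDX ids declared for a component; ['UNKNOWN'] if it declares none."""
    ids = [e["license"]["id"] for e in component.get("licenses", [])
           if "license" in e and "id" in e["license"]]
    return ids or ["UNKNOWN"]


def max_score(vuln):
    """Highest numeric rating on a vulnerability entry, 0.0 if none."""
    return max((r.get("score", 0.0) for r in vuln.get("ratings", [])), default=0.0)


def prioritize(doc):
    """Components ordered by fix priority, highest first.

    priority = sum over findings of score * weight(analysis.state): a 9.8 marked
    not_affected contributes nothing, an untriaged 8.1 counts half until someone
    decides whether the code path is reachable.
    """
    rows = {c["bom-ref"]: {"ref": c["bom-ref"], "name": c["name"], "version": c["version"],
                           "priority": 0.0, "exploitable": [], "in_triage": [], "suppressed": []}
            for c in doc.get("components", [])}
    for vuln in doc.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state", "exploitable")
        weight = STATE_WEIGHT.get(state, 1.0)
        for target in vuln.get("affects", []):
            row = rows.get(target.get("ref"))
            if row is None:
                # A finding against a component the SBOM does not list means the
                # inventory itself is incomplete; surface that instead of dropping it.
                raise ValueError(f"{vuln['id']} affects unknown ref {target.get('ref')!r}")
            row["priority"] += max_score(vuln) * weight
            bucket = ("suppressed" if weight == 0.0
                      else "in_triage" if state == "in_triage" else "exploitable")
            row[bucket].append(vuln["id"])
    return sorted(rows.values(), key=lambda r: (-r["priority"], r["ref"]))


def license_risks(doc):
    """bom-ref -> declared licences that hit the policy set (or UNKNOWN)."""
    risks = {}
    for c in doc.get("components", []):
        hits = [lic for lic in license_ids(c) if lic in RISKY_LICENSES or lic == "UNKNOWN"]
        if hits:
            risks[c["bom-ref"]] = hits
    return risks


if __name__ == "__main__":
    sbom = load_sbom(SBOM_JSON)
    for row in prioritize(sbom):
        print(f"{row['priority']:5.2f}  {row['name']}=={row['version']}  "
              f"exploitable={row['exploitable']} triage={row['in_triage']} suppressed={row['suppressed']}")
    print("licence risks:", license_risks(sbom))
```

Run as-is, the ranking puts `imgdecode` (a confirmed exploitable 7.5, plus an AGPL licence) ahead of `webframe` (an untriaged 8.1), and pushes `yamlish` to the bottom even though it carries the highest raw CVSS score, because the analysis record says the vulnerable path is not reachable. That reordering is the whole point: the same component list, read as a decision aid rather than a deliverable. Two deliberate choices worth keeping in a real pipeline are failing closed on findings with no analysis state and refusing to proceed when a finding references a component the SBOM does not list, since that is evidence the inventory is incomplete.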