
    SBOMs Unpacked: Myths, Risks, & Benefits with Cortez Frazier Jr. | Ep. 13

    Reviewed by Christian Espinosa, MBA, CISSP · Founder & CEO

    Published May 2025 · Last reviewed May 2026

    The Med Device Cyber Podcast · with Cortez Frazier Jr. · May 1, 2025

    Cortez Frazier Jr. from Fossa joins the podcast to unpack the world of Software Bill of Materials (SBOMs), shedding light on common misconceptions, risks, and benefits for product security teams, regulatory leads, and engineers in the medical device industry. This episode delves into the evolution of SBOMs from simple inventory lists to essential tools for proactive cybersecurity, particularly following significant supply chain attacks like SolarWinds. The discussion highlights the critical role of machine-readable SBOM formats such as SPDX and CycloneDX in efficient vulnerability management. Cortez and the hosts explore various prioritization methods for vulnerabilities, including CVEs, CISA's Known Exploited Vulnerabilities list, and the Exploit Prediction Scoring System (EPSS), emphasizing the need to move beyond basic critical and high severity ratings to assess true exploitability. The episode also touches on the unique challenges of SBOM management in the medical device sector, considering regulations like IEC 62304, the complexities of

    Key Takeaways

    • SBOMs are essential for identifying open-source and commercial components in medical devices, aiding in proactive security and risk management.
    • Prioritize vulnerabilities using methods like CISA's Known Exploited Vulnerabilities list and the Exploit Prediction Scoring System (EPSS) to focus on truly exploitable threats.
    • Transparency in sharing SBOMs does not inherently compromise intellectual property or create a
    • Addressing license compliance is a critical aspect of SBOM management, as certain copyleft licenses can mandate open-sourcing proprietary code if not handled correctly.
    • The FDA currently requires SBOMs for medical devices, and the industry is moving towards more operationalized SBOM ingestion for ongoing vulnerability lookups.
    • Proactive use of SBOMs, including integrating them into development workflows and risk management processes, is crucial for maintaining a strong security posture and meeting regulatory expectations.
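
    As an added illustration (not code from the episode or from Fossa), a small Python triage routine that reads a CycloneDX-style SBOM with a vulnerabilities section and orders its findings the way the discussion suggests: CISA KEV membership first, then EPSS probability, then CVSS score. The SBOM contents, the KEV entries, the EPSS values, the `CVE-0000-000x` identifiers and the EPSS cut-off are all constructed placeholders.

```python
import json

# Constructed CycloneDX-style SBOM with a "vulnerabilities" section (sample data, not a real device).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"bom-ref": "pkg:npm/lodash@4.17.15", "name": "lodash", "version": "4.17.15"},
    {"bom-ref": "pkg:pypi/pillow@9.0.0",  "name": "pillow", "version": "9.0.0"},
    {"bom-ref": "pkg:npm/left-pad@1.3.0", "name": "left-pad", "version": "1.3.0"}
  ],
  "vulnerabilities": [
    {"id": "CVE-0000-0001", "ratings": [{"score": 9.8, "severity": "critical"}],
     "affects": [{"ref": "pkg:npm/left-pad@1.3.0"}]},
    {"id": "CVE-0000-0002", "ratings": [{"score": 7.5, "severity": "high"}],
     "affects": [{"ref": "pkg:npm/lodash@4.17.15"}]},
    {"id": "CVE-0000-0003", "ratings": [{"score": 5.3, "severity": "medium"}],
     "affects": [{"ref": "pkg:pypi/pillow@9.0.0"}]}
  ]
}"""

# Constructed threat-intel inputs; in practice these come from the CISA KEV catalog and FIRST's EPSS feed.
KEV = {"CVE-0000-0003"}
EPSS = {"CVE-0000-0001": 0.01, "CVE-0000-0002": 0.42, "CVE-0000-0003": 0.05}
EPSS_THRESHOLD = 0.10  # assumed triage cut-off; tune to the program's risk appetite


def prioritize(sbom_json, kev, epss, threshold=EPSS_THRESHOLD):
    """Rank SBOM vulnerabilities: KEV first, then likely-exploited (EPSS), then by CVSS."""
    sbom = json.loads(sbom_json)
    names = {c["bom-ref"]: f'{c["name"]}@{c["version"]}' for c in sbom["components"]}
    rows = []
    for v in sbom.get("vulnerabilities", []):
        cve = v["id"]
        cvss = max((r.get("score", 0.0) for r in v.get("ratings", [])), default=0.0)
        p = epss.get(cve, 0.0)
        tier = 1 if cve in kev else 2 if p >= threshold else 3
        for a in v.get("affects", []):
            rows.append({"cve": cve, "component": names.get(a["ref"], a["ref"]),
                         "tier": tier, "epss": p, "cvss": cvss})
    # Tier drives the order; EPSS breaks ties before CVSS, so severity alone never wins.
    return sorted(rows, key=lambda r: (r["tier"], -r["epss"], -r["cvss"]))


if __name__ == "__main__":
    for r in prioritize(SBOM_JSON, KEV, EPSS):
        print(r["tier"], r["cve"], r["component"], r["epss"], r["cvss"])
```

    Note that the CVSS 9.8 finding lands last: it is neither in KEV nor likely to be exploited, which is the point the episode makes about looking past critical/high labels.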

    Listen on mdcpodcast.com · Watch on YouTube