
Reviewed by Christian Espinosa, MBA, CISSP · Founder & CEO
Published January 2026 · Last reviewed May 2026
The Med Device Cyber Podcast · January 30, 2026

This episode of The Med Device Cyber Podcast untangles the complexities of Software Composition Analysis (SCA) for MedTech teams. Hosts Trevor Slattery and Christian Espinosa demystify SCA, differentiating it from related concepts like SBOMs (Software Bill of Materials) and SOUP (Software of Unknown Provenance). They emphasize that SCA is the foundational process of identifying all software components within a medical device, including third-party libraries, internally developed code, and even AI-generated code. The discussion highlights the critical role of SBOMs as the output of SCA, providing a comprehensive registry of these components, crucial for transparency and risk management, especially in light of FDA requirements. The hosts delve into the nuances of machine-readable SBOM formats like CycloneDX and SPDX, explaining their importance for regulatory submissions and industry standardization. Furthermore, the episode addresses the evolving landscape of software licensing, particularly
Key Takeaways
- Software Composition Analysis (SCA) is the process of identifying all software components within a medical device, serving as the foundation for understanding its composition.
- A Software Bill of Materials (SBOM) is the output of SCA, providing a comprehensive registry of all software components, critical for transparency and regulatory compliance with the FDA.
- SOUP (Software of Unknown Provenance) refers to software whose origin, build process, or purpose is unclear, posing significant risks that should be addressed during development and analysis.
- The FDA requires machine-readable SBOM formats like CycloneDX and SPDX for submissions, enabling efficient data exchange and analysis by automated tools.
- While Static Application Security Testing (SAST) and SCA both identify software-related issues, SAST focuses on vulnerabilities within the code itself, whereas SCA identifies the components present in the software.
- Understanding all components in a medical device product, including their origins and licenses, is crucial for effective risk management, compliance, and addressing potential supply chain vulnerabilities.
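The takeaways above describe the SBOM as the machine-readable registry that SCA produces and SOUP as components whose origin is unclear. The following added example (not code from the podcast, its hosts, or Blue Goat Cyber) shows the kind of triage a device team can run over a CycloneDX JSON SBOM: it reads the components list, records which provenance fields each component lacks (purl, supplier, version, license), flags components with neither a purl nor a supplier as SOUP candidates for follow-up, and notes copyleft license identifiers for the licensing review. The sample SBOM is constructed for illustration; the field names follow the CycloneDX 1.5 JSON schema, and the SOUP heuristic and copyleft prefix list are this example's assumptions, not an FDA or CycloneDX rule.

```python
"""Triage a CycloneDX JSON SBOM for provenance gaps and license flags.

Added example; the SBOM below is constructed, not a real device inventory.
"""
import json

# Constructed sample SBOM in CycloneDX 1.5 JSON form.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "device",
                               "name": "example-infusion-controller",
                               "version": "2.1.0"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.12",
         "purl": "pkg:generic/openssl@3.0.12",
         "supplier": {"name": "OpenSSL Software Foundation"},
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "zlib", "version": "1.3",
         "purl": "pkg:generic/zlib@1.3",
         "licenses": [{"license": {"id": "Zlib"}}]},
        # No purl, supplier, version or license: a typical SOUP entry.
        {"type": "library", "name": "legacy-motor-driver", "version": "unknown"},
        {"type": "library", "name": "vendor-ui-kit", "version": "4.2",
         "supplier": {"name": "Example Vendor Ltd"},
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
})

# Assumed prefix list for licenses that usually need legal review in a device.
COPYLEFT_PREFIXES = ("GPL-", "LGPL-", "AGPL-")


def component_licenses(component):
    """Return the license ids, names or SPDX expressions declared for a component."""
    out = []
    for entry in component.get("licenses", []):
        if "expression" in entry:                  # SPDX expression form
            out.append(entry["expression"])
        elif "license" in entry:                   # single license object
            lic = entry["license"]
            out.append(lic.get("id") or lic.get("name") or "UNSPECIFIED")
    return out


def triage_sbom(sbom_json):
    """Return per-component findings: provenance gaps, SOUP flag, licenses."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings = {}
    for comp in sbom.get("components", []):
        gaps = []
        if not comp.get("purl"):
            gaps.append("no purl")
        if not comp.get("supplier", {}).get("name"):
            gaps.append("no supplier")
        if comp.get("version", "unknown") in ("", "unknown"):
            gaps.append("no version")
        licenses = component_licenses(comp)
        if not licenses:
            gaps.append("no license")
        findings[comp["name"]] = {
            # Heuristic: origin is unclear when neither identifier is present.
            "soup_candidate": "no purl" in gaps and "no supplier" in gaps,
            "gaps": gaps,
            "licenses": licenses,
            "copyleft": any(l.startswith(COPYLEFT_PREFIXES) for l in licenses),
        }
    return findings


if __name__ == "__main__":
    for name, f in triage_sbom(SAMPLE_SBOM).items():
        tag = "SOUP?" if f["soup_candidate"] else "ok   "
        print(f"{tag} {name:22} gaps={f['gaps']} licenses={f['licenses']}"
              f" copyleft={f['copyleft']}")
```

Run it as-is to see the constructed inventory triaged; point `triage_sbom` at the JSON an SCA tool emits to get the same gap list for a real device, which is the starting point for the SOUP and licensing review the episode describes.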
Listen on mdcpodcast.com · Watch on YouTube
Want help applying this to your own device program?
Blue Goat Cyber is a specialist medical device cybersecurity firm: 250+ FDA submissions, zero rejections. If anything in this conversation hit close to home, book a 30-minute strategy session - no cost, no obligation.
