    Podcast · Episode 13

    SBOMs Unpacked: Myths, Risks, & Benefits with Cortez Frazier Jr.

    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Last reviewed: May 1, 2026

    Why are Software Bill of Materials (SBOMs) critical for medical device security?

    In this episode, Cortez Frazier Jr. joins Christian and Trevor to discuss SBOMs, vulnerability prioritization, and why companies should stop fearing software transparency. The conversation covers real-world security challenges, regulatory trends, and how organizations can protect themselves before a major breach forces them to act.

    Cortez Frazier Jr. is a principal product manager at FOSSA, where he helps companies navigate software supply chain security with a mix of technical expertise and strategic foresight.

    Key points:

    • Overview of FOSSA and its role in software composition analysis.

    • The increasing importance of SBOMs in regulatory compliance.

    • (10:30) Understanding SBOMs

        • How the SolarWinds attack changed the conversation around software transparency.

        • Why some manufacturers are reluctant to release SBOMs.

    • (20:45) Prioritizing Vulnerabilities

        • The difference between CVEs and actual exploitability risks.

        • Why blindly patching everything isn’t an effective security strategy.

    • (30:20) Legal and Compliance Risks

        • How open-source licenses can force companies to disclose their source code.

        • What manufacturers need to do to avoid unexpected legal issues.

    • (40:50) Future Trends

        • How hospitals and customers will soon start demanding SBOMs.

        • Cortez’s advice for companies looking to improve their cybersecurity posture.

    Resources mentioned in this episode that you can Google:

    • Executive Order 14028.

    • SPDX and CycloneDX – Machine-readable SBOM formats

    • EPSS (Exploit Prediction Scoring System) – A better way to assess vulnerability risk

    • CISA Known Exploited Vulnerabilities List – The vulnerabilities that actually matter
