Blue Goat Cyber · Medical Device Cybersecurity
    Podcast · Episode 53

    Untangling Software Composition Analysis for MedTech Teams


By Christian Espinosa, MBA, CISSP
Founder & CEO · Blue Goat Cyber


    Key takeaways

    • Software Composition Analysis (SCA) is the process of identifying all software components within a product, encompassing proprietary code, open-source libraries, and third-party dependencies.
    • The Software Bill of Materials (SBOM) is the primary output of SCA, providing a machine-readable inventory of software ingredients crucial for security transparency and risk management.
    • Software of Unknown Provenance (SOUP), in IEC 62304 terms, designates software items that were not developed under the device's own development process (off-the-shelf or legacy code) or for which adequate development records are unavailable; each SOUP item in the SBOM is treated as higher-risk and must be identified and assessed rather than assumed safe.
    • SCA focuses on identifying the *components* within software, while Static Application Security Testing (SAST) analyzes the source code for implementation vulnerabilities.
    • The complexity of modern software development, including extensive use of third-party and transitive dependencies, necessitates a formal SCA process for complete component visibility.
    • AI-assisted coding introduces a growing concern regarding the inadvertent inclusion of SOUP due to the generation of code and dependencies of unknown origin.
    • An SBOM must be in a machine-readable format such as CycloneDX or SPDX to facilitate automated ingestion and analysis, as required by the FDA for regulatory submissions.
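Because the takeaways above describe an SBOM only in the abstract, here is an added example (not code from this page or from Blue Goat Cyber) that ingests a constructed CycloneDX 1.5 JSON document, separates direct from transitive dependencies by walking its `dependencies` graph, reports inventory inconsistencies (declared components nothing depends on, and references to components never declared), and flags components with missing provenance fields as candidates for a SOUP assessment. The SBOM, component names and bom-refs are constructed for illustration; treating a missing `purl` or `supplier` as a SOUP review trigger is this example's heuristic, not an IEC 62304 rule.

```python
"""Ingest a CycloneDX JSON SBOM, walk the dependency graph, and flag
provenance gaps. Added example; the document below is constructed and
every component name, version and bom-ref in it is hypothetical."""
import json
from collections import deque

# Constructed CycloneDX 1.5 document. "lib-c" is a transitive dependency
# with no purl or supplier; "lib-d" is declared but never depended on;
# "lib-e" is depended on but never declared.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "type": "application",
                               "name": "pump-firmware", "version": "2.1.0"}},
    "components": [
        {"bom-ref": "lib-a", "type": "library", "name": "json-parser",
         "version": "1.4.2", "purl": "pkg:generic/json-parser@1.4.2",
         "supplier": {"name": "Example Vendor"}},
        {"bom-ref": "lib-b", "type": "library", "name": "tls-stack",
         "version": "3.0.1", "purl": "pkg:generic/tls-stack@3.0.1",
         "supplier": {"name": "Example Vendor"}},
        {"bom-ref": "lib-c", "type": "library", "name": "bignum",
         "version": "0.9"},
        {"bom-ref": "lib-d", "type": "library", "name": "legacy-logger",
         "version": "1.0", "purl": "pkg:generic/legacy-logger@1.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-a", "lib-b"]},
        {"ref": "lib-b", "dependsOn": ["lib-c"]},
        {"ref": "lib-c", "dependsOn": ["lib-e"]},
    ],
})


def load_sbom(text):
    """Parse the JSON and reject anything that is not a CycloneDX inventory."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX" or "components" not in sbom:
        raise ValueError("not a CycloneDX component inventory")
    return sbom


def dependency_graph(sbom):
    """Map each bom-ref to the set of bom-refs it depends on."""
    graph = {}
    for entry in sbom.get("dependencies", []):
        graph.setdefault(entry["ref"], set()).update(entry.get("dependsOn", []))
    return graph


def classify_reachability(sbom):
    """Return (direct, transitive, unreferenced, dangling) bom-ref sets,
    starting the walk from the root component named in metadata."""
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = dependency_graph(sbom)
    direct = set(graph.get(root, set()))
    reached = set()
    queue = deque(direct)
    while queue:  # breadth-first walk; the visited set also breaks cycles
        ref = queue.popleft()
        if ref in reached:
            continue
        reached.add(ref)
        queue.extend(graph.get(ref, set()))
    declared = {c["bom-ref"] for c in sbom["components"]}
    return (direct, reached - direct, declared - reached, reached - declared)


def soup_candidates(sbom):
    """Heuristic (this example's assumption): a component with no purl or no
    supplier lacks traceable provenance and needs a SOUP assessment."""
    flagged = []
    for comp in sbom["components"]:
        missing = [f for f in ("purl", "supplier") if not comp.get(f)]
        if missing:
            flagged.append((comp["bom-ref"], missing))
    return flagged


def analyze(text):
    """Produce a sorted, JSON-serialisable summary of the inventory."""
    sbom = load_sbom(text)
    direct, transitive, unreferenced, dangling = classify_reachability(sbom)
    return {
        "direct": sorted(direct),
        "transitive": sorted(transitive),
        "unreferenced": sorted(unreferenced),
        "dangling": sorted(dangling),
        "soup_review": soup_candidates(sbom),
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_SBOM), indent=2))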

    Why does software composition analysis matter beyond regulatory compliance?

    This episode explores SCA (Software Composition Analysis) and explains how SBOMs (Software Bill of Materials), SOUP (Software of Unknown Provenance), and related tooling fit into the broader medical device cybersecurity landscape. Christian and Trevor clarify common misconceptions, including licensing fears, machine-readable requirements, and the role of static testing tools.

    Notable quotes

    “Software Composition Analysis is figuring out a register of what goes into your product, the different source code that you have involved, whether or not you have control over it.”
    - Trevor Slattery
    “If I'm a software developer, I wouldn't know exactly where all the software came from that I put into my code. Oftentimes, it'll be that you have a big team working on a product.”
    - Trevor Slattery
    “I take a look at my SBOM that I generate at the end of it and I realize that I added 500 components in two hours and I have no idea what any of them do.”
    - Trevor Slattery
    “It's interesting because we have a lot of acronyms. We have SCA, SOUP, and SBOM. You know, it's like, let's make things much more complicated. And we have SAST.”
    - Christian Espinosa



    Need help with SBOM management?

    Blue Goat Cyber delivers SBOM and supply chain services for medical device manufacturers, from threat modeling to FDA-ready reports.

    SBOM & Supply Chain Services

    More on SBOM Management

    Ready when you are

    Get FDA cleared without the cybersecurity headaches.

    30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.