SBOMs Unpacked: Myths, Risks, & Benefits with Cortez Frazier Jr.

Why are Software Bill of Materials (SBOMs) critical for medical device security?In this episode, Cortez Frazier Jr. joins Christian and Trevor to discuss SBOMs, vulnerability prioritization, and why companies should stop fearing software transparency. The conversation covers real-world security challenges, regulatory trends, and how organizations can protect themselves before a major breach forces them to act.Cortez Frazier Jr. is a principal product manager at FOSSA, where he helps companies navigate software supply chain security with a mix of technical expertise and strategic foresight.Key points: * Overview of FOSSA and its role in software composition analysis.* The increasing importance of SBOMs in regulatory compliance.* (10:30) Understanding SBOMs * How the SolarWinds attack changed the conversation around software transparency.* Why some manufacturers are reluctant to release SBOMs.* (20:45) Prioritizing Vulnerabilities * The difference between CVEs and actual exploitability risks.* Why blindly patching everything isn’t an effective security strategy.* (30:20) Legal and Compliance Risks* How open-source licenses can force companies to disclose their source code.* What manufacturers need to do to avoid unexpected legal issues.* (40:50) Future Trends * How hospitals and customers will soon start demanding SBOMs.* Cortez’s advice for companies looking to improve their cybersecurity posture.Resources mentioned in this episode that you can Google: * Executive Order 14028. * SPDX and CycloneDX – Machine-readable SBOM formats* EPSS (Exploit Predictability Scoring System) – A better way to assess vulnerability risk* CISA Known Exploited Vulnerabilities List – The vulnerabilities that actually matterThe Med Device Cyber Podcast is brought to you by Blue Goat Cyber, cybersecurity professionals specializing in providing elite cyber solutions for medical devices. Learn more about securing your product and business from cyber-criminals by visiting https://bluegoatcyber.com If you’re interested in our services or partnering with us, schedule a Discovery Session: https://meetings.hubspot.com/blue-goat-cyber/discovery-session Thanks to Cortez Frazier Jr. for being on the show. Connect with Cortez on LinkedIn: https://www.linkedin.com/in/cortezfrazierjr/ Learn more about FOSSA: https://fossa.com/ Christian Espinosa is the CEO and founder of Blue Goat Cyber. Trevor Slattery is the Chief Technology Officer / Director of MedTech Cybersecurity at Blue Goat Cyber. Christian Espinosa on LinkedIn: https://www.linkedin.com/in/christianespinosa/ Blue Goat Cyber on LinkedIn: https://www.linkedin.com/company/blue-goat-cyber/ Blue Goat Cyber on Instagram: https://www.instagram.com/bluegoatcyber/ Blue Goat Cyber on Facebook: https://www.facebook.com/bluegoatcyber/ Blue Goat Cyber on YouTube: https://www.youtube.com/@BlueGoatCyber Trevor Slattery on LinkedIn: https://www.linkedin.com/in/trevor-slattery-34852b1a9 Feedback? Questions? Contact: https://bluegoatcyber.com/contact/ Learn more about Christian Espinosa, buy his books, or invite him to speak on your stage: https://christianespinosa.com/ Christian Espinosa on YouTube: http://www.youtube.com/@ChristianEspinosaOfficial The Med Device Cyber Podcast is your essential resource for medical device cybersecurity. Each episode we dive into the latest threats, solutions, and best practices to protect modern healthcare technology. Whether you're a provider, a manufacturer, or a cybersecurity professional, gain the knowledge to safeguard patient safety by subscribing to the Med Device Cyber Podcast. Subscribe via Spotify: https://spoti.fi/3XX95g0Subscribe via Apple Podcasts: https://apple.co/483OJ9ISubscribe via YouTube: https://www.youtube.com/@BlueGoatCyber/podcasts