Episode 109
SBOMs and Project Health with Brittany Istenes
1 May 2025
39 mins 53 secs
About this Episode
Thank you to the folks at Sustain for providing the hosting account for CHAOSSCast!
CHAOSScast – Episode 109
In this episode of CHAOSScast, host Georg Link is joined by Cali Dolfi, Senior Data Scientist at Red Hat, and Brittany Istenes, FINOS Ambassador. The discussion delves into the importance of measuring open source community health and the role of Software Bill of Materials (SBOM) in ensuring software security and compliance. They talk about the rising threats in open source software, the need for standardizing SBOMs, and how organizations can leverage these tools to proactively manage risks and project health. Also, they touch on practical steps being taken at Red Hat and other organizations to address these challenges. Hit download now to hear more!
[00:00:21] Our guests introduce themselves and their backgrounds.
[00:01:55] Georg explains the rise of malicious packages (700%) and the risks of neglected open source components.
[00:04:36] What is an SBOM? Brittany explains SBOMs as a list of all software components and libraries in an application, and the adoption of automation and tooling is discussed.
[00:06:08] Cali outlines the lack of consensus on SBOM fields and formats and advocates for including upstream repo links to assess project health. Brittany mentions companies being cautious about publicizing SBOMs due to IP concerns.
[00:09:12] Georg gives a historical overview of how SBOMs began as tools for license compliance and now cover more, including cybersecurity, following U.S. Executive Order 14028 (May 2021).
[00:15:51] Georg shares three pillars of SBOM strategy: License Compliance, Security, and Project Health, and how CHAOSS Metrics can be combined with SBOMs to move from reactive to proactive strategies.
[00:16:59] Brittany emphasizes risk analysis and good design from project inception, and how proactive open source strategies save effort later.
[00:18:43] Cali talks about using project health metrics and advocates for tracking maintainer activity, patch frequency, and project responsiveness.
[00:21:28] Brittany stresses internal engineering education on project health and risk, and that developers must understand what makes a project “healthy.”
[00:22:55] Georg talks about how open source has evolved and details using CHAOSS metrics for risk assessment and CI/CD integration.
[00:27:36] Cali shares Red Hat’s efforts to define what makes a project vulnerable and how it’s focused on detecting and sunsetting unmaintained dependencies.
[00:31:37] Brittany emphasizes risk from version mismatches and misinterpreted CVEs and mentions a CHAOSS doc to read, “Metrics for OSS Viability” by Gary White.
[00:34:17] We end with Georg sharing some upcoming events: CHAOSScon North America, June 26 and Open Source Summit North America, June 23-25.
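Added example, not code from the episode or from CHAOSS, Red Hat or FINOS: a small check that implements Cali's point about carrying upstream repo links in an SBOM so project-health metrics can be joined to each component. It assumes the CycloneDX JSON shape (components with "vcs" externalReferences and purls); the sample SBOM, component names and URLs are constructed.

```python
"""Check a CycloneDX-shaped SBOM for an upstream repository link per component.

Added example: a "vcs" externalReference is taken as the upstream link; failing
that, a pkg:github purl names the repository directly. Anything else is
reported as unlinked, i.e. health metrics cannot be attached to it.
"""
import json
from typing import Dict, List, Optional

# Constructed sample SBOM in CycloneDX JSON shape; names and URLs are made up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "libfoo", "version": "1.2.3", "purl": "pkg:pypi/libfoo@1.2.3",
         "externalReferences": [{"type": "vcs", "url": "https://github.com/example/libfoo"}]},
        {"name": "barlib", "version": "0.9", "purl": "pkg:github/example/barlib@0.9"},
        {"name": "oldthing", "version": "2.0", "purl": "pkg:npm/oldthing@2.0",
         "externalReferences": [{"type": "website", "url": "https://oldthing.example"}]},
    ],
})


def upstream_url(component: dict) -> Optional[str]:
    """Return the upstream repo URL for one component, or None if unknown."""
    for ref in component.get("externalReferences", []):
        if ref.get("type") == "vcs" and ref.get("url"):
            return ref["url"]
    # Fallback: pkg:github/<owner>/<repo>@<version>?<qualifiers>#<subpath>
    purl = component.get("purl", "")
    if purl.startswith("pkg:github/"):
        path = purl[len("pkg:github/"):]
        for sep in ("@", "?", "#"):
            path = path.split(sep, 1)[0]
        owner, _, repo = path.partition("/")
        if owner and repo:
            return f"https://github.com/{owner}/{repo}"
    return None


def link_report(sbom_json: str) -> Dict[str, Optional[str]]:
    """Map each component name to its upstream URL (None when unlinked)."""
    sbom = json.loads(sbom_json)
    return {c["name"]: upstream_url(c) for c in sbom.get("components", [])}


def unlinked_components(sbom_json: str) -> List[str]:
    """Components with no upstream repo link, so no health data can be joined."""
    return [name for name, url in link_report(sbom_json).items() if url is None]


if __name__ == "__main__":
    for name, url in link_report(SAMPLE_SBOM).items():
        print(f"{name:10} -> {url or 'NO UPSTREAM LINK'}")
```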
Value Adds (Picks) of the week:
- [00:36:08] Georg’s pick is building a platform for his dog to look out the window.
- [00:37:06] Brittany’s pick is spending time with Georg and Cali.
- [00:38:12] Cali’s pick is her great support system since having ACL surgery.
Panelist:
Georg Link
Guests:
Cali Dolfi
Brittany Istenes
Links:
State of the Software Supply Chain (Sonatype)
CHAOSScast Podcast-Episode 103: GrimoireLab at FreeBSD
CHAOSS Community: Metrics for OSS Viability by Gary White
CHAOSScon North America 2025, Denver, CO, June 26
Open Source Summit North America, Denver CO, June 23-25
Cyber Resilience Act (European Commission)
Rising Threat: Understanding Software Supply Chain Cyberattacks And Protecting Against Them (Forbes)
Types of Software Bill of Material (SBOM) Documents
OSS Project Viability Starter (CHAOSS)
Show Me What You Got: Turning SBOMs Into Actions - Georg Link & Brittany Istenes
Support CHAOSScast