Redefining CyberSecurity

SBOMs in Application Security: From Compliance Trophy to Real Risk Reduction | AppSec Contradictions: 7 Truths We Keep Ignoring — Episode 3 | A Musing On the Future of Cybersecurity with Sean Martin and TAPE9 | Read by TAPE9

Episode Summary

SBOMs promised to be the ingredient label for software, accelerating response and boosting trust. But adoption lags: fewer than 1% of GitHub repos carry policy-driven SBOMs, only 15% of developer SBOM questions get answered, and fewer than half of EU firms fund their supply chain programs. In this episode, Sean Martin breaks down the contradiction: why SBOMs stall, who pays the price, and where they do deliver value.

Episode Notes

SBOMs were supposed to be the ingredient label for software, bringing transparency, faster response, and stronger trust. But practice tells a different story. Fewer than 1% of GitHub projects have policy-driven SBOMs. Only 15% of developer SBOM questions get answered. And while 86% of EU firms claim to have supply chain policies, just 47% actually fund them.

So why do SBOMs stall as compliance artifacts instead of risk-reduction tools? And what happens when they do work?

In this episode of AppSec Contradictions, Sean Martin examines:

Catch the full companion article in the Future of Cybersecurity newsletter for deeper analysis and more research.

👉 What’s your experience with SBOMs? Have they helped reduce risk in your organization—or do they sit on the shelf as compliance paperwork? How are you bridging the gap between transparency and real security outcomes? Share your take—we’d love to hear your story.

📖 Read the full companion article in the Future of Cybersecurity newsletter for deeper insights: https://www.linkedin.com/pulse/sboms-application-security-from-compliance-trophy-sean-martin-cissp-qisse

🔔 Subscribe to stay updated on the full AppSec Contradictions video series and more perspectives on the future of cybersecurity: https://www.youtube.com/playlist?list=PLnYu0psdcllRWnImF5iRnO_10eLnPFWi_

________

This story represents the results of an interactive collaboration between Human Cognition and Artificial Intelligence.

Enjoy, think, share with others, and subscribe to "The Future of Cybersecurity" newsletter on LinkedIn: https://itspm.ag/future-of-cybersecurity

Sincerely, Sean Martin and TAPE9

________

Sean Martin is a life-long musician and the host of the Music Evolves Podcast; a career technologist, cybersecurity professional, and host of the Redefining CyberSecurity Podcast; and is also the co-host of both the Random and Unscripted Podcast and On Location Event Coverage Podcast. These shows are all part of ITSPmagazine—which he co-founded with his good friend Marco Ciappelli, to explore and discuss topics at The Intersection of Technology, Cybersecurity, and Society.™️

Want to connect with Sean and Marco On Location at an event or conference near you? See where they will be next: https://www.itspmagazine.com/on-location

To learn more about Sean, visit his personal website.

Episode Transcription

[00:00:00] Speaker: Welcome to AppSec Contradictions, a seven-part video series presented by Sean Martin. The goal: to explore the gaps between promise and reality in application security. In part three, we focus on SBOMs, the software bill of materials. They're supposed to be the ingredient label for software, giving us transparency, trust, and resilience.

But in reality, the promise doesn't match the practice. On paper, SBOMs should speed response, strengthen supplier accountability, and build confidence with customers. That's the vision. The numbers tell a different story. Fewer than 1% of GitHub projects include policy-driven SBOMs. Only a fraction of developer questions ever get answered.

And while most European firms claim to have supply chain policies, [00:01:00] less than half actually fund them. SBOMs too often end up as compliance artifacts, what I call paper trophies, and that hurts everyone. Developers get noise. AppSec teams can't operationalize the data, and business leaders see compliance without results.

Transparency without impact leaves every stakeholder frustrated. But when they are used effectively, the benefits are clear: saving thousands of hours in triage, leveraging suppliers more effectively, scaling governance across products, and even extending visibility into AI systems. That's when SBOMs deliver on their potential.

Sean's take is this: SBOMs must be living data, generated in the pipeline, enriched with context, and tied to business impact. Without that, they remain checkboxes. With it, they become tools for real risk reduction. For a deeper dive into this contradiction, read the full companion article in the [00:02:00] Future of Cybersecurity Newsletter.

And subscribe to follow the rest of this series and to stay ahead on these conversations. Subscribe to the Future of Cybersecurity Newsletter, where the rest of the AppSec Contradictions series will be shared along with more perspectives on the future of security and business.
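The transcript's closing point, that an SBOM only reduces risk when it is generated in the pipeline, enriched with context and tied to business impact, is easier to see in code than in prose. The example below is added here and is not code from the episode, the newsletter, or any tool Sean Martin discusses. It parses a small CycloneDX JSON document, joins each component to a vulnerability feed by package URL, and then weights each finding by the business context of the application the SBOM describes, producing the ranked triage list that a "living" SBOM is supposed to feed. The SBOM, the vulnerability feed (with placeholder identifiers, not real CVEs), the component names and the context fields are all constructed for illustration.

```python
"""Enrich a CycloneDX SBOM with vulnerability and business context.

Added example; all inputs below are constructed and the vulnerability
IDs are placeholders, not real advisories.
"""
import json
from dataclasses import dataclass

# Constructed CycloneDX 1.5 document with fictional components.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "payments-api", "version": "3.4.0"}},
    "components": [
        {"type": "library", "name": "example-parser", "version": "1.2.3",
         "purl": "pkg:npm/example-parser@1.2.3"},
        {"type": "library", "name": "example-http", "version": "2.0.0",
         "purl": "pkg:npm/example-http@2.0.0"},
        {"type": "library", "name": "example-logger", "version": "0.9.1",
         "purl": "pkg:npm/example-logger@0.9.1"},
    ],
})

# Constructed vulnerability feed keyed by purl. IDs are placeholders.
VULN_FEED = {
    "pkg:npm/example-parser@1.2.3": [
        {"id": "EXAMPLE-0001", "severity": "critical", "fixed_in": "1.2.4"}],
    "pkg:npm/example-http@2.0.0": [
        {"id": "EXAMPLE-0002", "severity": "medium", "fixed_in": "2.1.0"}],
}

# Constructed business context for the application the SBOM describes.
CONTEXT = {"exposure": "internet", "handles_payment_data": True}

SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    purl: str
    name: str
    version: str
    vuln_id: str
    severity: str
    fixed_in: str
    priority: int = 0


def parse_cyclonedx(text):
    """Return (purl, name, version) for every component that has a purl.

    Components without a purl cannot be matched to any feed, so they are
    skipped here; in a real pipeline they should be reported as gaps.
    """
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    comps = []
    for c in doc.get("components", []):
        if c.get("purl"):
            comps.append((c["purl"], c["name"], c["version"]))
    return comps


def enrich(components, feed):
    """Join each component to the feed entries recorded for its purl."""
    findings = []
    for purl, name, version in components:
        for v in feed.get(purl, []):
            findings.append(Finding(purl, name, version,
                                    v["id"], v["severity"], v["fixed_in"]))
    return findings


def prioritise(findings, context):
    """Scale severity by business exposure and sort highest first.

    The multiplier is a deliberately simple stand-in for a real
    business-impact model: internet exposure and payment data each
    raise the urgency of every finding in this application.
    """
    multiplier = 1
    if context.get("exposure") == "internet":
        multiplier += 1
    if context.get("handles_payment_data"):
        multiplier += 1
    for f in findings:
        f.priority = SEVERITY_WEIGHT[f.severity] * multiplier
    return sorted(findings, key=lambda f: f.priority, reverse=True)


def triage(sbom_text, feed, context):
    """Full pipeline: parse, enrich, prioritise."""
    return prioritise(enrich(parse_cyclonedx(sbom_text), feed), context)


if __name__ == "__main__":
    for f in triage(SBOM_JSON, VULN_FEED, CONTEXT):
        print(f"{f.priority:>3}  {f.vuln_id:<13} {f.name}@{f.version}"
              f" -> upgrade to {f.fixed_in}")
```

The point of the example is the join, not the scoring: the same SBOM with an empty context yields the raw severity order, while the context multiplier is what turns a list of package versions into a statement about this application's risk. Regenerating the SBOM on every build and re-running this join is what keeps the data "living" rather than a snapshot filed for an auditor.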