Dr. Allan Friedman, often described as the Father of SBOMs while working for CISA, is joining NetRise as a strategic advisor.
Although CISA is seriously affected by the current government shutdown (approximately two-thirds of its workforce were furloughed in October 2025), this played no part in Friedman’s decision to move on from the agency in August 2025.
In his own words, “I’m still interested in building things, and I felt that many of those things lay outside CISA’s remit.”
SBOMs are machine-readable inventories of the components and dependencies used to build a piece of software, providing greater visibility into software supply chains. The software developer produces the SBOM, while the software consumer decides how to use it. NetRise, a supply chain security firm, has an interest in SBOMs to help its clients better secure themselves against software supply chain threats lurking in third-party software components.

To be of value, SBOMs must be accurately built and intelligently consumed. The ‘project’ gained a boost from Biden’s EO 14028 issued in May 2021, requiring that any software sold into the US government must come with an SBOM. But apart from this fillip, there is no legal requirement to produce an SBOM, nor any automatic assumption of availability.
The alliance of the Father of the SBOM with a company that focuses on supply chain security is a natural fit that could lead to greater availability and more intelligent use.
SBOMs versus AI
There is a possible danger that the rise and increasing potential of AI could lead companies to downgrade the importance of SBOMs. AI is already being used for threat hunting, and that use will continue and expand. Why would I need an SBOM when AI will tell me what threats I have and where they are?
“I would love that to be true,” commented Thomas Pace (co-founder and CEO of NetRise), “but right now it cannot do that. It can help with supply chain visibility, but it cannot solve the whole problem.”
Friedman added, “The SBOM remains necessary. As we witness this AI takeover, the SBOM is going to be one of the last things it replaces. AI can do many things, but it is dependent on the data it consumes – and the SBOM provides that data.”
Pace expanded on this: “Let me give you an example. You might have a log4j in a standalone Windows application, and then you might also have that log4j in a Cisco switch. To extract the artifacts, you need to assess and determine whether the log4j is in either one of those assets, and that requires two different processes. Just finding log4j in a Windows application doesn’t give you the ability to find it in the Cisco switch. This is the whole point. Now, once you’ve done all the extraction and you’ve identified all the components [via SBOMs], that’s where AI comes in.”
He continued, “To Friedman’s point, you can give the LLM context about where that component is found and what it is in and how it is supposed to run or operate that you cannot get otherwise. With that information, you can ask the LLM to explain the actual risk of this log4j component. And it will answer, ‘based on this configuration, there is actually a very low probability of it being a problem for you’ (or vice versa).”
So, for the time being, SBOMs are necessary to feed AI, while AI can help the software consumer understand what should be done. As Kirsten Davies (former CISO at Unilever, SVP and CISO at Estée Lauder, MD and group CSO at Barclays – and nominee for CIO at the DOD) told the Senate Armed Services Committee confirmation hearing on September 18, 2025, “If confirmed, I will ensure the Department not only collects SBOMs in contracts but also develops the people, processes, and tools needed to analyze them and act on the results. SBOMs should be integrated with other assurance practices, such as secure development, automated code scanning, and continuous monitoring so the Department can reduce risk and improve reliability in software-intensive systems.”
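One way the consumer side of that arrangement can be put to work, as an added example that is not from the article or from NetRise: the script below reads two constructed CycloneDX-shaped SBOMs (a Windows application and a switch firmware image), finds every copy of a watched component, and returns a per-asset context record (where it lives, which version, whether it sits below a fixed version) of the kind that would be handed on for risk assessment. The asset names, file locations, and the watchlist threshold are assumptions, not real advisory data.

```python
"""Consume two constructed CycloneDX-shaped SBOMs and report every place a watched
component (log4j-core) appears, with per-asset context an analyst or an LLM could use.
Sample SBOMs and the watchlist are constructed for this example, not real advisory data."""

# Constructed SBOMs (already parsed from CycloneDX JSON): the same library inside two very
# different assets, with a 'location' property recording where it was extracted from.
SBOMS = {
    "payroll-desktop (Windows app)": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "properties": [{"name": "location", "value": "C:/payroll/lib/log4j-core.jar"}]},
        {"type": "library", "name": "jackson-databind", "version": "2.15.2"}]},
    "edge-switch (firmware image)": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
         "properties": [{"name": "location", "value": "/opt/mgmt/lib/log4j-core.jar"}]},
        {"type": "library", "name": "openssl", "version": "3.0.13"}]},
}

# Constructed watchlist: component name -> first version treated as fixed (placeholder value).
WATCHLIST = {"log4j-core": "2.15.0"}

def version_key(version):
    """'2.14.1' -> (2, 14, 1); non-numeric segments count as 0 (enough for this sample)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def find_watched(sbom, asset):
    """Return one context record per watched component found in a single SBOM."""
    hits = []
    for comp in sbom.get("components", []):
        fixed = WATCHLIST.get(comp.get("name"))
        if fixed is None:
            continue
        props = {p["name"]: p["value"] for p in comp.get("properties", [])}
        hits.append({"asset": asset, "component": comp["name"], "version": comp["version"],
                     "purl": comp.get("purl"), "location": props.get("location", "unknown"),
                     "below_fixed": version_key(comp["version"]) < version_key(fixed)})
    return hits

def inventory(sboms=SBOMS):
    """Run the check across every asset so one component is tracked wherever it ships."""
    return [hit for asset, sbom in sboms.items() for hit in find_watched(sbom, asset)]

if __name__ == "__main__":
    for hit in inventory():
        print(hit)
```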
By bringing the deep founding knowledge of SBOMs and their capabilities to a firm that specializes (with the help of AI) in securing software supply chains, Friedman and NetRise are effectively combining SBOMs and AI in the manner envisaged by the administration’s nominee for DOD CIO.
“We have made progress on understanding the need for SBOMs and related data, but we also need quality tools. NetRise is leading the way to deliver on the comprehensive and accurate identification of components, uncovering hidden risk, and actioning remediation of that risk,” said Friedman.
NetRise raised $10 million in a Series A funding round in April 2025, bringing the total amount raised by the company to nearly $25 million.