Software Supply Chain Advisory

Turn software transparency into a strategic advantage.

Expert counsel for security, engineering, and product leaders navigating SBOM mandates, CycloneDX adoption, and a rapidly evolving regulatory landscape. Advisory engagements are led directly by Steve Springett, founder and chair of the global standards that define modern software transparency.

Standards & Leadership
  • Chair, OWASP CycloneDX
  • Founder, Ecma International TC54
  • Chair, OWASP Global Board
  • Creator, OWASP Dependency‑Track
  • Coauthor, OWASP SCVS
01 / Positioning

Built for leaders who cannot afford to get supply chain wrong.

Regulators are writing new rules. Customers are demanding evidence. Attackers are exploiting the gaps. Software supply chain risk is now a board level concern, and the organizations that treat it strategically will pull ahead of those treating it as compliance paperwork.

I founded the CycloneDX standard, created the Open Worldwide Application Security Project (OWASP) Dependency‑Track platform, and founded the Ecma committee that is standardizing the next generation of software transparency. That means your team gets advice grounded not in interpretation of the standards, but in authorship of them.

Engagements are intentionally senior, selective, and outcome focused. I work with a small number of organizations at a time so each gets substantive attention from the person whose work they are most likely already using.

What I do

Four areas where deep expertise changes the outcome.

Each engagement is scoped to your program maturity, timeline, and regulatory posture. Most clients start with a focused assessment and expand from there.

Practice area

Software Bill of Materials (SBOM) and xBOM strategy

Design, implement, and operationalize a production grade Software Bill of Materials (SBOM) program using CycloneDX. Covers generation, quality, distribution, vulnerability and exploitability transparency through Vulnerability Disclosure Reports (VDR) and Vulnerability Exploitability eXchange (VEX), attestations, and expansion into Cryptography Bill of Materials (CBOM), Machine Learning Bill of Materials (ML‑BOM), Software as a Service Bill of Materials (SaaS‑BOM), and Manufacturing Bill of Materials.

Regulatory readiness

Map your software supply chain program to the EU Cyber Resilience Act (CRA), U.S. Executive Order 14028, the NIST Secure Software Development Framework (SSDF), U.S. Food and Drug Administration (FDA) premarket cybersecurity guidance, and related mandates. Translate obligations into engineering backlog items rather than legal anxiety.

Supply chain hardening

Reduce risk across the software you build and the software you consume. The OWASP Software Component Verification Standard (SCVS) sets the high level requirements calibrated to your risk tolerance, paired with threat modeling for the supply chain, component intelligence, vulnerability prioritization, open source policy, and provenance verification at scale.

Executive advisory and training

Board briefings, maturity assessments, and private training for security, product, and engineering leaders. Keynotes and workshops calibrated to your audience, from first time SBOM readers to teams deploying cryptographic transparency.

Why this matters now

The rules are being written. Get ahead of them.

CycloneDX became an international standard (ECMA‑424) in 2024. The EU Cyber Resilience Act enters full enforcement in 2027. The Transparency Exchange API is redefining how software evidence is discovered and shared. U.S. Food and Drug Administration (FDA) guidance is making Software Bill of Materials (SBOM) a precondition for medical device approval. Post quantum cryptography, the transition to algorithms that resist attack from future quantum computers, is now a stated federal objective.

Every one of those changes started as a working group draft I helped shape. Clients who engage early translate that foresight into roadmap decisions their competitors will be reacting to in eighteen months.

The engagement thesis

If transparency is the future of software risk, your advisor should be the person who wrote the transparency standard.

Recent focus

Where clients are spending time in 2026.

  • CycloneDX 1.7 adoption and migration from legacy Software Bill of Materials (SBOM) formats (Strategy, tooling)
  • EU Cyber Resilience Act conformity assessments and technical documentation (Regulatory)
  • Cryptography Bill of Materials (CBOM) and post quantum cryptography readiness inventories (CBOM, post quantum)
  • Transparency Exchange API pilots for vendor and customer SBOM distribution (Standards)
  • Dependency‑Track scale out and tuning for large application portfolios (Operational)
  • Software transparency maturity assessments benchmarked against the NIST Secure Software Development Framework (SSDF) and the OWASP Software Component Verification Standard (SCVS) (Assessment)

Ready to move faster than the regulation cycle?

Short introductory calls are free. Describe your situation and I will tell you honestly whether an engagement makes sense, and if not, where to start.