What I do
Five areas where deep expertise changes the outcome
Each engagement is scoped to your program maturity, timeline, and regulatory posture. Most clients start with a focused assessment and expand from there.
Practice area: Software Bill of Materials (SBOM) and xBOM strategy
Design, implement, and operationalize a production-grade Software Bill of Materials (SBOM) program using CycloneDX. Covers generation, quality, distribution, vulnerability and exploitability transparency through Vulnerability Disclosure Reports (VDR) and Vulnerability Exploitability eXchange (VEX), attestations, and expansion into the Cryptography Bill of Materials (CBOM), Artificial Intelligence Bill of Materials (AIBOM), Software as a Service Bill of Materials (SaaS-BOM), and Manufacturing Bill of Materials.
Practice area: Regulatory readiness
Map your software supply chain program to the EU Cyber Resilience Act (CRA), U.S. Executive Order 14028, the NIST Secure Software Development Framework (SSDF), U.S. Food and Drug Administration (FDA) premarket cybersecurity guidance, and related mandates. Translate obligations into engineering backlog items rather than legal anxiety.
Practice area: Supply chain hardening
Reduce risk across the software you build and the software you consume. The OWASP Software Component Verification Standard (SCVS) sets the high-level requirements, calibrated to your risk tolerance, and is paired with threat modeling for the supply chain, component intelligence, vulnerability prioritization, open source policy, and provenance verification at scale.
Practice area: Executive advisory and training
Board briefings, maturity assessments, and private training for security, product, and engineering leaders. Keynotes and workshops calibrated to your audience, from first-time SBOM readers to teams deploying cryptographic transparency.
Practice area: Artificial intelligence in the secure supply chain
Advisory on bringing AI into the same transparency discipline as the rest of the supply chain through the Artificial Intelligence Bill of Materials (AIBOM), and on using agentic AI well for secure code review, design review, threat modeling, and triage. Guidance on secure-by-default patterns for agentic systems, aligned to the OWASP Top 10 for Large Language Model Applications, the OWASP AI Security Verification Standard (AISVS), the EU AI Act, NIST SP 800-218A, and CRA Annex I.