Speaking

Briefings, workshops, and keynotes from the author of the standards.

Sessions calibrated to the audience. From a fifteen-minute board update to a full-day practitioner workshop, every engagement is written for the room and grounded in primary source material.

Steve Springett speaking
Formats

Choose the room, choose the format.

  • Keynote. Thirty to sixty minutes on the trajectory of software transparency, what is changing, and what your audience should do about it.
  • Executive briefing. A focused board or leadership session on regulation, risk, and strategic posture. Typically under an hour, with discussion.
  • Practitioner workshop. Half-day or full-day deep dive for engineering and security teams. Hands-on with CycloneDX, Dependency-Track, and the operational playbook.
  • Panel and fireside chat. Moderated discussion with regulators, practitioners, or customers on policy and practice.
  • Private training course. Multi-session curriculum delivered to a single organization, with pre-reading, labs, and graded assessments.

Signature topics

Sessions I give most often

Each topic is available as a keynote, an executive briefing, or a workshop, and each is refreshed continuously as the underlying standards evolve.

Strategy

Illuminating transparency: the evolution of Software Bill of Materials (SBOM) and beyond

A tour of where SBOM started, where it is today, and where the standards are taking it next. Covers CycloneDX, Cryptography Bill of Materials (CBOM), Artificial Intelligence Bill of Materials (AIBOM), Operations Bill of Materials (OBOM), attestations, and the Transparency Exchange API.

Regulation

The regulatory map of 2026

The EU Cyber Resilience Act (CRA) at the center, the U.S. federal baseline that survived the 2025 EO 14144 rollback, U.S. Food and Drug Administration (FDA) premarket cybersecurity guidance, and sector-specific mandates. What they require, what they actually mean for engineering, and how to stay ahead of the deadlines.

Regulation

EU Cyber Resilience Act readiness for product manufacturers

A working session on what Annex I actually requires, broken into the secure-by-design pillar (Part I) and the Software Bill of Materials and vulnerability handling pillar (Part II). How to evidence each obligation using OWASP SCVS, CycloneDX (ECMA-424), Vulnerability Exploitability eXchange (VEX), and Dependency-Track. Calibrated to the September 2026 vulnerability reporting deadline and the December 2027 conformity assessment deadline.

Practice

Software Bill of Materials (SBOM) quality: the five dimensions that actually matter

Most SBOMs are produced; few are useful. A practical framework for evaluating generation, completeness, accuracy, context, and freshness, and for fixing the ones that fall short.

Operations

Ten years of Dependency-Track: what the data taught us

Lessons from a decade of production component analysis. What vulnerability management has actually learned, and what is still unsolved.

Leadership

The supply chain question every board is going to ask

A briefing for non-technical leaders. What software supply chain risk is, why it is now a board concern, and the five questions directors should be asking their executive teams.

Selected venues

Where I have recently spoken

I present regularly at global industry conferences, OWASP events, government workshops, academic programs, and private customer gatherings. Recent examples include:

  • OWASP Global AppSec, the flagship OWASP application security conference (multiple years, multiple regions) | Host / Session
  • RSA Conference and ecosystem events | Session / Panel
  • STACK Conference | Keynote
  • Boston Application Security Conference (BASC) | Keynote
  • ChiBrrCon, BSides, and regional security conferences | Session
  • Government and regulator workshops on Software Bill of Materials (SBOM) and supply chain policy | Briefing
  • Private customer and partner events for enterprise technology vendors | Keynote / Session
  • University guest lectures and industry advisory boards | Lecture

Inviting me to speak or train your team?

Tell me about the audience, the format, and the outcome you want attendees to leave with. I will respond with a tailored proposal, and I do read every request personally.