Dale Peterson talks with Matt Wyckhouse, Founder and CEO, of Finite State about where the SBOM products and market is today and where it will go in the future. This discussion was informed by the SBOM Challenge at S4x23.

• Who is the primary buyer of SBOM products and services today? (Hint: Matt thinks that 80% of the code in a product is third party)
• How accurate are the products, and the Finite State product in particular, in creating a SBOM?
• How much is the value of a SBOM degraded if it is not perfect? If it is missing software or has inaccuracies?
• Are the offerings now a product? A semi-custom service that uses a developed product? (with an apt comparison to the detection market)
• What will the US Government do with all these SBOMs if they actually get them? If they get an exponential increase in software inventory and the patching and cyber maintenance burden.
• Will there be a separate/distinct OT SBOM market? Will there be a SBOM market in the long run or will it get subsumed in some sort of asset management market?
• Early thoughts on the SBOM marketplace (a place to collect and distribute and respond to queries on SBOMs)
• Where is the industry / products now on VEX?
• Do configuration files belong in a SBOM?
• Surprise data points from the SBOM Challenge