
Friday, May 1, 2026 - Meeting Recap

AI's impact on cybersecurity, Microsoft Red Sun zero-day, HSBC password controversy

CSOH website overhaul, SBOMs and the EU Cyber Resilience Act, DevSecOps hiring

Quick recap

This meeting was Cloud Security Office Hours, where participants discussed recent website updates and shared insights on cloud security practices. Shawn presented new navigation and content sections on the website, including "What Is Cloud Security," learning paths, best practices, and shared responsibility models. The discussion then focused heavily on Software Bill of Materials (SBOMs), with participants sharing experiences about their implementation challenges, particularly around container images and CI/CD processes. Jay emphasized that while technical solutions exist, the main challenges lie in operationalization and organizational discipline rather than tooling. The conversation also touched on the European Cyber Resilience Act requirements and the difficulties of finding skilled professionals with both DevSecOps expertise and embedded systems experience.

Tags: 2026-05, SBOM, Supply Chain, Governance, Community

Cloud Security Website Updates

Shawn led a Cloud Security Office Hours meeting where he presented significant updates to the website, including improved navigation and new content sections covering cloud security basics, learning paths, best practices, and shared responsibility models. He invited attendees to review the changes and provide feedback on how to improve the site's layout and content. The meeting also included welcoming new members Nicholas, Bret, and Ilya, who shared their backgrounds and cloud security experience levels. Jay was expected to provide updates on shared responsibility developments but had not yet spoken when the transcript ended.

Cloud Computing Control and Benefits

The group discussed the balance between control and benefits in cloud computing, with Jay highlighting concerns about losing control as organizations move to cloud services. Shawn shared observations about organizations moving back to on-premises solutions while still benefiting from cloud-like infrastructure, particularly for certain applications. Dave and Neil contributed examples of technical challenges in on-premises environments, including networking issues with Windows Server 2025 and Azure Local, and Docker registry limitations. The discussion concluded with agreement that organizations are facing universal challenges around what information to expose and how to operationalize cloud services effectively.

Software Bill of Materials Evolution

Neil discussed the evolution and current state of Software Bill of Materials (SBOM) implementation, noting that while initially met with skepticism, there is now legitimate demand and usage for SBOMs in the industry. The group clarified the definition of SBOM as a listing of components and their sources within a container image, with Neil explaining its practical applications for security and compliance purposes. The discussion touched on various standards like CycloneDX and SPDX, and included a conversation about the EU Cyber Resilience Act requirements for SBOMs, with Nigel highlighting the need to enrich SBOMs with threat intelligence data for effective vulnerability management.

SBOM Implementation and Challenges

The team discussed the current state and challenges of Software Bill of Materials (SBOM) implementation, particularly in relation to vulnerability management and compliance. Jay emphasized that while regulation is still maturing, demonstrating a good faith effort often prevents enforcement action in the early stages. Neil shared his experience with container images, explaining how properly implemented SBOMs can provide valuable security assurance when combined with signed digests and read-only root file systems. The discussion highlighted that while SBOMs are useful for vulnerability scanning and providing initial context during security incidents, they must be accurately generated and maintained to remain effective, with particular attention needed to prevent environment drift that can render SBOMs inaccurate over time.

SBOM Implementation Challenges Discussion

The team discussed challenges with Software Bill of Materials (SBOM) implementation, particularly regarding version control in developer environments, where dynamic version ranges (e.g., 1.x) are commonly used rather than pinned, static versions. Pavel explained that SBOM requirements are primarily focused on CI/CD stages and will become mandatory for European organizations selling digital products by December next year. The discussion highlighted a recent security concern in which malicious packages were able to trick SBOM scanners by presenting fake versions, emphasizing the need for continuous monitoring and potential signing mechanisms to address these emerging threats.
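One way to check for the two failure modes raised in the last two sections (range versions such as 1.x that leave a component unauditable, and environment drift that makes a build-time SBOM disagree with what is actually running), as an added example that is not from the meeting or from any tool discussed; the CycloneDX document, package names and the observed package set are all constructed for illustration.

```python
import json
import re

# Constructed CycloneDX 1.5-style SBOM (not from the meeting); the
# package names and versions are made up for illustration.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libfoo", "version": "2.4.1",
     "purl": "pkg:deb/debian/libfoo@2.4.1"},
    {"type": "library", "name": "widgetkit", "version": "1.x"},
    {"type": "library", "name": "parsertool", "version": "^3.0.0",
     "purl": "pkg:npm/parsertool@3.0.0"}
  ]
}""")

# A version is only auditable if it names one concrete release (optionally
# with a pre-release/build suffix), never a range or a wildcard.
PINNED = re.compile(r"^\d+(\.\d+)*([-+][0-9A-Za-z.]+)?$")


def unpinned_components(sbom):
    """Return (name, version) for components whose version is a range or missing."""
    bad = []
    for c in sbom.get("components", []):
        v = c.get("version", "")
        if not PINNED.match(v):
            bad.append((c["name"], v))
    return bad


def drift(sbom, observed):
    """Compare the SBOM against what is actually present at runtime.

    observed: dict name -> version collected from the running image or host
    (constructed by the caller here). Returns a dict of components whose
    declared version differs from (or is absent in) the observed set, and a
    sorted list of packages present at runtime but absent from the SBOM.
    """
    declared = {c["name"]: c.get("version") for c in sbom.get("components", [])}
    changed = {n: (declared[n], observed.get(n))
               for n in declared if observed.get(n) != declared[n]}
    undeclared = sorted(set(observed) - set(declared))
    return changed, undeclared


if __name__ == "__main__":
    # Constructed runtime inventory: widgetkit resolved to a concrete release,
    # parsertool is gone, and curl was added after the SBOM was generated.
    runtime = {"libfoo": "2.4.1", "widgetkit": "1.7.0", "curl": "8.5.0"}
    print(unpinned_components(SAMPLE_SBOM))
    print(drift(SAMPLE_SBOM, runtime))
```

In a pipeline, the drift check would run against the signed SBOM for the deployed image digest, so that any difference is evidence of either a stale SBOM or an unexpected change in the environment.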

DevSecOps Recruitment and Security Challenges

Pavel discussed security concerns with GitHub Actions and CI/CD pipelines, highlighting vulnerabilities in current attestation processes. Mackenzie shared her challenges in recruiting for a DevSecOps position requiring specific skills in C/C++ embedded environments, SBOM generation, and compliance with the EU Cyber Resilience Act. The group provided advice on how to approach the recruitment challenge, suggesting focusing on the organization's maturity stage and looking for specialized skills rather than trying to find a "unicorn" candidate with all required skills. Piyush raised a question about incorporating SBOM creation into the CI/CD process and potential improvements for scanning and vulnerability management.

SBOM Implementation and Security Challenges

The meeting focused on Software Bill of Materials (SBOM) implementation challenges and security practices in organizations. Jay emphasized that while SBOM tools exist, the main challenge is operationalization and enforcement rather than technical implementation. Neil suggested generating SBOMs at build time in CI/CD pipelines with proper signing and chaining of evidence. Piyush shared experiences from both Fortune 100 companies and smaller organizations, noting that centralized processes work better in smaller companies. The discussion highlighted the gap between security best practices and organizational reality, with participants agreeing that security success depends more on organizational discipline and processes than on tools or technical skills.
