OpenSSF Community Day North America 2026

Software supply chain risk assessments increasingly rely on Software Bill of Materials (SBOMs), yet their practical value is often tested under severe time constraints. In Mergers and Acquisitions (M&A) due diligence, Application Security (AppSec) teams are frequently required to assess large codebases and their third-party dependencies within days or weeks, where the goal is informed risk visibility rather than exhaustive remediation.

This talk presents a practitioner’s perspective on using SBOMs to prioritize software supply chain risk under tight M&A timelines. Drawing from real-world due-diligence engagements, it explores how AppSec teams analyze SBOMs to identify high-impact dependencies, assess transitive risk, and correlate vulnerability intelligence with open-source license obligations that may influence post-acquisition risk.

The session also addresses common challenges such as incomplete SBOMs, noisy vulnerability data, unclear license declarations, and limited exploit or usage context. The emphasis is on practical, risk-based prioritization techniques and legal-safe framing of findings.

Attendees will leave with practical guidance on using SBOMs as a decision-support mechanism, rather than just as compliance artifacts.