Getting Real with the Supply Chain: From SBOM Data to Action

Date:

17 March 2026

Type:

Presentation

Tags:

OSPO SupplyChain DeutscheBahn

RSS Feed:

Cornelius Schumacher and Max Mehl giving the presentation at FOSS Backstage 2026. It's a total view of the auditorium from the back, with the two speakers on stage and the final slide in the background.

Watch Recording View Slides FOSS Backstage 2026

At DB, we handle 100,000+ SBOMs per day. For our small, virtual Open Source Program Office (OSPO), the challenge is not to get lost in the data, but to cut through the jungle and identify real risks. Together with my OSPO colleague Cornelius Schumacher, I presented this challenge at the FOSS Backstage conference in Berlin. We explained how we gather data, generate insights, and take action.

This talk was partly inspired by my earlier FOSDEM talks (here and there), where I focused on DB’s SBOM program and its tools. In this presentation, however, we highlighted what can be learned from it for professional Open Source management.

One topic stood out throughout the presentation: the need for an OSPO to balance between people, value, and risk. None of these should dominate, even though governance functions often tend to focus on risk. Instead, Cornelius and I advocated for a risk-based approach to managing Open Source.

Comments

Comments are only visible with JavaScript enabled. They are dynamically loaded from Mastodon. The code to display the comments is Free Software and completely transparent.

Getting Real with the Supply Chain: From SBOM Data to Action

Related Posts

25 March 2026

Software-Lieferketten bei der Deutschen Bahn

1 February 2026

Deutsche Bahn’s Approach to Large-Scale SBOM Collection and Use

31 January 2026

Software Supply Chain Strategy at Deutsche Bahn

Comments