At FOSDEM 2026, I presented Deutsche Bahn’s journey from operational need to concrete implementation of large-scale SBOM collection and use. The scale is staggering: approximately 500,000 SBOMs across our software supply chain expected, covering 7,000+ IT applications, 100,000+ Open Source components, and diverse sourcing streams from software we build ourselves to what we buy and operate. The talk focused on how we moved from understanding that “we need to know, in real-time, which exact component is used where and how” to actually making this happen in an organization with 220,000+ employees and hundreds of subsidiaries.
At FOSDEM 2026, I presented Deutsche Bahn’s software supply chain strategy in the context of the EU Cyber Resilience Act (CRA), but made clear from the start that CRA was the context, not the trigger. We didn’t adopt SBOMs because of regulation – regulation validated the direction we were already taking based on operational needs. The presentation positioned our work at the intersection of CRA compliance requirements, IT operation best practices, and the practical realities of running IT infrastructure for an organization with 220,000+ employees, 7,000+ IT applications, and 100,000+ Open Source components.
At FOSS Backstage 2025 in Berlin, I explored a critical challenge facing OSPOs and development teams: as we increase analysis of our software supply chains, tools and scorecards reveal potential risks in Open Source projects like low maintenance, lack of community, or poor security practices. But this data alone doesn’t help if it merely points out potential problems without offering solutions. The question is: how should we handle this burden of knowledge? Through manual reviews? Questionnaires? Funding? Or should we look away?
I have been invited to talk about Software Bills of Materials (SBOM) in SAP’s Open Source Way Podcast, hosted by Karsten Hohage and with SAP’s Sebastian Wolf as co-guest. We had an interesting conversation about the growing importance of SBOMs in the software industry and their role within Deutsche Bahn. We also discussed the limits of SBOMs and how they can be complemented with other approaches to better understand and manage risks.
At OSPOlogy Live Frankfurt in October 2023, I gave an introduction to Software Bills of Materials (SBOMs) for the OSPO community. Everyone had heard of SBOMs by then – they seemed ubiquitous, with shiny tools sprouting up everywhere. But what were they actually all about? What were the real use cases? And what often caused practical applications to fail? This talk aimed to provide a common understanding without the marketing-speak.
At Upstream 2023, I participated in a fireside chat with Luis Villa (Tidelift) and my colleague Erik Schaufuss exploring the fascinating intersection between Software Bills of Materials (SBOMs) and Hardware Bills of Materials (HBOMs) within Deutsche Bahn’s complex supply chain. As Germany’s national railway company with hundreds of federated subsidiaries, we face unique challenges in managing both rolling stock hardware and the increasingly software-driven assets within trains. The discussion centered on how learnings from the software supply chain transparency movement – particularly around standards like CycloneDX – can inform and improve hardware supply chain management.
Im Librezoom-Podcast LZ20 mit dem Host Ralf Hersel gab ich ein Interview zur Frage, ob mehr Freiheit zu mehr Sicherheit führt – ein scheinbares Paradoxon in der IT-Sicherheitsdebatte. Viele Menschen assoziieren Sicherheit mit Kontrolle und Einschränkungen, während Freie und Open Source Software auf Offenheit setzt. In diesem Gespräch ging ich der Frage nach, warum diese scheinbare Dichotomie in der Realität keine ist und wie Freie Software tatsächlich fundamentale Voraussetzungen für echte IT-Sicherheit schafft.
Beim Winterkongress der Digitalen Gesellschaft Schweiz hielt ich einen Vortrag über den fundamentalen Zusammenhang zwischen IT-Sicherheit und Freier Software/Open Source. Die Kernthese war provokant formuliert, aber technisch begründet: Echte IT-Sicherheit ist ohne Freie Software nicht möglich. In einer Zeit, in der Cybersecurity zunehmend als kritisches Thema für Gesellschaft, Wirtschaft und Staat wahrgenommen wurde, argumentierte ich, dass proprietäre Software strukturelle Sicherheitsprobleme mit sich bringt, die nicht einfach durch bessere Praktiken gelöst werden können.
At BalCCon 2019 in Novi Sad, Serbia, I delivered a talk arguing that real IT security is fundamentally impossible without Free and Open Source Software. BalCCon (Balkan Computer Congress) brings together security researchers, hackers, and technology enthusiasts from across the Balkans and beyond, making it a perfect audience for examining the deep connections between software freedom and security. The talk challenged the common assumption that security and openness are somehow in tension, arguing instead that transparency is a prerequisite for trustworthy security.