Risk-First: Stars of Software #7 - Viktor Petersson
Viktor Petersson: SBOMs, Supply Chains, and the Reality of Software Transparency
In this episode of Risk-First: Stars of Software, Rob Moffat talks with Viktor Petersson, founder of SBOMify and co-founder and CEO of Screenly.
Viktor has spent years building real-world systems at the intersection of hardware, cloud, and security—from early Raspberry Pi-based digital signage through to globally deployed platforms used by organisations like NASA and Capital One. More recently, he’s focused on one of the most talked-about—and misunderstood—areas in modern software: Software Bills of Materials (SBOMs).
The conversation explores why SBOMs have suddenly become a regulatory and industry focus, whether they actually solve the problems they claim to, and what it really means to understand what’s inside the software we run.
Along the way, Rob and Viktor dive into:
- What an SBOM actually is—and why it’s often misunderstood as just “a file”
- Why software supply chain transparency is much harder than it sounds
- The gap between regulatory intent and engineering reality
- Why generating SBOMs is easy—but making them useful is not
- The problem of incomplete, inaccurate, or outdated dependency data
- How transitive dependencies create hidden and compounding risk
- Why most organisations don’t actually know what’s in their software
- The difference between compliance-driven SBOMs and operationally useful ones
- Why “perfect visibility” is probably unattainable—and what to do instead
- How SBOMs intersect with vulnerability management and incident response
- The role of tooling, automation, and standards in making SBOMs usable
- Whether SBOMs reduce risk—or just make it more visible
- How supply chain security is evolving alongside AI-generated code
sbomify
https://sbomify.com
Platform focused on generating, managing, and operationalising Software Bills of Materials.
Screenly
https://www.screenly.io
Digital signage platform originally built on Raspberry Pi, now deployed globally across enterprise environments.
Software Bill of Materials (SBOM)
A structured representation of the components, libraries, and dependencies that make up a piece of software.
Software Supply Chain Risk
Risks arising from dependencies on external code, including vulnerabilities, maintainership gaps, and compromised packages.
Transitive Dependencies
Dependencies of dependencies, which often introduce hidden complexity and risk.
SBOM Accuracy & Freshness Problem
The challenge of keeping SBOMs up to date and reflective of real-world deployed systems.
Compliance vs Operational Security
The difference between producing artefacts to satisfy regulators and actually improving security posture.
Vulnerability Management Integration
Using SBOMs as input into processes that identify, prioritise, and remediate security vulnerabilities.
AI-Generated Code Risk
The increasing difficulty of understanding software composition as AI accelerates code generation and reuse.
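To make the "Transitive Dependencies" and "Vulnerability Management Integration" entries concrete, here is an added example (not code from the episode, sbomify or Screenly) that walks a constructed CycloneDX-style SBOM: it traces the path from the top-level application to every component matching a list of known-affected versions, so a direct dependency and a dependency three levels deep are both surfaced, and it flags dependency references with no matching component entry, the kind of incomplete data the episode discusses. The SBOM content, the component names and the affected-version list are all constructed for illustration.

```python
import json
from collections import deque

# Constructed SBOM in CycloneDX JSON shape (assumed layout: "components" with
# "bom-ref"/"name"/"version", plus a "dependencies" graph of ref -> dependsOn).
# "zlib-ref" is deliberately referenced but never declared, to model a gap.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "signage-app", "version": "2.4.0"}},
    "components": [
        {"type": "library", "bom-ref": "web", "name": "webframework", "version": "3.1.0"},
        {"type": "library", "bom-ref": "http", "name": "httpclient", "version": "1.9.2"},
        {"type": "library", "bom-ref": "tls", "name": "tlslib", "version": "0.8.5"},
        {"type": "library", "bom-ref": "log", "name": "logger", "version": "4.0.1"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["web", "log"]},
        {"ref": "web", "dependsOn": ["http"]},
        {"ref": "http", "dependsOn": ["tls", "zlib-ref"]},
        {"ref": "tls", "dependsOn": []},
        {"ref": "log", "dependsOn": []},
    ],
})

# Constructed stand-in for an advisory feed: (name, affected version) pairs.
KNOWN_AFFECTED = {("tlslib", "0.8.5"), ("logger", "4.0.1")}

def load_graph(sbom_json):
    """Return (root ref, {ref: (name, version)}, {ref: [dependsOn refs]})."""
    bom = json.loads(sbom_json)
    root = bom["metadata"]["component"]
    comps = {c["bom-ref"]: (c["name"], c["version"]) for c in bom["components"]}
    comps[root["bom-ref"]] = (root["name"], root["version"])
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom["dependencies"]}
    return root["bom-ref"], comps, graph

def dangling_refs(sbom_json):
    """Refs used in the dependency graph that have no component entry (incomplete SBOM)."""
    _, comps, graph = load_graph(sbom_json)
    used = set(graph) | {d for deps in graph.values() for d in deps}
    return used - set(comps)

def exposure_paths(sbom_json, affected):
    """Breadth-first walk from the root; map each affected ref to its path of refs.
    Path length - 1 is the dependency depth, so depth > 1 means transitive exposure."""
    root, comps, graph = load_graph(sbom_json)
    paths, seen, queue = {}, {root}, deque([(root, [root])])
    while queue:
        ref, path = queue.popleft()
        for dep in graph.get(ref, []):
            if dep in seen:
                continue
            seen.add(dep)
            if comps.get(dep) in affected:   # unknown refs never match
                paths[dep] = path + [dep]
            queue.append((dep, path + [dep]))
    return paths
```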