Webinar: From SBOMs to Decisions: Prioritizing Supply Chain Risk in Time-Bound M&A Reviews – Prashanth Chandrasekar (English)

Software supply chain risk assessments increasingly rely on Software Bill of Materials (SBOMs), yet their practical value is often tested under severe time constraints. In Mergers and Acquisitions (M&A) due diligence, Application Security (AppSec) teams are frequently required to assess large codebases and their third-party dependencies within days or weeks, where the goal is informed risk visibility rather than exhaustive remediation. This talk presents a practitioner’s perspective on using SBOMs to prioritize software supply chain risk under tight M&A timelines. Drawing from real-world due-diligence engagements, it explores how AppSec teams analyze SBOMs to identify high-impact dependencies, assess transitive risk, and correlate vulnerability intelligence with open-source license obligations that may influence post-acquisition risk. The session also addresses common challenges such as incomplete SBOMs, noisy vulnerability data, unclear license declarations, and limited exploit or usage context. The emphasis is on practical, risk-based prioritization techniques and legal-safe framing of findings.
