The Software Bill of Materials (SBOM) is a list of components that can be used to identify any documented vulnerability associated with the enumerated dependencies. Analogies have been made to safety, as with materials safety data sheets, or with allergens listed in general nutrition labels. How can such a simple document play a role in securing the software supply chain? We argue that SBOMs have the potential to significantly resolve the security lemons problem. I introduce the SBOM and illustrate how it can be used to support decision-making in procurement and in code development. I frame this argument using summaries of empirical results; first showing that information in SBOMs aligns with purchaser interest. Second, we illustrate that SBOM contains data that purchasers of software find important. This implies that developers may have an incentive to use SBOMs to create more secure code. Third, we step back and discuss consumer preferences. If the lemons market were resolved, would consumers pay for security? We close with a quick summary of results showing that security-aware consumers will pay more for security in this case leveraging the U.S. Cyber Trust mark.

Japan AI Safety Institute(J-AISI) is an organization to study and promote evaluation methods and standards for AI safety in order to realize safe, secure, and reliable AI. To ensure AI safety, it is considered important to address security measures in adversarial manners. J-AISI has issued a red teaming guide with a risk-based methodology and countermeasures incorporating different perspectives of a wide range of stakeholders such as attackers and defenders. Summary of the guide will be introduced with a sample practice as an example.