How to strengthen Supply Chain Security: Practical Exchange and Roadmap
Join an open, practitioner-focused roundtable for direct exchange on supply chain security. This session offers a concise overview of core concepts, e.g. SBOM, CSAF, and VEX and digs into the processes behind them: how to obtain, process and apply information to improve security across the supply chain.
We will examine:
- How SBOM, CSAF and VEX relate and why version-level detail matters.
- The practical value of an SBOM and why it’s increasingly required by law and IT procurement.
- How to create and consume SBOMs?
- Methods to identify dependencies in the context of vulnerabilities.
- Approaches to triage: not all vulnerabilities affect every stakeholder equally.
- Techniques to analyze vulnerabilities and identify affected products and product families.
- Sources of vulnerability information and how to map data unambiguously to products and specific software versions.
- Reporting obligations: where and how to disclose vulnerabilities.
- Tools and automation that help manage information volume and complexity.
- Technical, organizational and personnel challenges to achieving end-to-end supply chain security.
- The role of AI in supply chain security.
- How do we protect ourselves from malicious actors / infected dependencies?
- The Cyber Resilience Act (CRA): implications for companies, products and consumers, the CRA roadmap, and concrete deadlines and actions.
- We will show a live demonstration of the whole process, e.g. covering the consumption of SBOMs, vulnerability identification and assessment, creation of VEX documents.
This roundtable is designed for security practitioners, product owners, compliance officers and decision-makers who want actionable guidance and peer discussion. Expect candid conversation, real-world examples and next steps you can take to strengthen resilience across your supply chains.
Roundtable Hosts
We are delighted to welcome the following hosts, who will share their expertise and experiences throughout the roundtable.
Dina Truxius1
Dina is a natural scientist by training with high high affinity for technology and non-standard IT. In 2018, she left academia and movied into public administration, joining the Federal Office for Information Security (BSI). Dina started with medical device cybersecurity, touched aviation security and now works in the field of industrial automation and control systems. Her main responsibilities are project management, vulnerability management, standardization, disclosure processes, and legislation. She is currently seconded to the Federal Ministry for Digitalisation and State Modernisation (BMDS) to help establish and expand the Project Management Competence Center with her expertise. There she encounters a flood of dependencies and dives into the depths and of digital projects aimed at making Germany more digital, sovereign, and resilient.
Florian von Samson2
is engaged with UNIX operating systems since 1989 and with Free / Open Source Software (FOSS) since 1990; initially while achieving his master degree in electrical engineering, later both also in professional contexts. At the end of the 1990ties he also started caring about the societal, judicial and economical aspects of FOSS and conducting discussions to that, e.g. at LinuxTag. In addition to that, in the 2000s he focused on the security of and with FOSS, as well as boot chain security by Secure / Verified Boot and Trusted / Authenticated Boot. After a 5 year long, professional stint back into the depths of electromagnetic emanations, he now contributes to suitable conditions for a thriving FOSS ecosystem, to the technical aspects of digital sovereignty, and to the technical requirements for a well working SBOM ecosystem.
Michael Schuster3
Michael studied electrical engineering in Dresden before spending several years at a systems integrator in the telecommunications sector. He now works for the German Federal Office for Information Security (BSI) in market surveillance. In this role, he is involved in the implementation of the EU Cyber Resilience Act, a regulation aimed at strengthening cybersecurity across the entire lifecycle of Products with Digital Elements. He collaborates with standards bodies and working groups to help translate regulatory obligations into practical, interoperable specifications that make compliance more accessible for all stakeholders.
Stefan Fleckenstein4
After working as a software engineer and architect, cyber security became one of Stefan’s focal points, being the CISO of a software development company and being the founder of their cyber security division, advising customers on all matters relating to security. Since 2026 Stefan is the CISO of Stackable, where Stefan is responsible for leading the company to the ISO 27001 certification and the security of the product, an open source data platform. In addition to his day job, Stefan is the creator and maintainer of SecObserve, an open source vulnerability management system.
Lars Franke5
Lars Francke has been working in the Big Data space for over ten years, as a consultant, and as a committer on projects like Apache HBase and Apache Hive. In that time he’s seen firsthand how open source data stacks get deployed, maintained, and occasionally broken in production across a wide range of organizations. He is Co-Founder and CTO at Stackable, and he wants to talk about what supply chain security actually looks like when you’re operating complex, layered open source infrastructure, and where the real problems tend to hide.
- Federal Ministry for Digitalisation and State Modernisation (BMDS)↩︎
- Technical Lead for SBOMs and Digital Souverainity at German Federal Office for Information Security (BSI)↩︎
- Referat S 15 – Marktaufsicht, German Federal Office for Information Security (BSI)↩︎
- Chief Information Security Officer (CISO) at Stackable↩︎
- CTO & Co-Founder of Stackable↩︎