Supply chain worries drive adoption of SBOMs

Concerns around supply chain security, partly driven by President Biden's Executive Order on Improving the US' Cybersecurity, are leading to increased adoption of software bills of materials (SBOM).

Research from Sonatype, which surveyed over 200 IT directors in the US and UK at businesses with over $50 million in revenue, finds that 76 percent of enterprises have adopted SBOMs since the order's introduction.

Another 16 percent plan to implement SBOMs within the next year, showing increasing recognition of the correlation between open source hygiene and cybersecurity posture. Of the three-quarters of companies with SBOMs in place, only four percent adopted them over three years ago, demonstrating how much practices have evolved since the order.

SBOMs are also becoming a key procurement requirement. Some 60 percent of respondents currently mandate that the businesses they work with maintain an SBOM and 37 percent say they will do so in the future, suggesting proper software hygiene is becoming increasingly tied to commercial opportunities.

"While it's good to finally see widespread adoption of SBOMs, it's equally concerning to see nearly a quarter have yet to implement them," says Brian Fox, CTO and co-founder at Sonatype. "It echoes our research findings last year showing many organizations are a lot farther behind on software supply chain management than they think they are. SBOMs are just 'step one' to cyber resilience -- there's a whole lot more that comes after that list of ingredients if you want to achieve good software hygiene, like investing in tools for software composition analysis. If you're not at that first step yet, you're going to fall behind."

Respondents are increasingly investing in other technologies to improve software supply chain management too. These include vulnerability scanning (30 percent), software composition analysis (24 percent), supply chain automation (23 percent), threat intelligence (22 percent), and bug bounty programs (20 percent). The regulation has also fueled investment in skills and operations like employee training and awareness (26 percent), recruiting developer talent (21 percent), and processes to assess supply chain risks (24 percent).

But despite SBOMs' contribution to good software hygiene, some companies still lag behind. Of the 24 percent of respondents yet to adopt SBOMs, 49 percent attribute this to being unsure how to implement them; 47 percent are unsure of their benefits; 43 percent have cost concerns; and 32 percent lack team resources, underscoring how the global cybersecurity skills shortage is hampering defense strategies.

You can find out more on the Sonatype site.

Image credit: Momius/depositphotos.com


© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.