Last week, the Linux Foundation published “The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness.” The report, based on surveys conducted during the third quarter of 2021, contains valuable data on how and why organizations are generating SBOMs.
Respondents were asked about various SBOM-related topics, including attitudes toward open-source software, the impact of the Biden Administration’s Cybersecurity Executive Order, activities for securing the software supply chain, and more.
The report presents findings from 412 organizations globally. These included businesses of all sizes (ranging from a few employees to over 15,000) and spanning various industries. (25% of participating organizations were in the IT industry, 12% automotive, 11% healthcare, and 7% manufacturing, among others.)
In this blog, we’ll explore six key takeaways from the report, including approaches to supply chain security, SBOM benefits, and more.

1. The Cybersecurity Executive Order Has Made an Impact
In May 2021, the Biden Administration released its Executive Order on Improving the Nation’s Cybersecurity, which requires organizations that sell software to the U.S. federal government to produce an SBOM accompanying every product.
While the SBOM requirement applies to only a percentage of the world’s businesses, it’s had a broad impact. According to the report, over 80% of survey respondents were aware of the executive order, and 77% were considering changes as a result. The report concludes that the executive order has been largely successful in achieving several of its key objectives.
“The high level of awareness (of the executive order) combined with the 77% who were considering changes (as a result of it) suggest that the executive order is achieving its intended results, which is to drive improvement in cybersecurity across the public and private sectors.”
2. Software Supply Chain Security Requires Multiple Solutions
The Linux Foundation report addressed a pressing issue for security and development teams: how to secure the software supply chain. Survey respondents were asked to list initiatives that played a critical role in supply chain security.
Their responses reflected a core truth: A comprehensive, team-wide effort that combines processes and tooling is necessary to best protect modern software supply chains.
Specifically, respondents listed these as “key activities for securing the software supply chain”:
- Vulnerability reporting system that is low touch and can scale
- SBOMs
- Required use of two-factor authentication by developers and releasers
- Development of memory-safe applications using memory-safe programming languages
- Globally unique identification of specific software products
Other responses included static and dynamic application security tools (such as software composition analysis), peer review of source code, the use of cryptographic signatures, and verification through the use of reproducible builds.
3. Security Isn’t the Only SBOM Benefit
While visibility into software supply chain threats is an important use case for a software bill of materials, it’s not the only one. SBOMs also document the relationship between various software components, open-source license data, package provenance, and more; this information equips companies with actionable data to support various initiatives.
Survey respondents cited several benefits to both generating and consuming a software bill of materials. Reported benefits of generating an SBOM included:
- 51% said producing SBOMs helps developers understand dependencies across components in an application
- 49% said SBOMs make it easier to monitor components for vulnerabilities
- 44% said generating SBOMs helps with OSS license compliance management
Reported benefits of consuming an SBOM included:
- 53% of respondents said that SBOMs help address reporting and compliance requirements
- 53% also said that SBOMs improve risk-based decision-making
- 49% said that vulnerability reporting in SBOMs helps organizations understand security exposure more quickly
4. It's Still Early in the SBOM Journey
Although the Linux Foundation survey made clear that SBOM awareness is on the rise, it also highlighted that many organizations are still early in their SBOM journeys.
For example, only 46% of respondents said their organizations were currently consuming SBOMs. Another 42% planned to start consuming SBOMs in the next 6-24 months.
The survey also revealed areas where respondents lack clarity about the future of SBOMs. 40% of respondents were “unclear” about industry commitment to SBOMs, while 39% questioned whether there was consensus on what an SBOM should contain.
It's no surprise then that a majority of respondents agreed that a stronger industry consensus would address these concerns. Specifically:
- 62% of respondents wanted better industry consensus on integrating SBOMs into DevOps processes
- 58% wanted stronger consensus on integrating SBOMs into risk and compliance processes
- 53% wanted consensus on how SBOMs will continue to improve and evolve
5. Machine-Readability and Dependency Depth Are Top SBOM Needs
Survey respondents were questioned about their top “SBOM needs” — elements and processes viewed as mission-critical parts of an effective SBOM program. This included topics like dependency depth, delivery formats, and generation frequency.
Respondents were given three possible answers for each question in this section. The most common responses included:
Machine-Readability: The most popular response was that SBOMs should be generated in a “baseline” machine-readable format such as SPDX or CycloneDX.
Dependency Depth: The consensus was that SBOMs should list all primary components with all transitive dependencies and known unknowns.
Frequency: The preference was for new SBOMs to be generated upon every code update or change.
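The three needs above (a machine-readable baseline, full transitive depth, and known unknowns) can be checked mechanically once an SBOM is in a standard format. The script below is an added example, not code from the report or from FOSSA: it audits a constructed CycloneDX 1.4 JSON document, assuming the NTIA minimum-element fields map to CycloneDX `name`, `version`, `supplier` and `purl`, and treating a component with no entry in the `dependencies` array as one whose own dependencies are unresolved.

```python
"""Audit a CycloneDX JSON SBOM for baseline fields, dependency depth and known unknowns."""
import json
from collections import deque

# Constructed sample (not from the report): app -> web -> (json, crypto).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"timestamp": "2021-10-01T00:00:00Z",
                 "component": {"bom-ref": "app", "name": "app", "version": "1.0"}},
    "components": [
        {"bom-ref": "web", "name": "web", "version": "2.1",
         "purl": "pkg:pypi/web@2.1", "supplier": {"name": "Web Org"}},
        {"bom-ref": "json", "name": "json", "version": "3.0",
         "purl": "pkg:pypi/json@3.0", "supplier": {"name": "JSON Org"}},
        {"bom-ref": "crypto", "name": "crypto", "version": "0.9"},  # no purl, no supplier
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["web"]},
        {"ref": "web", "dependsOn": ["json", "crypto"]},
        {"ref": "json", "dependsOn": []},  # declared leaf: known to have no dependencies
        # "crypto" has no entry: its dependencies are unknown (a known unknown)
    ],
})

# Assumed mapping of the NTIA minimum per-component elements onto CycloneDX fields.
REQUIRED = ("name", "version", "supplier", "purl")

def missing_baseline_fields(sbom):
    """Return {bom-ref: [missing fields]} for components lacking baseline data."""
    gaps = {}
    for c in sbom.get("components", []):
        missing = [f for f in REQUIRED if not c.get(f)]
        if missing:
            gaps[c["bom-ref"]] = missing
    return gaps

def dependency_depth(sbom):
    """Breadth-first walk from the root component; returns {bom-ref: depth}."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    depth, queue = {root: 0}, deque([root])
    while queue:
        node = queue.popleft()
        for child in edges.get(node, []):
            if child not in depth:
                depth[child] = depth[node] + 1
                queue.append(child)
    return depth

def known_unknowns(sbom):
    """Components absent from the dependency graph: their transitive deps are unresolved."""
    declared = {d["ref"] for d in sbom.get("dependencies", [])}
    return sorted(c["bom-ref"] for c in sbom.get("components", []) if c["bom-ref"] not in declared)

def audit(sbom_json):
    sbom = json.loads(sbom_json)
    return {"missing": missing_baseline_fields(sbom), "depth": dependency_depth(sbom),
            "unknowns": known_unknowns(sbom)}
```

Running `audit(SAMPLE_SBOM)` flags `crypto` both for missing supplier and identifier data and as a known unknown, and reports a maximum declared depth of 2.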
6. Open Source Is Everywhere
A variety of recent reports have highlighted the ubiquitous nature of open-source software in modern application development. The Linux Foundation survey is similar, revealing that a staggering 98% of survey respondents said their organizations used at least some open source.
40% of respondents noted that their organizations placed certain conditions on the use of open source. The most commonly cited conditions were verifying code performance, code security, and support for the code.
The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness: The Bottom Line
The Linux Foundation’s report on SBOMs and cybersecurity readiness includes new research on the Biden Administration’s Cybersecurity Executive Order, attitudes toward SBOMs, activities essential for supply chain security, and more. Overall, the results are encouraging: it’s clear organizations continue to prioritize software supply chain security, and many view SBOMs as an important ongoing or planned initiative.
However, there’s room for improvement, particularly in creating and adopting industry-wide standards governing SBOM specifics (above and beyond the NTIA’s “Minimum Required Elements of a Software Bill of Materials”).
A Final Note
If your organization seeks support on its SBOM journey, FOSSA can help. The Forrester Wave recently awarded us the highest possible score in its SBOM criteria, and numerous companies globally use our solutions to generate and maintain up-to-date, accurate SBOMs. Please contact our team for more information.