Last week, the Linux Foundation published “The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness.” The report, which is based on surveys conducted during the third quarter of 2021, contains a treasure trove of data on how and why organizations are generating a software bill of materials
Respondents were asked about a variety of SBOM-related topics, including attitudes toward open source software, the impact of the Biden Administration’s Cybersecurity Executive Order, activities for securing the software supply chain, and more.
The report presents findings from 412 organizations across the globe. Businesses of all sizes (ranging from a few employees to over 15,000) were represented, as were a variety of industries. (25% of participating organizations were in the IT industry, 12% automotive, 11% healthcare, and 7% manufacturing, to name a few.)
In this blog, we’ll explore six key takeaways from the report, including approaches to supply chain security, SBOM benefits, and more.
1. The Cybersecurity Executive Order Has Made an Impact
In May 2021, the Biden Administration released its Executive Order on Improving America’s Cybersecurity. One of the executive order’s key provisions mandated organizations selling into the U.S. federal government to produce an SBOM to accompany all products.
But while the SBOM requirement applies to only a percentage of the world’s businesses, it’s had a relatively broad impact. Per the report, over 80% of survey respondents were aware of the executive order, and 77% were considering changes as a result of it. Based on these findings, the report concludes that the executive order has been largely successful in achieving several of its key objectives.
“The high level of awareness (of the executive order) combined with the 77% who were considering changes (as a result of it) suggest that the executive order is achieving its intended results, which is to drive improvement in cybersecurity across the public and private sectors."
2. Software Supply Chain Security Requires Multiple Solutions
The Linux Foundation report addressed one of the pressing issues facing security and development teams today: how to secure the software supply chain. Survey respondents were asked to list initiatives that played a critical role in supply chain security.
Their responses reflected a core truth: A comprehensive, team-wide effort that combines processes and tooling is necessary to best protect modern software supply chains.
Specifically, respondents listed the following as “key activities for securing the software supply chain”:
- Vulnerability reporting system that is low touch and can scale
- Required use of two-factor authentication by developers and releasers
- Development of memory-safe applications using memory-safe programming languages
- Globally unique identification of specific software products
Other responses included static and dynamic application security tools (such as software composition analysis), peer review of source code, the use of cryptographic signatures, and verification through the use of reproducible builds.
3. Security isn’t the Only SBOM Benefit
While visibility into software supply chain threats is an important use case for a software bill of materials, it’s not the only one. SBOMs also document the relationship between various software components, open source license data, package provenance, and more; this information equips companies with actionable data to support a variety of initiatives.
Survey respondents cited several benefits to both generating and consuming a software bill of materials. Reported benefits of generating an SBOM included:
- 51% said producing SBOMs help developers understand dependencies across components in an application
- 49% said SBOMs make it is easier to monitor components for vulnerabilities
- 44% said generating SBOMs help with OSS license compliance management
Reported benefits of consuming an SBOM included:
- 53% of respondents said that SBOMs help address reporting and compliance requirements
- 53% also said that SBOMs improve risk-based decision-making
- 49% said that vulnerability reporting in SBOMs helps organizations understand security exposure more quickly
4. It's Still Early in the SBOM Journey
Although the Linux Foundation survey made clear that SBOM awareness is on the rise, it also shed light on the fact that many organizations are still early in their SBOM journeys.
For example, only 46% of respondents said their organizations were currently consuming SBOMs. Another 42% said their organizations planned to start consuming SBOMs in the next 6-24 months.
The survey also revealed several areas where respondents lack clarity about the future of SBOMs. 40% of respondents said they were “unclear” about industry commitment to SBOMs, while 39% questioned whether there was a consensus around what, exactly, an SBOM should contain.
It’s no surprise, then, that a majority of respondents agreed that a stronger industry consensus would address these concerns. Specifically:
- 62% of respondents wanted better industry consensus on integrating SBOMs into DevOps processes
- 58% wanted stronger consensus on integrating SBOMs into risk and compliance processes
- 53% wanted consensus on how SBOMs will continue to improve and evolve
5. Machine-Readability and Dependency Depth Are Top SBOM Needs
Survey respondents were asked about their top “SBOM needs” — elements and processes viewed as mission-critical parts of an effective SBOM program. This included topics like dependency depth, delivery formats, and generation frequency.
Respondents were given three possible answers for each question in this section. Below are the most common responses for several topics.
Machine-Readability: The most popular response was that SBOMs should be generated in a "baseline" machine-readable format such as SPDX, CycloneDX, or SWID Tag. (For reference: The second possible answer was that SBOMs should be generated in "all" machine-readable formats. The third was that a simple CSV would suffice.)
Dependency Depth: The most popular response was that SBOMs should list all primary components with all transitive dependencies and known unknowns. (For reference: The second possible answer was that SBOMs should list all primary components and all transitive dependencies, with no known unknowns. The third was that primary components with direct dependencies and known unknowns would suffice.)
Frequency: The most popular response was that new SBOMs should be generated upon every code update or change. (The second possible answer was that new SBOMs should be generated upon every code update or change and that old versions should be archived for reference. The third was that SBOMs only need to be generated at the time of purchase/upon request.)
6. Open Source is Everywhere
A variety of recent reports have highlighted the ubiquitous nature of open source software in modern application development, and the Linux Foundation survey is no different. Still, the specific numbers in the “The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness” were somewhat eye-opening. A staggering 98% of survey respondents said their organizations used at least some open source.
40% of respondents said that their organizations did assign certain conditions to the use of open source. The most commonly cited conditions were verifying code performance, verifying code security, and verifying support for the code.
The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness: The Bottom Line
The Linux Foundation’s report on SBOMs and cybersecurity readiness includes new research on the impact of the Biden Administration’s Cybersecurity Executive Order, attitudes toward SBOMs, activities paramount to supply chain security, and more. Overall, the results are encouraging: it’s clear organizations are continuing to prioritize software supply chain security, and many view SBOMs as an important ongoing or planned initiative.
Yet, it’s also apparent that there’s plenty of room for improvement, especially in the creation and adoption of industry-wide standards governing SBOM specifics (above and beyond the NTIA’s “Minimum Required Elements of a Software Bill of Materials”).
A Final Note
If your organization is looking for support on its SBOM journey, FOSSA can help. The Forrester Wave recently awarded us the highest possible score in its SBOM criteria, and numerous companies across the globe use our solutions to generate and maintain up-to-date, accurate SBOMs. Please contact our team for more information.