Software bills of materials (SBOMs) are gaining significant traction in the industry. Following an executive order from the Biden administration in May 2021, the US government now requires all federal contractors to provide SBOMs. This has led to a surge in the adoption of SBOMs, with nearly half of all companies now requiring them for any software. According to market research firm Gartner, this number is expected to reach 60% by 2025, a substantial increase from less than 5% in 2022.
Stephen Magill, vice president of product innovation at Sonatype, a software development tools firm, states that the government mandates have prompted companies to enhance their development processes and implement SBOM tools. These regulations are necessary because the industry has not fully embraced these tools, and open source software remains a significant area of risk for many organizations.
The rush to comply with the government mandate has sparked rapid evolution within the industry, as standards strive to encompass the various components used in software development. For example, the Open Web Application Security Project (OWASP) recently announced version 1.5 of its SBOM standard, CycloneDX, which now includes information on machine learning models and the quality of the SBOM.
While current SBOMs often act as simple lists of software components, the ultimate goal is to provide organizations with a way to identify and document vulnerabilities in their software. According to Thomas Pace, CEO of NetRise, an extended IoT security firm, organizations currently make decisions based on incomplete data, especially regarding devices running firmware. Once SBOMs are implemented, organizations can make data-driven decisions on the risk associated with their devices, applications, and systems.
The US government recognizes three SBOM standards that meet their minimum requirements: Software Identification (SWID) tags, the Software Package Data Exchange (SPDX), and CycloneDX. Each standard has its own nuances, but SPDX and CycloneDX have gained the most momentum. These standards enable developers and security teams to track dependencies, prioritize vulnerabilities, and make informed decisions about security and risk management.
Currently, SBOMs primarily offer visibility and awareness of software components. For example, CycloneDX SBOMs contain information on software licenses, low-code services, machine learning models, vulnerability disclosure, and annotations. Since the majority of vulnerabilities stem from indirect dependencies, rather than direct dependencies used in software creation, organizations often lack visibility into the risk associated with procured software. SBOMs aim to provide full software inventories and enhance risk management decisions.
Zach Capers, senior security analyst at Capterra, believes that SBOMs will go beyond visibility and become operationalized. Capterra’s surveys indicate that almost half of companies require SBOMs as part of their software procurement process. As SBOM adoption increases, organizations will be able to swiftly determine whether their software contains newly discovered vulnerabilities. This enhanced visibility will lead to faster response times and the implementation of appropriate security controls.
In addition to visibility and response automation, SBOMs could potentially lead to a regimen for software liability. With a comprehensive record of software components, risk measures and security controls can be linked to each SBOM, giving a liability system something concrete to attach obligations to.
Machine learning and automation are also expected to play a significant role in the future of SBOMs. When the Log4j vulnerabilities emerged and were exploited by attackers, organizations struggled to determine if they were using the vulnerable component. SBOMs can provide faster answers to such questions, allowing organizations to respond swiftly to known vulnerabilities. Automation can enable companies to implement compensating controls and detect traffic targeting specific devices based on available exploits.
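The two points above, that most vulnerable components arrive as indirect dependencies and that an SBOM should let an organization answer "are we running the affected component?" quickly, can be shown with a small dependency-graph walk over a CycloneDX document. The following is an added example, not code from the article or from any of the vendors it quotes. The SBOM is a constructed CycloneDX 1.5 JSON document for an imaginary application (all names, versions and `bom-ref` values are made up), and the `ADVISORY` record with its `introduced`/`fixed` version interval is likewise constructed for illustration rather than copied from an official advisory.

```python
"""Walk a CycloneDX SBOM and report whether a known-vulnerable component is
present, either directly or through indirect (transitive) dependencies."""
import json
from collections import deque

# Constructed CycloneDX 1.5 JSON document for an imaginary application.
# Every name, version and bom-ref below is made up for this example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "type": "application",
                               "name": "inventory-service", "version": "3.2.0"}},
    "components": [
        {"bom-ref": "pkg:maven/com.example/web-framework@5.1.0", "type": "library",
         "group": "com.example", "name": "web-framework", "version": "5.1.0"},
        {"bom-ref": "pkg:maven/com.example/logging-shim@1.4.2", "type": "library",
         "group": "com.example", "name": "logging-shim", "version": "1.4.2"},
        {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "type": "library",
         "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"bom-ref": "pkg:maven/com.example/json-utils@2.0.0", "type": "library",
         "group": "com.example", "name": "json-utils", "version": "2.0.0"},
    ],
    # CycloneDX records the dependency graph separately from the component list,
    # which is what lets us distinguish direct from indirect dependencies.
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:maven/com.example/web-framework@5.1.0",
                                     "pkg:maven/com.example/json-utils@2.0.0"]},
        {"ref": "pkg:maven/com.example/web-framework@5.1.0",
         "dependsOn": ["pkg:maven/com.example/logging-shim@1.4.2"]},
        {"ref": "pkg:maven/com.example/logging-shim@1.4.2",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
        {"ref": "pkg:maven/com.example/json-utils@2.0.0", "dependsOn": []},
    ],
})

# Constructed advisory record: which component to look for and the affected
# version interval [introduced, fixed). The range is illustrative only and is
# not copied from an official advisory.
ADVISORY = {"group": "org.apache.logging.log4j", "name": "log4j-core",
            "introduced": "2.0", "fixed": "2.15.0"}


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1); a non-numeric piece sorts below any number."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else -1)
    return tuple(parts)


def is_affected(version, advisory):
    """True when introduced <= version < fixed, compared as numeric tuples."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_vulnerable_paths(sbom_json, advisory):
    """Return dependency paths (lists of bom-refs) from the root component to
    every component matching the advisory. An empty list means 'not present'.
    Breadth-first search yields the shortest path to each affected component."""
    sbom = json.loads(sbom_json)
    components = {c["bom-ref"]: c for c in sbom.get("components", [])}
    root = sbom["metadata"]["component"]
    components[root["bom-ref"]] = root
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}

    hits, seen = [], set()
    queue = deque([[root["bom-ref"]]])
    while queue:
        path = queue.popleft()
        ref = path[-1]
        if ref in seen:          # guard against cycles and duplicate visits
            continue
        seen.add(ref)
        comp = components.get(ref, {})
        if (comp.get("group") == advisory["group"]
                and comp.get("name") == advisory["name"]
                and is_affected(comp.get("version", ""), advisory)):
            hits.append(path)
        for child in graph.get(ref, []):
            queue.append(path + [child])
    return hits


if __name__ == "__main__":
    for path in find_vulnerable_paths(SAMPLE_SBOM, ADVISORY):
        kind = "direct" if len(path) == 2 else f"indirect (depth {len(path) - 1})"
        print(f"{kind}: " + " -> ".join(path))
```

Run stand-alone, the script reports the affected library as an indirect dependency three levels below the application, which is exactly the case the article says organizations struggled with: nothing in the application's own manifest mentions the component, but the SBOM's `dependencies` graph does. The version comparison is deliberately simple (numeric dot-separated parts only); real tooling should use the version scheme implied by the package URL type, since Maven, npm and Debian versions do not compare the same way.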
Overall, SBOMs are experiencing a significant surge in adoption due to government mandates and increased awareness of software supply chain security. As the industry continues to evolve, SBOMs will provide enhanced visibility, facilitate better risk management decisions, and lead to faster response times in addressing vulnerabilities. The future of SBOMs may also include automation, machine learning, and the establishment of software liability regimens.