5 Key Insights from the Latest SBOM Adoption Research

January 26, 2024

The landscape of software supply chains is getting more intricate, bringing heightened security and compliance risks. To address these risks, one effective strategy is the utilization of Software Bills of Materials (SBOMs). SBOMs are comprehensive lists detailing the components constituting a software product. They play a crucial role in enabling organizations to monitor and oversee their software dependencies.

Despite the recognized benefits, the adoption of SBOMs has been slower than expected.

Researchers from Northwave Cyber Security and TU Delft in the Netherlands have tackled the issue of SBOM adoption from a business stakeholder’s standpoint. In their recently published paper, "Charting the Path to SBOM Adoption: A Business Stakeholder-Centric Approach," the team of researchers (Berend Kloeg and Sjoerd Pellegrom from Northwave Cyber Security and Aaron Yi Dang and Yury Zhauniarovich from TU Delft) revealed fresh concerns and insights regarding SBOM adoption.

Figure: SBOM Adoption SWOT from the Research

You can read the entire report here.

Here is what we found very interesting:

1. Top Business Risk: Compromised Component and Slow Response

Unsurprisingly, compromised components and slow responses to vulnerabilities are recognized as the primary business risks. These have been the driving factors for SBOM adoption thus far.

50% of business-to-business (B2B) entities and 67% of Software Integrators (SI) acknowledged it as a significant concern. What caught our attention was that no Software Vendors (SV) mentioned compromised components as a supply chain risk.

This highlights that the impetus for software supply chain risk management predominantly comes from the software consumers as opposed to software vendors.

However, the focus from Software Integrators (SI) instills optimism that the integration of SBOMs into procurement practices might be closer than expected.

2. Top Developer Concern: Lack of Knowledge

Initially, this insight may appear counterintuitive. The research reveals that 100% of Developer personas (“DEV”) identify the lack of knowledge and expertise as the primary hurdle toward adoption, with 67% of Software Integrators (“SI”) and 69% of all respondents concurring.

At first glance, this might seem perplexing, given the abundance of resources and tools available from CISA and open-source communities, coupled with sustained practitioner interest evident from Google Trends data on SBOM.

Figure: Google Search Trend on SBOM

Nevertheless, the paper provides a plausible explanation. Only 50% of Business-to-business customers (B2B) and Software Vendors (SV) identify a lack of knowledge as the primary adoption concern. Despite the availability of easily accessible resources, the business side has outpaced the developer community in terms of SBOM knowledge and its implications. Developers are still struggling to articulate a clear benefit, resulting in a reluctance to explore the available resources.

3. Top Business Concern: SBOM Quality

The primary obstacle to SBOM adoption is seen as the limited usefulness of SBOMs due to their quality, which is closely linked to the lack of knowledge.

A whopping 100% of Business-to-business customers (B2B) and 80% of developers (DEV) are in agreement that the quality of SBOM is a significant concern.

This has been a key focus for Interlynk since our beginning, and we’re committed to making strides in this area. We’re actively enhancing SBOM quality through open-source tools and incentives and leveraging AI-based commercial offerings for SBOM improvement.

4. Key Developer Concern: Vulnerability Misclassification

The misclassification of vulnerabilities, with both False Positives and False Negatives, emerges as a significant concern hindering adoption, particularly among developers.

Despite recent advancements in specifications that address this, such as VEX, 60% of the surveyed developers concur that the extent and accuracy of vulnerability information derived from SBOMs could pose a substantial hurdle to widespread adoption.

5. Top Business Benefit: Transparency and Vulnerability Management

According to the respondents, enhancing vulnerability management throughout the supply chain and gaining transparency into the software supply chain emerged as the top two business benefits. As anticipated, all business-to-business personas unanimously agree that vulnerability management across the supply chain will see improvement, while all software integrators cite transparency as a key benefit. Developers show equal interest, with 80% acknowledging the significance of both benefits.

Here are some additional key insights from the paper:

  • System integrators and software vendors stand out as the most likely stakeholders to adopt SBOMs.
  • On the flip side, B2B customers and individual developers are the least likely stakeholders to embrace SBOMs.
  • A significant barrier revolves around the lack of clear benefits and concerns associated with SBOM adoption.
  • Further research is deemed necessary for developing standards and tools for SBOM creation and consumption.
  • The paper concludes that SBOM adoption is still in its early stages, but there is growing interest from all stakeholder groups. The authors recommend that policymakers, industry leaders, and tool vendors work together to address the challenges of SBOM adoption and make SBOMs a more widely used tool for software security.

Interlynk simplifies security disclosure, makes it straightforward, and automates the process. Feel free to contact us at hello@interlynk.io

We want to thank Yury Zhauniarovich for sharing the research and for the permission to publish our insights about the research.

Reference: https://zhauniarovich.com/publication/2024/kloeg2024charting/