The landscape of software supply chains is getting more intricate, bringing heightened security and compliance risks. To address these risks, one effective strategy is the utilization of Software Bills of Materials (SBOMs). SBOMs are comprehensive lists detailing the components constituting a software product. They play a crucial role in enabling organizations to monitor and oversee their software dependencies.
Despite the recognized benefits, the adoption of SBOMs has been slower than expected.
Researchers from Northwave Cyber Security and TU Delft in the Netherlands have tackled the issue of SBOM adoption from a business stakeholder’s standpoint. In their recently published paper, Charting the Path to SBOM Adoption: A Business Stakeholder-Centric Approach, the team of researchers — Berend Kloeg and Sjoerd Pellegrom from Northwave Cyber Security and Aaron Yi Ding and Yury Zhauniarovich from TU Delft — revealed fresh concerns and insights regarding SBOM adoption.
You can read the entire report here.
Here is what we found very interesting:
Unsurprisingly, compromised components and slow responses to vulnerabilities are recognized as the primary business risks. These have been the driving factors for SBOM adoption thus far.
50% of business-to-business (B2B) entities and 67% of Software Integrators (SI) acknowledged it as a significant concern. What caught our attention was the lack of any Software Vendors (SV) mentions regarding compromised components as a supply chain risk.
This highlights that the impetus for software supply chain risk management predominantly comes from the software consumers as opposed to software vendors.
However, focus from the Software Integrators (SI) instills optimism that the integration of SBOM as a part of procurement practices might be closer than expected.
This insight may initially appear counterintuitive. The research reveals that 100% of Developer personas (DEV) identify the lack of knowledge and expertise as the primary hurdle toward adoption, with 67% of Software Integrators (SI) and 69% of all respondents concurring.
That is perplexing at first glance, given the abundance of resources and tools available from CISA and open-source communities, coupled with the sustained practitioner interest evident from Google Trends data on SBOM.
Nevertheless, the paper provides a plausible explanation. Only 50% of Business-to-business customers (B2B) and Software Vendors (SV) identify a lack of knowledge as the primary adoption concern. Despite the availability of easily accessible resources, the business side has outpaced the developer community in terms of SBOM knowledge and its implications. Developers are still grappling to articulate a clear benefit, resulting in a reluctance to explore the available resources.
The primary obstacle to SBOM adoption is the limited usefulness of SBOMs caused by poor SBOM quality, which is closely linked to the lack of knowledge.
A whopping 100% of Business-to-business customers (B2B) and 80% of developers (DEV) are in agreement that the quality of SBOM is a significant concern.
This has been a key focus for Interlynk since our beginning, and we’re committed to making strides in this area. We’re actively enhancing SBOM quality through open-source tools and incentives and leveraging AI-based commercial offerings for SBOM improvement.
The misclassification of vulnerabilities, with both False Positives and False Negatives, emerges as a significant concern hindering adoption, particularly among developers.
Despite recent advancements in addressing specifications like VEX, 60% of the surveyed developers concur that the extent and accuracy of vulnerability information derived from SBOM could pose a substantial hurdle to its widespread adoption.
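The two concerns above (SBOM quality, and false positives or negatives in SBOM-derived vulnerability data) are easiest to see on concrete data. The following is an added example, not code from the paper or from Interlynk: it runs a minimal completeness check over a constructed CycloneDX-style SBOM and then uses constructed CycloneDX-shaped VEX statements to separate scanner matches that still need action from those a supplier has marked not affected. The SBOM, the scanner matches, the VEX statements and the CVE-0000-000x identifiers are all constructed placeholders; the `REQUIRED_FIELDS` list is an assumed minimum, not a standard.

```python
"""Added example: SBOM completeness check plus VEX-based triage over
constructed data (not the paper's or Interlynk's code)."""
import json

# Constructed CycloneDX-style SBOM; not a real product inventory.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "bom-ref": "pkg:pypi/alpha@1.2.0",
     "name": "alpha", "version": "1.2.0", "purl": "pkg:pypi/alpha@1.2.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "bom-ref": "beta-unknown", "name": "beta"},
    {"type": "library", "bom-ref": "gamma-no-purl",
     "name": "gamma", "version": "0.9.1"}
  ]
}
"""

# Constructed scanner output; the identifiers are placeholders, not real CVEs.
SCANNER_MATCHES = [
    {"ref": "pkg:pypi/alpha@1.2.0", "id": "CVE-0000-0001"},
    {"ref": "pkg:pypi/alpha@1.2.0", "id": "CVE-0000-0002"},
    {"ref": "gamma-no-purl", "id": "CVE-0000-0003"},
]

# Constructed VEX statements in the CycloneDX "vulnerabilities" shape.
VEX_JSON = """
{
  "vulnerabilities": [
    {"id": "CVE-0000-0001",
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
     "affects": [{"ref": "pkg:pypi/alpha@1.2.0"}]},
    {"id": "CVE-0000-0003",
     "analysis": {"state": "exploitable"},
     "affects": [{"ref": "gamma-no-purl"}]}
  ]
}
"""

# Assumed minimum a consumer needs to match vulnerabilities and licences.
REQUIRED_FIELDS = ("name", "version", "purl", "licenses")

# VEX states that let a consumer set a scanner match aside.
SUPPRESSING_STATES = {"not_affected", "false_positive"}


def check_sbom_quality(sbom_text):
    """Return {bom-ref: [missing fields]} for every incomplete component.
    A component with no purl or version cannot be matched reliably, which
    is where many false positives and false negatives originate."""
    sbom = json.loads(sbom_text)
    problems = {}
    for comp in sbom.get("components", []):
        missing = [f for f in REQUIRED_FIELDS if not comp.get(f)]
        if missing:
            problems[comp.get("bom-ref") or comp.get("name")] = missing
    return problems


def load_vex(vex_text):
    """Index VEX analysis states by (vulnerability id, component ref)."""
    index = {}
    for vuln in json.loads(vex_text).get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state")
        for target in vuln.get("affects", []):
            index[(vuln["id"], target["ref"])] = state
    return index


def triage(matches, vex_index):
    """Split scanner matches into those still requiring action and those
    suppressed by a VEX statement; matches with no statement stay actionable."""
    actionable, suppressed = [], []
    for m in matches:
        state = vex_index.get((m["id"], m["ref"]), "unknown")
        entry = dict(m, vex_state=state)
        (suppressed if state in SUPPRESSING_STATES else actionable).append(entry)
    return actionable, suppressed


if __name__ == "__main__":
    print("Incomplete components:", json.dumps(check_sbom_quality(SBOM_JSON)))
    todo, done = triage(SCANNER_MATCHES, load_vex(VEX_JSON))
    print("Still actionable:", [(m["id"], m["vex_state"]) for m in todo])
    print("Suppressed by VEX:", [(m["id"], m["vex_state"]) for m in done])
```

Two design choices matter here: a match with no VEX statement at all is kept as actionable rather than silently dropped, and a `not_affected` statement only suppresses the exact (vulnerability, component) pair it names, so a supplier's claim about one component cannot hide findings on another.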
According to the respondents, enhancing vulnerability management throughout the supply chain and gaining transparency into the software supply chain emerged as the top two business benefits. As anticipated, all business-to-business personas unanimously agree that vulnerability management across the supply chain will see improvement, while all software integrators express transparency as a key benefit. Developers show equal interest, with 80% acknowledging the significance of both benefits.
Here are some additional key insights from the paper:
Interlynk simplifies security disclosure, makes it straightforward, and automates the process. Feel free to contact us at hello@interlynk.io
We want to thank Yury Zhauniarovich for sharing the research and for the permission to publish our insights about the research.
Reference: https://zhauniarovich.com/publication/2024/kloeg2024charting/