5 Key Insights from the Latest SBOM Adoption Research
Jan 26, 2024
Interlynk
The landscape of software supply chains is increasingly complex, leading to greater security and compliance risks. One effective way to address these challenges is through Software Bills of Materials (SBOMs): machine-readable inventories of the components that make up a software product, including their versions and, ideally, their identifiers, licenses and hashes. An SBOM gives organizations visibility into their dependencies so they can manage their software supply chain more effectively.
Despite their value, SBOM adoption is progressing slower than anticipated.
Researchers from Northwave Cyber Security and TU Delft examined SBOM adoption through a business-stakeholder lens. Their paper, Charting the Path to SBOM Adoption: A Business Stakeholder-Centric Approach, provides fresh insights into the barriers and opportunities surrounding SBOM use.
Top Business Risk: Compromised Components & Slow Vulnerability Response
Compromised components and delayed vulnerability response time are seen as the primary business risks driving SBOM adoption.
50% of B2B organizations
67% of System Integrators (SI)
…highlighted this as a major concern.
Interestingly, Software Vendors (SV) did not cite compromised components as a risk — signaling that SBOM demand is primarily driven by software consumers, not creators.
However, increasing attention from System Integrators suggests that SBOM integration into procurement workflows may come sooner than expected.
Top Developer Concern: Lack of Knowledge
A notable finding: 100% of developers (DEV) stated that a lack of knowledge and expertise is the biggest barrier to adopting SBOMs.
This is counterintuitive given the availability of:
Resources from CISA
Open-source communities like SPDX and CycloneDX
Growing public interest (as seen in Google Trends)
But the paper explains that while business teams now understand SBOM expectations better, developers struggle to see clear, direct benefits, reducing motivation to explore the available resources.
Top Business Concern: SBOM Quality
Poor SBOM quality is recognized as the major obstacle to adoption.
100% of B2B respondents
80% of developers
…pointed to SBOM quality as a significant issue.
Since an SBOM is only as useful as it is complete and accurate, improving quality is essential. Interlynk has been focusing on this via:
Open-source tooling
SBOM benchmarking incentives
AI-driven SBOM enhancement solutions
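To make "completeness" concrete, here is an added example (not Interlynk's tooling, and not code from the paper) of a minimal completeness check over a CycloneDX JSON SBOM. The document it inspects is constructed for the example: `example-app` and its three components are hypothetical, and the hash value is a placeholder, not a real digest. The check flags components that lack the fields a consumer needs to match them against vulnerability data (name, pinned version, package URL) or to audit them (licenses, hashes), and reports what the document itself is missing.

```python
"""Completeness check for a CycloneDX JSON SBOM (added example, not Interlynk tooling)."""
import json

# Fields a consumer needs per component: name/version/purl to match the component
# against vulnerability data, licenses and hashes to audit and verify it.
COMPONENT_FIELDS = ("name", "version", "purl", "licenses", "hashes")
# Version strings that carry no information and therefore count as missing.
UNPINNED = {"", "latest", "*", "unknown"}


def component_gaps(component):
    """Return the required fields that are missing or uninformative, in field order."""
    gaps = []
    for field in COMPONENT_FIELDS:
        value = component.get(field)
        if not value or (field == "version" and str(value).strip().lower() in UNPINNED):
            gaps.append(field)
    return gaps


def check_sbom(sbom):
    """Score an SBOM: which components are incomplete, and what the document itself lacks."""
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    metadata = sbom.get("metadata", {})
    # A usable SBOM says when it was produced and which product it describes.
    document_gaps = [key for key in ("timestamp", "component") if not metadata.get(key)]
    components = sbom.get("components", [])
    component_report = {}
    for component in components:
        gaps = component_gaps(component)
        if gaps:
            component_report[component.get("name", "<unnamed>")] = gaps
    complete = len(components) - len(component_report)
    return {
        "document_gaps": document_gaps,
        "total": len(components),
        "complete": complete,
        "score": round(complete / len(components), 2) if components else 0.0,
        "component_gaps": component_report,
    }


# Constructed sample SBOM (hypothetical application and placeholder hash), covering
# one complete component, one with an unpinned version and no license, and one
# that is little more than a name. The metadata has no timestamp.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "component": {"type": "application", "name": "example-app", "version": "2.3.1"}
  },
  "components": [
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}],
     "hashes": [{"alg": "SHA-256",
                 "content": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}]},
    {"type": "library", "name": "urllib3", "version": "latest",
     "purl": "pkg:pypi/urllib3",
     "hashes": [{"alg": "SHA-256",
                 "content": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}]},
    {"type": "library", "name": "left-pad"}
  ]
}
""")

REPORT = check_sbom(SAMPLE_SBOM)

if __name__ == "__main__":
    print(json.dumps(REPORT, indent=2))
```

Run against the sample, the report gives a score of 0.33: only `requests` is complete, `urllib3` fails on its unpinned version and missing license, `left-pad` lacks everything but a name, and the document itself has no timestamp. A real benchmark would add checks the sample omits, such as a dependency graph that covers every component and valid SPDX license identifiers, but the shape is the same: a component a consumer cannot identify cannot be matched to a vulnerability, which is exactly the quality problem the respondents describe.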
Key Developer Concern: Vulnerability Misclassification
Developers also worry about vulnerability misclassification — including false positives and false negatives.
Despite improvements in formats like VEX (Vulnerability Exploitability eXchange), which let a supplier state that a reported vulnerability does not affect a product, 60% of developers consider inaccurate vulnerability data a significant barrier to SBOM adoption.
Top Business Benefits: Transparency & Better Vulnerability Management
Respondents highlighted two strong SBOM benefits:
1. Improved vulnerability management across the supply chain
2. Greater transparency into software dependencies
Stakeholder-specific insights:
B2B: unanimous agreement on improved vulnerability management
System Integrators: emphasize transparency as the main value
Developers: 80% value both equally
Additional Key Findings
System Integrators and Software Vendors are the most likely early adopters.
B2B customers and individual developers are the least likely.
Many stakeholders still lack clarity on SBOM benefits and concerns.
More work is needed on standards, tools, and usability for SBOM generation and consumption.
SBOM adoption is still in its early stages, but interest is rising.
Policymakers, industry leaders, and tool vendors must collaborate to accelerate adoption.
How Interlynk Helps
Interlynk streamlines and automates security disclosures using open-source tooling and AI-powered solutions to improve SBOM quality and enhance vulnerability insights.
📩 For more information: hello@interlynk.io
Acknowledgment
Thank you to Yury Zhauniarovich for sharing the research and granting us permission to publish our insights.
🔗 Reference:
https://zhauniarovich.com/publication/2024/kloeg2024charting/