The state of software bill of materials: SBOM growth could bolster software supply chains



A new report from the Linux Foundation shines a light on the progress and adoption of software bill of materials (SBOMs), at a time when private and public bodies alike are striving to expedite the responses to newly-discovered vulnerabilities.

An SBOM is basically machine-readable metadata that serves up the full list of “ingredients” contained in an application, detailing all the proprietary and open source libraries, modules, and APIs. Crucially, it should also highlight the relationship across all components and dependencies — with this inventory in place, it’s easier to track and trace components used through the software supply chain and identify vulnerabilities.

While SBOMs are far from the whole solution for software supply chain security, they go some way toward bringing more visibility to the mix.

The Software Bill of Materials (SBOM) and Cybersecurity Readiness report was produced by the Linux Foundation in partnership with the Open Source Security Foundation (OpenSSF), OpenChain, and the Software Package Data Exchange (SPDX). It is touted as the “first in a series of research projects” that strives to “understand the challenges and opportunities for securing software supply chains.”

The report found that 82% of those surveyed are familiar with the term SBOM, while 76% have at least some degree of SBOM “readiness.” And while just 47% were actively using (producing or consuming) SBOMs in 2021, this figure is predicted to rise to 78% in 2022 and nearly 90% by the year after.

Figure: Forecast organizational production or consumption and growth of SBOMs, 2021-2023

Although the survey was limited to just 412 organizations, it was fairly broad insofar as it was conducted in seven languages, and was targeted at technology professionals spanning enterprises, vendors, solutions and service providers, and public sector bodies — as well as Linux Foundation community members.

Don’t drop the SBOM

Keeping an accurate record of exactly what’s in your tech stack — down to each component — is one way to address growing concerns around security in the software supply chain. With supply chain attacks growing by a reported 300% in 2021, companies understandably become concerned when they discover that pervasive software libraries such as Log4j are found to contain a previously unknown — and easy-to-exploit — vulnerability.

The problem, ultimately, is that while an open source maintainer can issue a quick and “easy” fix for a vulnerability, the sheer ubiquity of a software component across cloud services, applications, and infrastructure can make it incredibly difficult to deploy an update quickly enough. But more than that, an organization might not even know that its software contains that component in the first place. And if it doesn’t know, how can it remedy the problem?
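To make the two points above concrete (an SBOM as machine-readable metadata that records components and their relationships, and the question of whether a given component is present in a build at all), here is an added example that is not part of the report or the article: a small Python script that parses a constructed SPDX 2.3 JSON document and walks its DEPENDS_ON relationships to report every dependency path leading to a named component, here log4j-core. The document, package names and versions are hypothetical; only the SPDX field names are real.

```python
import json
from collections import defaultdict

# Constructed minimal SPDX 2.3 JSON document (hypothetical, not from the report or any real project):
# example-app depends on a web framework which transitively pulls in log4j-core.
SBOM_JSON = """{
  "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-app-sbom",
  "packages": [
    {"SPDXID": "SPDXRef-app",   "name": "example-app",           "versionInfo": "1.4.0"},
    {"SPDXID": "SPDXRef-web",   "name": "example-web-framework", "versionInfo": "3.2.1"},
    {"SPDXID": "SPDXRef-json",  "name": "example-json-lib",      "versionInfo": "2.0.0"},
    {"SPDXID": "SPDXRef-log4j", "name": "log4j-core",            "versionInfo": "2.14.1"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-app",   "relationshipType": "DESCRIBES"},
    {"spdxElementId": "SPDXRef-app",      "relatedSpdxElement": "SPDXRef-web",   "relationshipType": "DEPENDS_ON"},
    {"spdxElementId": "SPDXRef-app",      "relatedSpdxElement": "SPDXRef-json",  "relationshipType": "DEPENDS_ON"},
    {"spdxElementId": "SPDXRef-web",      "relatedSpdxElement": "SPDXRef-log4j", "relationshipType": "DEPENDS_ON"}
  ]
}"""

def find_component(sbom, component_name):
    """Return every dependency path ('name@version' lists) from each package the
    document DESCRIBES down to a package named component_name; [] means absent."""
    packages = {p["SPDXID"]: p for p in sbom["packages"]}
    depends_on, roots = defaultdict(list), []
    for rel in sbom["relationships"]:
        if rel["relationshipType"] == "DEPENDS_ON":
            depends_on[rel["spdxElementId"]].append(rel["relatedSpdxElement"])
        elif rel["relationshipType"] == "DESCRIBES":
            roots.append(rel["relatedSpdxElement"])
    hits = []

    def walk(spdx_id, path, seen):
        pkg = packages[spdx_id]
        path = path + [f"{pkg['name']}@{pkg.get('versionInfo', '?')}"]
        if pkg["name"] == component_name:
            hits.append(path)
        for child in depends_on[spdx_id]:
            if child not in seen:  # guard against cyclic DEPENDS_ON relationships
                walk(child, path, seen | {child})
    for root in roots:
        walk(root, [], {root})
    return hits

def affected_paths(sbom_text, component_name):
    """Parse the JSON SBOM text and run the search; the entry point a CI job would call."""
    return find_component(json.loads(sbom_text), component_name)
```

Running `affected_paths(SBOM_JSON, "log4j-core")` returns the single path example-app → example-web-framework → log4j-core, which is exactly the answer an operator needs on disclosure day; an empty list means the component is not in that build.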

This is where an SBOM can help. While SBOMs are not a new concept, they have received much attention over the past year after U.S. President Biden issued an executive order in May outlining measures to improve the nation’s cybersecurity in the wake of the SolarWinds attacks. One of the stipulations of the order was to secure open source software used within federal information systems, which included:

… maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis.

To achieve this, the order specified that all ICT companies working with federal government agencies should provide an SBOM for each item used in the software stack.

‘No longer optional’

A clear takeaway from the report is that SBOMs will likely become more commonplace as organizations bolster their defenses against future (and existing) vulnerabilities in the software supply chain.

Back in September, SPDX became an internationally recognized standard for SBOMs, though it had already emerged as the de facto SBOM format for companies such as Microsoft, Intel, and VMware. Receiving the official rubber stamp of the International Organization for Standardization (ISO) puts SPDX in a strong position moving forward, as it makes it easier for any organization or government to adopt.

“SBOMs are no longer optional,” Linux Foundation executive director Jim Zemlin said in a statement. “Businesses accelerating SBOM adoption following the publication of the new ISO standard, or the White House Executive Order, are not only improving the quality of their software, they are better preparing themselves to thwart adversarial attacks following new open source vulnerability disclosures like those tied to log4j.”

The Software Bill of Materials (SBOM) and Cybersecurity Readiness report can be read in full here.
