A new report from the Linux Foundation shines a light on the progress and adoption of software bills of materials (SBOMs), at a time when private and public bodies alike are striving to expedite their responses to newly discovered vulnerabilities.
An SBOM is, in essence, machine-readable metadata that serves up the full list of “ingredients” contained in an application, detailing all the proprietary and open source libraries, modules, and APIs. Crucially, it should also record the relationships between all components and dependencies — with this inventory in place, it is easier to track and trace the components used throughout the software supply chain and to identify which applications are exposed when a vulnerability is found in one of them.
While SBOMs are far from the whole solution for software supply chain security, they go some way toward bringing more visibility to the mix.
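To make the “track and trace” value of the relationship data concrete, here is an added example (not code from the report or from any of the organisations named): it parses a small, constructed SPDX 2.x-style JSON SBOM, builds a reverse dependency map from its `DEPENDS_ON` relationships, and walks it to find every package that transitively contains a given vulnerable component. The package names and versions in the sample are invented.

```python
import json
from collections import defaultdict

# Constructed minimal SPDX 2.x-style JSON SBOM (sample data, not from the report).
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app-sbom",
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "example-app", "versionInfo": "1.0.0"},
        {"SPDXID": "SPDXRef-web", "name": "web-framework", "versionInfo": "4.2.1"},
        {"SPDXID": "SPDXRef-log", "name": "logging-lib", "versionInfo": "2.14.0"},
        {"SPDXID": "SPDXRef-json", "name": "json-parser", "versionInfo": "3.1.0"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-web"},
        {"spdxElementId": "SPDXRef-web", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-log"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-json"},
    ],
})

def load_sbom(text):
    """Parse SPDX JSON into a package index and a reverse (child -> parents) dependency map."""
    doc = json.loads(text)
    packages = {p["SPDXID"]: p for p in doc.get("packages", [])}
    dependents = defaultdict(set)
    for rel in doc.get("relationships", []):
        if rel.get("relationshipType") == "DEPENDS_ON":
            dependents[rel["relatedSpdxElement"]].add(rel["spdxElementId"])
    return packages, dependents

def affected_by(sbom_text, name, version):
    """Return sorted names of every package that transitively depends on name@version."""
    packages, dependents = load_sbom(sbom_text)
    seeds = [pid for pid, p in packages.items()
             if p.get("name") == name and p.get("versionInfo") == version]
    seen, stack = set(), list(seeds)
    while stack:  # depth-first walk up the reverse dependency graph
        pid = stack.pop()
        for parent in dependents.get(pid, ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return sorted(packages[pid]["name"] for pid in seen)
```

Querying for `logging-lib` 2.14.0 reports both `web-framework` (direct) and `example-app` (transitive); a version not present in the inventory returns an empty list, which is the “is this in anything we ship?” answer an SBOM is meant to give quickly.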
The Software Bill of Materials (SBOM) and Cybersecurity Readiness report was produced by the Linux Foundation in partnership with the Open Source Security Foundation (OpenSSF), OpenChain, and the Software Package Data Exchange (SPDX) project. It is touted as the “first in a series of research projects” that strives to “understand the challenges and opportunities for securing software supply chains.”
The report found that 82% of those surveyed are familiar with the term SBOM, while 76% have at least some degree of SBOM “readiness.” And while just 47% were actively using (producing or consuming) SBOMs in 2021, this figure is predicted to rise to 78% in 2022 and nearly 90% by the year after.