2022 was the year of the SBOM…and 2023 will be, too
2022 was the year of the rise of the SBOM. This time of year, we take a look back at the havoc wreaked by breaches–that occurred in 2021 and earlier. The fallout from SolarWinds and Kaseya cyberattacks continued into 2022, which poignantly illustrated how vulnerable the software supply chain is.
The Log4j open-source vulnerability at the end of 2021 further illuminated the need for visibility around hard-to-find flaws.
These high-profile breaches led the White House to issue an administrative directive last year requiring an SBOM for third parties to work with federal agencies along with a timeline and security measures for critical software use. If you’re not familiar with an SBOM by now, it is an inventory of “ingredients” used in an application, including dependencies of dependencies, open-source libraries and third-party components.
Open Source Software and Supply Chain in 2022
Not surprisingly, 2022 brought a slew of new security vulnerabilities while many organizations continued to suffer the consequences of Log4j activity. But even as the SolarWinds and Log4j incidents served as wake-up calls about the implications of exposure to third-party applications, open-source repositories remain enticing targets for exploitation.
The numbers speak volumes. Software supply chain failures related to open-source components increased by a whopping 650% between 2020 and 2021. Further, cybercrime cost the world a projected $7 trillion this year.
So it may not be a coincidence that 77% of organizations reported a wider adoption of open-source software during the year.
Meanwhile, the Cybersecurity Infrastructure Security Agency (CISA) released a Government Binding Operational Directive (BOD), aimed at improving asset visibility and vulnerability detection on federal networks. The mandate requires agencies to perform automated asset discovery every seven days and to identify and report suspected vulnerabilities on those assets every 14 days.
Although it doesn’t explicitly direct the creation of an SBOM, establishing one is essentially required to will carry out the mandate.
The Case For Making SBOMs a Top Priority in 2023
Open source code is now ubiquitous. Some 97% of codebases contained open source in 2022, according to the latest Synopsis Open Security and Risk Analysis report. Understanding and awareness of SBOMs grew significantly in 2022 and use of them is expected to continue.
And it must. Deploying tools like SBOMs and software composition analysis (SCA) throughout the SDLC can help avert further risk of Log4j and track where open-source components are being used.
This ensures that everyone within the supply chain is getting trustworthy apps built on secure and reliable code. That’s important because trust in apps is not a given any longer, as the federal government’s EO illustrated. Even if your organization doesn’t do business with the federal government, it’s only a matter of time before SBOMs become mandatory in the private sector.
In fact, Gartner is projecting by 2025, 60% of organizations building or procuring critical infrastructure software will mandate and standardize SBOMs in their software engineering practice. That reflects an increase of less than 20% in 2022.
In an ideal world, developers check their code to ensure there are no errors or coding mistakes. But with a plethora of open source, proprietary, and third party components used on applications, visibility can be limited.
According to a survey from the Linux Foundation, the benefits of implementing SBOMs are not limited to security:
- 51% of respondents said producing SBOMs helps developers understand dependencies across components in an application
- 49% said SBOMs make it easier to monitor components for vulnerabilities
- 44% said generating SBOMs helps with OSS license compliance management
So why not do what you can to mitigate security risk in your products and the supply chain. Why not take a page from the federal government’s book and make implementing SBOMs a priority in 2023.
How Rezilion Can Help You Make 2023 The Year of the SBOM
With our Dynamic SBOM, discovery, prioritization, and auto remediation capabilities, Rezilion makes it easier for teams to see, manage, and eliminate software vulnerabilities in real time.
With Rezilion’s platform you can:
- Inventory all of your software components with a Dynamic Software Bill of Materials (SBOM).
- Pinpoint specific vulnerabilities and know if they’re exploitable in your environment.
- Filter out the noise from scan results to focus on what matters, fast.
- Build smart remediation plans that make it easy to eliminate multiple problems at once.
Book at demo and see it in action today.