Report Finds More Organizations Are Creating SBOMs
The idea of creating SBOMs (Software Bills of Materials) is catching on with
organizations, according to a new survey from Ponemon Institute and
Rezilion. But generating an SBOM in and of itself does not guarantee
success. Organizations need to move toward Dynamic SBOMs that use
automated features in order to provide much greater value.
Creating SBOM Success
An SBOM is a list of all the components in a given piece of software.
Software vendors oftentimes create products by assembling open source
and commercial components, and the SBOM describes these components
used in the product. It’s a formal record that contains the details and supply
chain relationships of the various components, and therefore can help
teams ensure that software is secure and reliable.
The idea of the SBOM gained a lot of attention in 2021 when an executive
order by the White House on improving the nation’s cybersecurity included
a requirement that organizations provide purchasers of software products
with an SBOM for each product directly or by publishing it on a public web
The executive order directed the U.S. Department of Commerce, in
coordination with the National Telecommunications and Information
Administration (NTIA), to publish the “minimum elements” for SBOM. The
Commerce Department has noted that an SBOM “provides those who
produce, purchase, and operate software with information that enhances
their understanding of the supply chain, which enables multiple benefits,
most notably the potential to track known and newly emerged
vulnerabilities and risks.”
SBOMs can be useful for teams that develop software, organizations
that buy software, and users who operate the software. For instance, they
allow developers who rely on open source and third-party components to
ensure the components are up to date. Software buyers can use SBOMs to
perform vulnerability analyses to evaluate the risk of a product.
Of the 634 IT and security leaders surveyed for the Ponemon-Rezilion
report, 41% said their organization had adopted the use of SBOM. Two-thirds
of the respondents said they are either very familiar or familiar with
the concept of SBOM.
Top SBOM Features
The most common features of organizations’ SBOMs are risk assessment
(cited by 56% of the respondents) and compliance with regulations (54%).
Others include supply chain security (49%), continuous updates (47%),
cost savings (44%), inventory of software assets (38%) and license
Many of the SBOMs in use today are static, so they do not easily account
for the inevitable changes that occur in the software market. A Dynamic
SBOM, on the other hand, is updated automatically whenever a release or
change occurs. Dynamic SBOMs are therefore ideally suited for helping security
and development teams keep track of software and components.
While 70% of respondents said continuous automatic updates are
important or very important for an SBOM, only 47% said their SBOM features
continuous updates. It is vital that organizations research tools that provide
the capability for dynamic SBOMs that can incorporate updates
automatically as changes occur.
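As an added illustration of what an SBOM records and of what a dynamic SBOM catches that a static one leaves stale (this is example code, not code from the report, Ponemon or Rezilion), the Python below compares two constructed CycloneDX-style SBOM snapshots and matches their components against a constructed advisory feed. The package names, versions, advisory ids and the `purl`/`dependsOn` layout are assumptions made for the example.

```python
import json
from typing import Dict, Set, Tuple

# Constructed sample data (assumptions, not from the report): two snapshots of
# a CycloneDX-style SBOM for a hypothetical product, plus an advisory feed
# keyed by package URL. Names, versions and advisory ids are placeholders.
SBOM_V1 = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"name": "acme-http", "version": "1.2.0", "purl": "pkg:pypi/acme-http@1.2.0"},
    {"name": "acme-json", "version": "3.0.1", "purl": "pkg:pypi/acme-json@3.0.1"}],
  "dependencies": [
    {"ref": "pkg:pypi/acme-http@1.2.0", "dependsOn": ["pkg:pypi/acme-json@3.0.1"]}]}""")
# v2: components were edited by hand after a release, but the dependency
# relationships were not regenerated, so one dependsOn target is now stale.
SBOM_V2 = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"name": "acme-http", "version": "1.2.0", "purl": "pkg:pypi/acme-http@1.2.0"},
    {"name": "acme-json", "version": "3.1.0", "purl": "pkg:pypi/acme-json@3.1.0"},
    {"name": "acme-tls", "version": "0.9.0", "purl": "pkg:pypi/acme-tls@0.9.0"}],
  "dependencies": [
    {"ref": "pkg:pypi/acme-http@1.2.0", "dependsOn": ["pkg:pypi/acme-json@3.0.1"]}]}""")
ADVISORIES = {"pkg:pypi/acme-json@3.0.1": "ADV-EXAMPLE-0001",
              "pkg:pypi/acme-tls@0.9.0": "ADV-EXAMPLE-0002"}

def purls(sbom: dict) -> Set[str]:
    """Package URLs of every component the SBOM lists."""
    return {c["purl"] for c in sbom.get("components", [])}

def dangling_refs(sbom: dict) -> Set[str]:
    """dependsOn targets that are not listed as components (stale relationships)."""
    known = purls(sbom)
    return {d for dep in sbom.get("dependencies", [])
            for d in dep.get("dependsOn", []) if d not in known}

def diff_sbom(old: dict, new: dict) -> Tuple[Set[str], Set[str]]:
    """(added, removed) components between two snapshots."""
    return purls(new) - purls(old), purls(old) - purls(new)

def match_advisories(sbom: dict, advisories: Dict[str, str]) -> Dict[str, str]:
    """Map each listed component that an advisory covers to the advisory id."""
    return {p: advisories[p] for p in purls(sbom) if p in advisories}

def newly_exposed(old: dict, new: dict, advisories: Dict[str, str]) -> Dict[str, str]:
    """Advisories that apply to the new snapshot but not the old one: the
    exposure a static SBOM would not surface until it was regenerated."""
    old_hits = match_advisories(old, advisories)
    return {p: a for p, a in match_advisories(new, advisories).items() if p not in old_hits}
```

Running `dangling_refs` on each regenerated snapshot and `newly_exposed` between consecutive snapshots is the kind of check a dynamic SBOM pipeline can perform on every release.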
If they want to provide more safeguards for software, security and
development leaders and teams need to get up to speed on the idea of the
Dynamic SBOM, and adopt these resources if they haven’t already.
Download the full report today and learn more.