The past decade has been a whirlwind for the software supply chain. As the use of open source software (OSS) has become more pronounced, more businesses than ever before are using SBOM (Software Bill of Materials) solutions in order to better manage OSS and third-party components.
An SBOM is a formal, queryable record containing the details and relationships of the various components used in building software. Some SBOM elements include:
- Author and timestamp
- Component version
- Supplier information
- Unique identifiers
- SBOM part dependency relationship
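The elements listed above map directly onto the structure of a machine-readable SBOM. The following Python script is an added example, not code from the original post or from Revenera: it builds a small CycloneDX-style SBOM (the field names follow the CycloneDX JSON layout; the firmware image, libraries, versions and suppliers are constructed for illustration) and then answers the question the record exists for, namely which shipped components are affected when a single dependency turns out to be vulnerable.

```python
"""Query a minimal CycloneDX-style SBOM for the elements the post lists.

The document below is constructed for this example. Field names follow the
CycloneDX JSON layout (metadata.timestamp, metadata.authors, components[],
dependencies[]); every component, version and supplier is invented.
"""
from collections import deque

# Constructed sample SBOM for a hypothetical infusion-pump controller image.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
        "timestamp": "2023-04-01T12:00:00Z",            # author and timestamp
        "authors": [{"name": "Example Build Pipeline"}],
        "component": {                                   # the product itself
            "type": "firmware", "bom-ref": "app",
            "name": "pump-controller", "version": "4.2.0",
            "supplier": {"name": "Example Devices Inc."},  # supplier information
        },
    },
    "components": [
        {"type": "library", "bom-ref": "pkg:generic/http-client@2.3.0",
         "name": "http-client", "version": "2.3.0",        # component version
         "supplier": {"name": "Example OSS Project"},
         "purl": "pkg:generic/http-client@2.3.0"},         # unique identifier
        {"type": "library", "bom-ref": "pkg:generic/tls-lib@1.8.1",
         "name": "tls-lib", "version": "1.8.1",
         "supplier": {"name": "Example OSS Project"},
         "purl": "pkg:generic/tls-lib@1.8.1"},
        {"type": "library", "bom-ref": "pkg:generic/logger@0.9.0",
         "name": "logger", "version": "0.9.0",
         "supplier": {"name": "Another OSS Project"},
         "purl": "pkg:generic/logger@0.9.0"},
    ],
    # Dependency relationships between parts: ref depends on each entry of dependsOn.
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:generic/http-client@2.3.0",
                                     "pkg:generic/logger@0.9.0"]},
        {"ref": "pkg:generic/http-client@2.3.0", "dependsOn": ["pkg:generic/tls-lib@1.8.1"]},
        {"ref": "pkg:generic/tls-lib@1.8.1", "dependsOn": []},
        {"ref": "pkg:generic/logger@0.9.0", "dependsOn": []},
    ],
}


def component_index(sbom):
    """Map every bom-ref (the top-level product included) to its component record."""
    idx = {}
    top = sbom.get("metadata", {}).get("component")
    if top:
        idx[top["bom-ref"]] = top
    for comp in sbom.get("components", []):
        idx[comp["bom-ref"]] = comp
    return idx


def reverse_dependencies(sbom):
    """Invert the dependency graph: child bom-ref -> set of parent bom-refs."""
    rev = {}
    for entry in sbom.get("dependencies", []):
        for child in entry.get("dependsOn", []):
            rev.setdefault(child, set()).add(entry["ref"])
    return rev


def impacted_by(sbom, bom_ref):
    """Return sorted bom-refs that depend, directly or transitively, on bom_ref.

    This is the query run when a new vulnerability is published against one
    library: which of our components (and which shipped product) carry it?
    """
    rev = reverse_dependencies(sbom)
    seen, queue = set(), deque([bom_ref])
    while queue:
        for parent in rev.get(queue.popleft(), ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return sorted(seen)


def inventory(sbom):
    """List (name, version, supplier) for every component: the core SBOM elements."""
    return sorted(
        (c["name"], c["version"], c.get("supplier", {}).get("name", "unknown"))
        for c in component_index(sbom).values()
    )


def validate(sbom):
    """Report dependency references that point at no declared component."""
    idx = component_index(sbom)
    return [
        f"dangling reference: {ref}"
        for entry in sbom.get("dependencies", [])
        for ref in [entry["ref"], *entry.get("dependsOn", [])]
        if ref not in idx
    ]


if __name__ == "__main__":
    for row in inventory(SBOM):
        print(row)
    print("carries tls-lib 1.8.1:", impacted_by(SBOM, "pkg:generic/tls-lib@1.8.1"))
    print("problems:", validate(SBOM) or "none")
```

The `validate` step matters in practice: an SBOM whose dependency section references components it never declares cannot answer the impact question reliably, so rejecting such documents at ingestion is cheaper than discovering the gap during an incident.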
Despite a mass movement to SBOM awareness and having more appreciation for open source conformance and compliance, not all industries are moving at the same pace. Some industries, like automotive, medical device manufacturers, and government sectors, are more rapidly adopting standard practices.
SBOMs When the Consequences are Truly Dire
According to research published by the Linux Foundation in 2022, roughly 78% of organizations were expected to produce an SBOM in 2022, with a higher concentration of SBOMs coming from a few fundamental sectors.
These industries typically have one thing in common: their applications have real-world consequences that affect human life. If anything were to go wrong, the consequences would be far more severe.
If a car were to “malfunction” because of an open source vulnerability while someone was driving down the road, the consequences could be disastrous. Likewise, security flaws inside insulin pumps or pacemaker programming machines could mean life or death.
There are a number of reasons why these high-risk industries are turning to SBOM solutions:
- Gravity of Impact – Industries that have an element of human risk have much more to lose than other sectors. Ensuring absolute compliance and security has to be a priority for them.
- Current Practices – Government, automotive, and medical industries already follow many protocols to ensure safety. With those in place, extending them to cover open source compliance and security is not as large a jump.
- Accountability – With more to lose, the consequences of failing to comply are much higher. As risk increases, the need to comply rises with it. These industries are held to a higher standard of accountability because of their interaction with consumers and the possible outcomes of failure.
SBOMs are vital for knowing exactly what’s inside the code these organizations either place in their applications or purchase to put in their products. Companies can eliminate manual record-keeping efforts and get full end-to-end visibility over the open source code they use. Having that insight up and down the software supply chain is even more critical. For businesses that deal with real-world risk, rapid insight into new vulnerabilities in the code they produce and/or consume has not just bottom-line impact, but life and death consequences.
The Evolution of SBOMs
Once upon a time, entire industries would shy away from using open source software. At present, this couldn’t be further from the truth. OSS has woven itself into sectors around the globe, forming a core part of major software deployments.
As OSS has become integral to software as a whole, the software supply chain is evolving in order to make its use as safe and secure as possible. SBOMs are a primary method of ensuring compliance and security, with their use only becoming more popular over time.
In May of 2021, the Biden administration issued an Executive Order (EO) to better secure the nation’s software supply chain. Any organization doing business with the federal government will be required to provide a software bill of materials for all software applications. The EO urged the private sector to follow suit. Since then, the federal government has issued updates to the EO in its National Cybersecurity Strategy, released on March 2nd.
Similar regulation is emerging across the globe: multiple EU agencies are taking action, and the EU has published a proposed Cyber Resilience Act aimed at safeguarding consumers and businesses that use products with a digital software component.
Industries that have more to lose should be ahead of the game, having already made SBOMs a core part of their application development and any product produced and shipped to their customers. Over time, we’re likely going to see SBOMs become the go-to solution for application software inventory across all industries.
If you want to learn more about managing Open Source compliance and how the software supply chain is maturing, be sure to tune into this Revenera Open Source Exchange.