The Linux Foundation, the nonprofit organization enabling mass innovation through open source, in partnership with OpenSSF, SPDX, and OpenChain, today announced the availability of the first in a series of research projects to understand the challenges and opportunities for securing software supply chains. “The State of Software Bill of Materials and Cybersecurity Readiness” reports on the extent of organizational SBOM readiness and adoption tied to cybersecurity efforts. The study comes on the heels of both the U.S. Administration’s Executive Order on Improving the Nation’s Cybersecurity and the recent White House Open Source Security Summit. Its timing coincides with increasing recognition across the globe of the importance of identifying software components and helping accelerate response to newly discovered software vulnerabilities.
“SBOMs are no longer optional. Our Linux Foundation Research team revealed 78% of organizations expect to produce or consume SBOMs in 2022,” said Jim Zemlin, executive director at the Linux Foundation. “Businesses accelerating SBOM adoption following the publication of the new ISO standard (5962) or the White House Executive Order, are not only improving the quality of their software, they are better preparing themselves to thwart adversarial attacks following new open source vulnerability disclosures like those tied to log4j.”
An SBOM is formal and machine-readable metadata that uniquely identifies a software component and its contents; it may also include copyright and license data. SBOMs are designed to be shared across organizations and are particularly helpful at providing transparency of components delivered by participants in a software supply chain. Many organizations concerned about application security are making SBOMs a cornerstone of their cybersecurity strategy.
Key findings from survey participants analyzed for the report include:
- 82% are familiar with the term Software Bill of Materials (SBOM)
- 76% are actively engaged in addressing SBOM needs
- 47% are producing or consuming SBOMs
- 78% of organizations expect to produce or consume SBOMs in 2022, up 66% from the prior year
Survey participants also revealed their top three benefits for producing SBOMs:
- 51% say it’s easier for developers to understand dependencies across components in an application
- 49% state it’s easier to monitor components for vulnerabilities
- 44% noted it’s easier to manage license compliance.
Linux Foundation researchers also revealed that additional industry consensus and government policy will help drive SBOM adoption and implementation. The researchers noted:
- 62% are looking for better industry consensus on how to integrate the production/consumption of SBOMs into their DevOps practices
- 58% want consensus on integration of SBOMs into their risk and compliance processes. 53% desire better industry consensus on how SBOMs will evolve and improve
- 80% of organizations worldwide are aware of the White House Executive Order on improving cybersecurity
- 76% are considering changes as a direct consequence of the Executive Order
Finally, research participants revealed their top attributes used to prioritize which open source software components would be used by developers: security ranked highest, followed by license compliance.
Linux Foundation Research conducted this worldwide empirical research into organizational SBOM readiness and adoption in the third quarter of 2021. A total of 412 organizations from around the world participated in the 65-question survey. The Report is authored by Stephen Hendrick, vice president of Research at the Linux Foundation. The Linux Foundation has also prioritized research to aid collective understanding of the scope of cybersecurity challenges with the first in a series of core research projects to explore important issues related to implementing cybersecurity best practices and standards adoption, beginning with this study of SBOM readiness.
The Linux Foundation supports numerous open source SBOM and security-related programs, including Open Source Security Foundation (OpenSSF), SPDX (ISO/IEC 5962), sigstore, Let’s Encrypt, in-toto, The Update Framework (TUF), Uptane, and OpenChain (ISO 5230).
- Download the The State of Software Bill of Materials and Cybersecurity Readiness report
- Attend our webinar Understanding The Role Of Software Bill Of Materials In Cybersecurity Readiness on Tuesday, February 1st
- Join one of six OpenSSF working groups to help improve open source security
- Read about SPDX as the ISO standard for SBOMs
- Access free training on generating a free software bill of materials
- Get certified as a secure software development professional
About the Linux Foundation
Founded in 2000, the Linux Foundation and its projects are supported by more than 1,800 members. The Linux Foundation is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.