Despite recent events, like the discovery of the Log4j vulnerability late last year, that have highlighted the need for companies to have insight into what open source components they are utilizing, and what versions, fewer than half of companies have a software bill of materials (SBOMs) in place.
This is according to a report by The Linux Foundation, OpenSSF, SPDX, and OpenChain titled “The State of Software Bill of Materials and Cybersecurity Readiness,” which surveyed 412 organizations globally.
A SBOM is metadata that identifies a software component and its contents that can be shared across an organization and provides transparency into software supply chains.
According to survey respondents, the top three benefits of having a SBOM include making it easier for developers to understand dependencies, monitor components for vulnerabilities, and manage license compliance.
While 82% of survey participants are familiar with SBOMs, only 47% are producing or consuming them. However, it looks like companies are starting to move in the right direction, with 78% of organizations expecting to produce or consume SBOMs this year. This would be a 66% increase from last year.
“SBOMs are no longer optional. Our Linux Foundation Research team revealed 78% of organizations expect to produce or consume SBOMs in 2022,” said Jim Zemlin, executive director at the Linux Foundation. “Businesses accelerating SBOM adoption following the publication of the new ISO standard (5962) or the White House Executive Order, are not only improving the quality of their software, they are better preparing themselves to thwart adversarial attacks following new open source vulnerability disclosures like those tied to log4j.”
Many organizations are looking for a greater consensus from the industry when it comes to SBOMs. Sixty-two percent of respondents want better consensus on how to integrate SBOMs into DevOps practices, 58% want consensus on integration into risk and compliance processes, and 53% want better consensus on how SBOMs will evolve.