78% of organizations expect to produce or consume SBOMs in 2022

The Linux Foundation announced the availability of the first in a series of research projects to understand the challenges and opportunities for securing software supply chains. The research reports on the extent of organizational Software Bill of Materials (SBOM) readiness and adoption tied to cybersecurity efforts.

“SBOMs are no longer optional. Our Linux Foundation Research team revealed 78% of organizations expect to produce or consume SBOMs in 2022,” said Jim Zemlin, executive director at the Linux Foundation.

“Businesses accelerating SBOM adoption following the publication of the new ISO standard (5962) or the White House Executive Order, are not only improving the quality of their software, they are better preparing themselves to thwart adversarial attacks following new open source vulnerability disclosures like those tied to log4j.”

An SBOM is formal and machine-readable metadata that uniquely identifies a software component and its contents; it may also include copyright and license data. SBOMs are designed to be shared across organizations and are particularly helpful at providing transparency of components delivered by participants in a software supply chain. Many organizations concerned about application security are making SBOMs a cornerstone of their cybersecurity strategy.

SBOM readiness and adoption

• 82% are familiar with the term Software Bill of Materials (SBOM)
• 76% are actively engaged in addressing SBOM needs
• 47% are producing or consuming SBOMs
• 78% of organizations expect to produce or consume SBOMs in 2022, up 66% from the prior year

Top three benefits for producing SBOMs

• 51% say it’s easier for developers to understand dependencies across components in an application
• 49% state it’s easier to monitor components for vulnerabilities
• 44% noted it’s easier to manage license compliance.

Additional industry consensus and government policy will help drive SBOM adoption and implementation. The researchers noted:

• 62% are looking for better industry consensus on how to integrate the production/consumption of SBOMs into their DevOps practices
• 58% want consensus on integration of SBOMs into their risk and compliance processes. 53% desire better industry consensus on how SBOMs will evolve and improve
• 80% of organizations worldwide are aware of the White House Executive Order on improving cybersecurity
• 76% are considering changes as a direct consequence of the Executive Order

Finally, research participants revealed their top attributes used to prioritize which open source software components would be used by developers: security ranked highest, followed by license compliance.