Skip to main content
close search
site logo
Dive Brief

Broad SBOM adoption takes root as businesses watch their supply chains

Research from Sonatype shows major companies are increasingly mandating outside vendors to account for the security of their applications.

Published Aug. 4, 2023
David Jones's headshot
Reporter
IT Programer Working on Desktop Computer in Data Center System Control Room
iStock / Getty Images Plus via Getty Images
This audio is auto-generated. Please let us know if you have feedback.

Dive Brief:

  • Three-quarters of enterprises in the U.S. and U.K. have implemented software bills of materials since the Biden administration issued an executive order to bolster cybersecurity in 2021, according to a report Sonatype released Thursday.
  • About 60% of enterprises now require businesses they work with to have an SBOM in place, according to the report. The research, conducted by Censuswide in May 2023, was based on a study of 217 IT directors who oversee security companies with more than $50 million or 50 million British pounds of annual revenue. 
  • The new focus on software security was fueled in large part by events like the Log4j crisis, which forced companies across the globe to accelerate adoption of new policies and technologies to quickly find and mitigate vulnerabilities in widely used applications.

Dive Insight:

The 2021 executive order was part of a wider effort by the Biden administration to bolster software security in the wake of the Russia-linked supply chain attacks against SolarWinds, where state-sponsored hackers inserted malware into the company’s Orion IT monitoring platform.

As a result, thousands of organizations that used the software were put at risk as hackers gained access to major computer networks at private-sector companies and government agencies. The same threat actors, dubbed Nobelium by Microsoft, launched attacks against numerous other technology companies as well. 

The Biden executive order called for companies doing business with the federal government to implement SBOMs, which effectively forced federal contractors to account for the security of their software.

Sonatype officials say the mandates under the executive order have had a carryover effect to vendor relationships in the private sector. 

“I am incredibly encouraged by both the number of companies using SBOMs and the number that are requiring their vendors to use SBOMs,” Ilkka Turunen, field CTO at Sonatype, said via email. “It is evident that greater attention to software supply chain security at the federal level does indeed spur change.”

Beyond the original 60%, another 37% said they expect to have an SBOM mandate in the future, which reflects an evolution of software-procurement policies.

The study indicates companies are investing in technologies to monitor software security, including vulnerability scanning, software composition analysis and supply chain automation.

Editors' picks

Company Announcements

View all | Post a press release
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Editors' picks
Latest in Strategy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell