The software supply chain and the software bill of materials (SBOM) have never been so fervently debated, conflated and berated. Perhaps this is because of some wider maturity in the enterprise software industry, perhaps it is due to some more sensitive appreciation for what economic supply chains are in general after the pandemic… or perhaps it is simply because we now have a more formalised subsector of the tech industry populating the SBOM space. Key companies that operate in this space include Anchore, JFrog, Sonatype, Cloudsmith, Cybeats, Snyk and Mend (formerly WhiteSource).
Magical analyst house Gartner thinks that one of the key drivers for SBOM flakiness is the rise of open source software (OSS). The wizards at Gartner have conjured up spells which estimate that open source makes up 70% to 90% of a typical software application estate, but that only 15% of firms feel confident in their management practices.
Gartner’s sorcerers predict that by 2025, 45% of organisations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.
Of the vendors noted above, Anchore is known for its Syft SBOM generation tool and the company specialises in container security and SBOM management. JFrog is known for its Software Composition Analysis (SCA) tool with SBOM generation capabilities within its DevOps platform. Mend (formerly WhiteSource) is known for its focus on open-source security and license compliance; it offers automated SBOM generation and vulnerability scanning. Snyk is a developer-first security platform that includes SBOM generation as part of its vulnerability management capabilities.
If there’s one thing that companies in this space love, it’s a market report.
Nothing fishy about Anchore
Anchore recently released its third report of executive insights into managing software supply chain security practices. The company thinks that as many as three quarters (76%) of firms prioritise software supply chain security as the effects of software supply chain attacks intensify. As attacks like SolarWinds, XZ, and Log4j grow more sophisticated, the remediation expenses, risk of financial losses, and reputational damage are further heightened.
“Mounting software supply chain risk is driving organisations to take action. [There is a] 200% increase in organisations making software supply chain security a top priority and growing use of SBOMs,” said Josh Bressers, vice president of security at Anchore. “While we’ve seen a lot of data highlighting the threat landscape, [we highlight] a different perspective into the experiences and practices of the organisations that are the targets of software supply chain attacks. We’re able to see how organizations are responding internally to those threats.”
Wider viewpoints on SBOMs
Looking for wider viewpoints here, cloud-native software artifact management platform Cloudsmith has found that only 36% of organisations report having full observability into their software supply chain through their artifact management solution.
The company suggests that this remains a persistent blind spot despite a spate of high-profile software supply chain attacks, including the XZ Utils, Log4j and tj-actions/changed-files incidents.
These “findings” (aka survey results based upon pre-defined market questions paid for by the vendor organisation behind the work here) are said to accompany a growing movement towards greater observability, driven by regulatory pressure, including the EU Cyber Resilience Act and the Cybersecurity and Infrastructure Security Agency (CISA)’s updated 2024 guidelines.
Dude, where’s my centralised artefact repository?
Nigel Douglas, developer relations lead at Cloudsmith, suggests that as open source software now constitutes approximately 90% of modern codebases, insecure packages can introduce exploitable vulnerabilities. He notes that the research may highlight that while 61% of surveyed software development professionals prioritise security features in their development workflows, nearly half (46%) still describe their software delivery pipelines as having no or partial automation, with process inefficiencies and little to no use of a centralised artefact repository.
“There’s a clear disconnect between security goals and real-world implementation. Since open source code is the backbone of today’s software supply chains, any weakness in dependencies or artifacts can create widespread risk. To effectively reduce these risks, security measures need to be built into the core of artifact management processes, ensuring constant and proactive protection,” said Douglas.
If we take anything from these market analysis pieces, it may be true that organisations struggle to balance the demands of delivering software at speed while addressing security vulnerabilities to a level which is commensurate with the composable interconnectedness of modern cloud-native applications in the Kubernetes universe.
The core reason for flaky SBOMs
Alan Carson, Cloudsmith’s CSO and co-founder, remarked, “Without visibility, you can’t control your software supply chain… and without control, there’s no security. When we speak to enterprises, security is high up on their list of most urgent priorities. But security doesn’t have to come at the cost of speed. They may have dozens of developer teams all building different software for different purposes using different methods.”
Carson suggests (and he may of course be guilty of aligning his comments to promote his organisation’s platform, what a surprise) that DevOps leaders today are “crying out for a single plane” to bring that together and simplify management, making security in the software supply chain and across the SBOM a default layer, rather than an extra obligation.
There’s a lot of SBOM about, just be sure you don’t drop the F-bomb on your SBOM.