Broad SBOM adoption takes root as businesses watch their supply chains

Jul 09, 2023

Research from Sonatype shows major companies are increasingly mandating outside vendors to account for the security of their applications.

The 2021 executive order was part of a wider effort by the Biden administration to bolster software security in the wake of the Russia-linked supply chain attacks against SolarWinds, where state-sponsored hackers inserted malware into the company’s Orion IT monitoring platform.

As a result, thousands of organizations that used the software were put at risk as hackers gained access to major computer networks at private-sector companies and government agencies. The same threat actors, dubbed Nobelium by Microsoft, launched attacks against numerous other technology companies as well.

The Biden executive order called for companies doing business with the federal government to implement SBOMs, which effectively forced federal contractors to account for the security of their software.

Sonatype officials say the mandates under the executive order have had a carryover effect to vendor relationships in the private sector.

“I am incredibly encouraged by both the number of companies using SBOMs and the number that are requiring their vendors to use SBOMs,” Ilkka Turunen, field CTO at Sonatype, said via email. “It is evident that greater attention to software supply chain security at the federal level does indeed spur change.”

Beyond the original 60%, another 37% said they expect to have an SBOM mandate in the future, which reflects an evolution of software-procurement policies.

The study indicates companies are investing in technologies to monitor software security, including vulnerability scanning, software composition analysis and supply chain automation.