Securing the open source ecosystem: SBOMs are no longer optional

To truly secure software, we need to know what's inside. That's where a software bill of materials comes in.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

In the last year and a half, one cybersecurity mess after another -- the SolarWinds software supply chain attack, the log4j vulnerability, malicious code injected into npm packages -- has made it clear that we must clean up our software supply chain. That's hard to do with proprietary software when its creators won't tell you what's inside a program. But with open-source programs, it can be done.

Here's the progress we've made so far, according to the Linux Foundation's new report, The State of Software Bill of Materials and Cybersecurity Readiness.

The Linux Foundation, OpenSSF, SPDX, and OpenChain had been working on securing the software supply chain long before President Joe Biden signed an executive order to boost the federal government's cyber defense. Among other things, that order requires vendors selling software to the federal government to provide a Software Bill of Materials (SBOM) for each product, either directly to the purchaser or by publishing it on a public website.

The order defines an SBOM as "a formal record containing the details and supply chain relationships of various components used in building software." It's an especially important issue with open-source software, since "software developers and vendors often create products by assembling existing open source and commercial software components."

How often? The managed open-source company Tidelift reports that 92% of applications contain open-source components. In fact, by Tidelift's figures the average modern program is made up of 70% open-source software.


Jim Zemlin, the Linux Foundation's executive director, writes, "SBOMs are no longer optional. Our Linux Foundation Research team revealed 78% of organizations expect to produce or consume SBOMs in 2022. Businesses accelerating SBOM adoption following the publication of the new ISO standard 5962 or the White House Executive Order are not only improving the quality of their software, but they are also better preparing themselves to thwart adversarial attacks following new open-source vulnerability disclosures like those tied to log4j."

The SBOM ISO standard, ISO/IEC 5962:2021, is the SPDX (Software Package Data Exchange) specification, the work of the Linux Foundation project of the same name.

According to this standard, an SBOM is formal, machine-readable metadata that uniquely identifies a software component and its contents, including the relationships between the components it contains. It may also include copyright and license data. If you think of it as a recipe for a program, you won't be far off.

SBOMs are shared across organizations and provide component transparency in a software supply chain. Many organizations concerned about application security are making SBOMs a cornerstone of their cybersecurity strategy: it's the one way they can be sure they know what ingredients are in their programs. An SBOM only helps, though, if it is generated from the actual build and kept current, so it needs to be regenerated for every release and checked against the artifact that actually ships.

Linux Foundation Research conducted a worldwide survey into organizational SBOM readiness and adoption in the third quarter of 2021. A total of 412 organizations from around the world participated in the 65-question survey. Stephen Hendrick, the Linux Foundation's VP of Research, authored the report.

Key findings from the survey include:

  • 82% of respondents are familiar with the term SBOM.

  • 76% are actively engaged in addressing SBOM needs.

  • 47% are producing or consuming SBOMs.

  • 78% of organizations expect to produce or consume SBOMs in 2022, a 66% increase over the 47% doing so today.

Survey respondents also revealed their top three benefits for producing SBOMs:

  • 51% say it's easier for developers to understand dependencies across components in an application.

  • 49% state it's easier to monitor components for vulnerabilities.

  • 44% note it's easier to manage license compliance.
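The three benefits above map directly onto what a machine-readable SBOM lets you do once it is parsed. As an added example (not code from the Linux Foundation, SPDX, or the article's author), the following Python script reads a small SBOM written in the SPDX 2.2 JSON form that ISO/IEC 5962 standardizes, follows its DEPENDS_ON relationships to explain why a component is present, matches each package against a vulnerability feed, and lists packages whose concluded license is not on an allow-list. The SBOM document, the one-entry vulnerability feed, the allow-list and the package `example-jdbc-driver` are all constructed for this example; the one feed entry, CVE-2021-44228 affecting log4j-core 2.x before 2.15.0, is the real Log4Shell range.

```python
"""Parse a minimal SPDX 2.2 JSON SBOM and use it for dependency tracing,
vulnerability matching and license checking. Added example; the SBOM and
vulnerability feed below are constructed inline so it runs offline."""
import json
import re

# Constructed sample SBOM in SPDX 2.2 JSON form. log4j-core and log4j-api are
# real projects, but the document (IDs, namespace, example-app,
# example-jdbc-driver, relationships) is made up for this example.
SAMPLE_SBOM_JSON = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app-sbom",
    "documentNamespace": "https://sbom.example.invalid/example-app/1.0.0",
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "example-app", "versionInfo": "1.0.0",
         "licenseConcluded": "Apache-2.0"},
        {"SPDXID": "SPDXRef-log4j-core", "name": "log4j-core", "versionInfo": "2.14.1",
         "licenseConcluded": "Apache-2.0"},
        {"SPDXID": "SPDXRef-log4j-api", "name": "log4j-api", "versionInfo": "2.14.1",
         "licenseConcluded": "Apache-2.0"},
        {"SPDXID": "SPDXRef-jdbc", "name": "example-jdbc-driver", "versionInfo": "8.0.0",
         "licenseConcluded": "GPL-2.0-only"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-app"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-log4j-core"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-jdbc"},
        {"spdxElementId": "SPDXRef-log4j-core", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-log4j-api"},
    ],
})

# Constructed stand-in for a vulnerability feed. The single entry is real:
# CVE-2021-44228 (Log4Shell) affects log4j-core 2.x before 2.15.0. A real
# check would pull ranges from an advisory database instead of a literal.
VULN_FEED = [
    {"id": "CVE-2021-44228", "package": "log4j-core",
     "introduced": "2.0", "fixed": "2.15.0"},
]

# Licenses this hypothetical organization accepts without review.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}


def parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple of leading integers."""
    return tuple(int(x) for x in re.findall(r"\d+", v.split("-")[0]))


def load_sbom(text):
    """Index packages by SPDXID, collect DESCRIBES roots and a DEPENDS_ON map."""
    doc = json.loads(text)
    packages = {p["SPDXID"]: p for p in doc["packages"]}
    depends_on, roots = {}, []
    for rel in doc.get("relationships", []):
        src, dst = rel["spdxElementId"], rel["relatedSpdxElement"]
        if rel["relationshipType"] == "DESCRIBES" and src == doc["SPDXID"]:
            roots.append(dst)
        elif rel["relationshipType"] == "DEPENDS_ON":
            depends_on.setdefault(src, []).append(dst)
    return {"packages": packages, "depends_on": depends_on, "roots": roots}


def dependency_paths(sbom, target_name):
    """Every chain of package names from a described root down to target_name,
    i.e. the answer to 'why is this component in my application at all?'"""
    names = {pid: p["name"] for pid, p in sbom["packages"].items()}
    paths = []

    def walk(pid, chain):
        chain = chain + [names[pid]]
        if names[pid] == target_name:
            paths.append(chain)
        for child in sbom["depends_on"].get(pid, []):
            if names[child] not in chain:  # guard against cyclic relationships
                walk(child, chain)

    for root in sbom["roots"]:
        walk(root, [])
    return paths


def vulnerable_packages(sbom, feed):
    """Packages whose name and version fall inside a feed entry's affected range."""
    hits = []
    for p in sbom["packages"].values():
        ver = parse_version(p["versionInfo"])
        for entry in feed:
            if (p["name"] == entry["package"]
                    and parse_version(entry["introduced"]) <= ver < parse_version(entry["fixed"])):
                hits.append((p["name"], p["versionInfo"], entry["id"]))
    return hits


def license_exceptions(sbom, allowed):
    """Packages whose concluded license is missing or not on the allow-list."""
    return [(p["name"], p.get("licenseConcluded", "NOASSERTION"))
            for p in sbom["packages"].values()
            if p.get("licenseConcluded", "NOASSERTION") not in allowed]


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM_JSON)
    print("paths to log4j-api:", dependency_paths(sbom, "log4j-api"))
    print("vulnerable:", vulnerable_packages(sbom, VULN_FEED))
    print("license review needed:", license_exceptions(sbom, ALLOWED_LICENSES))
```

Run against the sample, the script reports that log4j-api is reached only through log4j-core, that log4j-core 2.14.1 sits inside the CVE-2021-44228 range, and that example-jdbc-driver's GPL-2.0-only license needs review. Bumping the log4j-core version to 2.15.0 clears the vulnerability hit, which is exactly the "is the fix in our build yet?" question an SBOM lets you answer without opening the artifact.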

That said, the researchers also found that SBOM adoption needs more industry consensus and government policy. Specifically:

  • 62% of respondents are looking for better industry consensus on how to integrate the production/consumption of SBOMs into their DevOps practices.

  • 58% want consensus on the integration of SBOMs into their risk and compliance processes. 

  • 53% desire better industry consensus on how SBOMs will evolve and improve.

  • 80% of organizations worldwide are aware of the White House Executive Order on improving cybersecurity.

  • 76% are considering changes as a direct consequence of the Executive Order.

Finally, research participants revealed their top attributes used to prioritize which open-source software components would be used by developers: security ranked highest, followed by license compliance.


All of this is a good start, but more needs to be done. I find it especially concerning that even though there's now an ISO standard for SBOMs, developers and their companies haven't embraced it more. 

You see, SBOMs are not optional. They are essential to secure open-source software. Everything from security breaches all the way to imminent cyberwar shows we must adopt SBOMs as soon as possible.
