92% of large enterprises now maintain an SBOM or plan to implement in the next year, as Log4j and threat landscape prompt evolution in cybersecurity strategies
August 3, 2023 – Fulton, Md. – President Biden’s Executive Order on Improving the Nation’s Cybersecurity has driven wide-scale changes in software development practices in both the UK and US in the two years since it launched, new research from software supply chain management company Sonatype has revealed. The Order, designed to bolster the U.S’ response to cyberattacks and encourage greater public-private sector collaboration, primarily focused on Federal executive agencies and contractors. However, Sonatype’s findings show it has spurred industry-wide action on both sides of the Atlantic.
According to the research - which surveyed 217 Cybersecurity Directors in organizations with over £50 million/$50 million revenue in the UK and US respectively - a huge 76% of enterprises have adopted a Software Bill of Materials (SBOM) since the Order’s introduction. Another 16% plan to implement SBOMs within the next year, showing increasing recognition of the correlation between open source hygiene and cybersecurity posture. Of the three-quarters of companies with SBOMs in place, only 4% adopted them over three years ago, demonstrating how much practices have evolved since the Order.
Furthermore, the findings revealed that SBOMs are becoming a key procurement requirement. Some 60% of respondents currently mandate that the businesses they work with maintain an SBOM and 37% said they will do so in the future, indicating proper software hygiene is becoming increasingly tied to commercial opportunities.
Sonatype’s research also confirms the Order has influenced enterprises’ software development practices in ways transcending SBOMs. Respondents are increasingly investing in technologies to improve software supply chain management, including vulnerability scanning (30%), software composition analysis (24%), supply chain automation (23%), threat intelligence (22%), and bug bounty programs (20%). The regulation has also fueled investment in skills and operations like employee training and awareness (26%), recruiting developer talent (21%), and processes to assess supply chain risks (24%).
Despite SBOMs’ contribution to good software hygiene, however, some companies still lag behind. Of the 24% of respondents yet to adopt SBOMs, 49% attributed this to being unsure how to implement them; 47% are unsure of their benefits; 43% have cost concerns; and 32% lack team resources, underscoring how the global cybersecurity skills crisis is hampering defense strategies.
“While it’s good to finally see widespread adoption of SBOMs, it’s equally concerning to see nearly a quarter of large enterprises have yet to implement them,” said Brian Fox, CTO and Co-Founder at Sonatype. “It echoes our research findings last year showing many organizations are a lot farther behind on software supply chain management than they think they are. SBOMs are just ‘step one’ to cyber resilience – there’s a whole lot more that comes after that list of ingredients if you want to achieve good software hygiene, like investing in tools for software composition analysis. If you’re not at that first step yet, you’re going to fall behind.”
Sonatype’s findings follow the critical and widely publicized Log4j vulnerability, which spotlighted the huge-scale impact open source breaches can have. In addition, the vulnerability prompted worldwide government intervention, with the US pursuing its National Cyber Security Strategy, the EU launching the Cyber Resilience Act, and the UK calling for views on software supply chain security. Given the mounting government intervention in cybersecurity and software development practices, Sonatype also examined attitudes to regulation in the UK and the US, uncovering that large enterprises generally see regulation as a good thing. In fact, 41% of security decision-makers see cyber regulation as the factor having the greatest positive impact on software security. Some, however, lament the volume of cybersecurity regulation, with 44% of business leaders believing there is too much government intervention on cybersecurity overall.
Reception towards policy varies from region to region and policy to policy. Confidence in the long-term success of Biden’s Order is high, with 71% deeming its regulations effective for improving cybersecurity. Interestingly, in the US, decision-makers feel overwhelmingly positive about the amount of cybersecurity regulation, with 84% of respondents viewing regulation in the market as positive. In contrast, in the UK, which has been slower to regulate on software development and cybersecurity issues, just 68% of UK business leaders feel positive about it, potentially inviting more intervention.
“We’ve been highlighting for years the value of better visibility into the software supply chain,” said Wayne Jackson, CEO at Sonatype. “Governments worldwide have to play their part in holding vendors accountable, and we’re finally seeing that come to fruition with rising SBOM adoption as a result of regulatory pressures. But we need to see international governments and businesses on the same page for policy to avoid a messy patchwork of disaggregated regulations that all tackle cyber resilience in different ways. It could otherwise stifle innovation in really crucial areas of software development like the open source ecosystem. Active communication between the private and public sector will go a long way to avoid that.”
Sonatype is the software supply chain management company. Recognized by globally renowned analysts as a leader in the industry, Sonatype enables organizations to innovate faster in a highly competitive market. We allow engineers to develop software fearlessly and focus on building products that power businesses. Sonatype researchers have analyzed more than 120 million open source components – 40x more than its competitors – and the Sonatype platform has automatically blocked over 145,000 malicious components from entering developers’ code. Enabling high-quality, secure software helps organizations meet their business needs and those of their customers and partners. More than 2,000 organizations, including 70% of the Fortune 100 and 15 million software developers, rely on our tools and guidance to be ambitious, move fast and do it securely. To learn more about Sonatype, please visit www.sonatype.com.