Using a Software Bill of Materials (SBOM) is Going Mainstream

I read a couple of advisories by Caleb Queern of KPMG, "What Are SBOMs?" and "Which Teams In My Organization Can Help Reduce Risk Using SBOM’s?". These articles bring a smile to my face and give me hope that the practice of creating and using SBOMs has finally gone mainstream.

I’ve spent most of the last year reaching out to Application Security professionals, imploring them to consider why OWASP Top 10 A9 (Using Components with Known Vulnerabilities) is about to turn seven years old and yet so few teams have effective controls in place. Our own DevSecOps Community Survey tells me that fewer than half of respondents said their organization can produce a Software Bill of Materials, which just seems crazy to me. I thought that surely, by now, everyone would have meaningful controls in place for this one basic ability. To compound that, a recent Gartner report on AppSec tools had this little gem in it (emphasis added):

By 2024, the provision of a detailed, regularly updated software bill of materials (SBOM) by software vendors will be a non-negotiable requirement for at least half of enterprise software buyers, up from less than 5% in 2019.

So while the industry has had seven years to address this, anyone who still hasn’t has only about four years left before their buyers start demanding it. But this is also where my years of frustration are turning into a smile, now that this conversation has gone mainstream.

So, if your company is among the majority that still isn’t doing Software Composition Analysis (SCA) that can both produce an SBOM and give visibility into the use of known vulnerable components, the good news is that Sonatype has a mature, enterprise-ready solution available. Seeing a global system integrator like KPMG share their views on the importance of addressing this issue, (Read more...)
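To make the two capabilities named above concrete, here is an added example (not code from this post, from Sonatype, or from KPMG) that does the minimum an SCA step has to do: turn a pinned dependency list into a CycloneDX-shaped SBOM, with a Package URL (purl) per component, and then match each component against an advisory list by version range. The requirements file and the advisory entries (the ADV-000x identifiers and their ranges) are constructed for illustration and are not real data; a real pipeline would send the purls to an advisory source such as OSV or the NVD instead of a hard-coded list.

```python
"""Minimal SBOM generation plus known-vulnerable-component check.

Parses a pinned Python requirements list, emits a CycloneDX-style JSON
SBOM (one component per dependency, identified by a Package URL), and
matches every component against a small advisory list.  All sample
data below is constructed for illustration; the ADV-000x entries are
hypothetical and do not correspond to real advisories.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample input: a pinned requirements.txt as a string.
SAMPLE_REQUIREMENTS = """\
# web stack
flask==1.1.2
jinja2==2.11.2   # templating
requests==2.25.1
PyYAML==5.3.1
"""

# Constructed advisory list (hypothetical IDs, not real CVEs).  Each entry
# names a normalized package, the first affected version (inclusive) and
# the first fixed version (exclusive), the shape most advisory feeds use.
SAMPLE_ADVISORIES = [
    {"name": "pyyaml", "id": "ADV-0001", "introduced": "0", "fixed": "5.4"},
    {"name": "jinja2", "id": "ADV-0002", "introduced": "0", "fixed": "2.11.3"},
    {"name": "requests", "id": "ADV-0003", "introduced": "2.0", "fixed": "2.20.0"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.11.2' into (2, 11, 2); stop at the first non-numeric part.

    Tuple comparison then gives the usual ordering: (2, 11) < (2, 11, 3).
    """
    parts: List[int] = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_requirements(text: str) -> List[Dict[str, str]]:
    """Extract name/version pairs from 'name==1.2.3' lines, ignoring comments.

    Anything not pinned with '==' is rejected: an SBOM has to state the exact
    version that shipped, so a range like 'flask>=1.0' is not acceptable input.
    """
    comps: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([A-Za-z0-9_.\-]+)$", line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        comps.append({"name": m.group(1), "version": m.group(2)})
    return comps


def build_sbom(components: List[Dict[str, str]]) -> Dict:
    """Emit a CycloneDX 1.4-shaped document with a pkg:pypi purl per component."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "components": [
            {
                "type": "library",
                "name": c["name"],
                "version": c["version"],
                # PyPI purls use the normalized project name: lowercase,
                # underscores replaced by hyphens.
                "purl": f"pkg:pypi/{c['name'].lower().replace('_', '-')}@{c['version']}",
            }
            for c in components
        ],
    }


def find_vulnerable(sbom: Dict, advisories: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (purl, advisory id, fixed version) for every affected component."""
    hits: List[Tuple[str, str, str]] = []
    for comp in sbom["components"]:
        ver = parse_version(comp["version"])
        for adv in advisories:
            if adv["name"] != comp["name"].lower():
                continue
            if parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed"]):
                hits.append((comp["purl"], adv["id"], adv["fixed"]))
    return hits


def scan(requirements_text: str, advisories: List[Dict[str, str]] = SAMPLE_ADVISORIES):
    """Build the SBOM for a requirements file and return it with its findings."""
    sbom = build_sbom(parse_requirements(requirements_text))
    return sbom, find_vulnerable(sbom, advisories)


if __name__ == "__main__":
    sbom, hits = scan(SAMPLE_REQUIREMENTS)
    print(json.dumps(sbom, indent=2))
    for purl, adv_id, fixed in hits:
        print(f"{purl}: {adv_id} (fixed in {fixed})")
```

Run against the constructed input, the scan flags jinja2 2.11.2 and PyYAML 5.3.1 and clears flask and requests (requests 2.25.1 is past the constructed fix version). The point of the SBOM half is that the purl, not the human-readable name, is the stable key you hand to an advisory source, which is why the name is normalized when the purl is built rather than at match time.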

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Curtis Yanko. Read the original post at: https://blog.sonatype.com/software-bill-of-materials-going-mainstream