The Linux Foundation Releases The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness Research which reports on the extent of organizational SBOM readiness and adoption tied to cybersecurity efforts. The video is below followed by a transcript of the conversation.
Alan Shimel: Hey everyone, welcome to another TechStrongTV interview. I’m really happy to introduce you to Steven or Steve Hendrick. Steve is the VP of Research over at the Linux Foundation and we’re really happy to have him on today. Hey, Steve, how are you?
Steve Hendrick: Hey, I’m doing great, thanks for asking, Alan.
Shimel: Thank you. You know, Steve, look the Linux Foundation is doing so many great things across such a wide range of topics. Whether we’re talking about software and automobiles, the Cloud Native Computing Foundation, CDF Foundation, Open Mainframe Project, the OpenSource Security Foundation. I mean, who would have thought whenever it was — it had to be 25 years ago. I know you guys recently had a big gala celebrating an anniversary. How far-reaching Linux Foundation would be and it is and kudos. The education, everything. The research arm of LF is one that maybe not a lot of people are familiar with. So, before we jump into this great report that you guys just have out on software building material, I wanted to talk a little bit about just the Linux Foundation’s research division and you’re the VP there. Tell our audience what are you guys up to? What’s the mission there?
Hendrick: Well, this is a new group. This was put in place and staffed up middle — well actually starting spring of last year. Actually, there’s two of us. I’m sort of the Research VP in charge of heavy lifting and Hillary Carter is a Research VP as well and she’s more on the biz dev side and relationship side. And the reason I’m doing the heavy lifting is that I have come out of the industry analyst space. Was doing that gig for 30 years. The first 22 were with IDC and then some boutiques after that. So, I’ve had the opportunity to publish about 1,000 research documents. I’ve been involved driving over 100 surveys. So, I think what happened was Linux Foundation wanted a seasoned professional to come in and do top quality research. So, that was their interest in me.
So, we put this research engine in place at Linux Foundation. The first project, the first core project out of the gate was this SBOM research. And what’s really interesting is that in my 30 years as an industry analyst — and I was the lead on application development and deployment — I never once heard the term “SBOM.” So, I was kind of caught by surprise where here I am going to be the principal investigator on researching SBOMs and trying to figure out what’s going on in that space. So, I of course enlisted a lot of experts to help me figure out what kind of questions to ask although I had a whole bunch in my pocket that I thought were important. So, that was the genesis of the research.
Shimel: Absolutely. And, you know, first of all, congratulations on spinning this up over there. I think it’s a natural fit for this kind of increased scope of the Linux Foundation. You know, I learned this lesson Steven when I was at StillSecure and we sold a lot of security stuff to the U.S. government. The acronyms, when you’re in it, you know you take them for granted. Yeah, SBOM! Other people listening to this, right, especially my non-security or maybe non-developer team maybe saying, “SBOM” and they think “Are we cursing? Are we terrorists? What the heck is an SBOM?” You know, I think we got to — we should start there; right? Software bill of materials, SBOM. That’s SBOM.
You know, I don’t know if many of our audience ever heard the term SBOM prior to maybe a year ago now when we saw a spade of the — or the first kind of really big public software supply chain attacks. Right? SolarWinds was one. We saw others. Then, of course, there was the executive order out of the White House calling for a software bill of materials on all software. There was recently an opensource security summit over in Washington and again SBOM was a prominent topic of discussion. So, it is, no, we’re not making up another crazy name for you folks to learn. It really has become a really, really timely, important idea of how we can help secure things.
Hendrick: That’s right.
Shimel: When you live in a world where 85 percent or 75 percent of the software code in any given application is third-party usually opensource components they glued together, knowing what those components are is oftentimes the threshold question to knowing how to secure it and what you got. So, I mean, I don’t want to diminish for a second, this is real important stuff. I don’t care what you call it. Anyway, I’ve said my piece and now it’s up to you. Tell us about the survey.
Hendrick: Okay. Well, first, let me just give you a quick rundown on what an SBOM is because if you’ve got listeners who are not familiar with the term then it’s really good for me to put this in place. I’m going to go through it real fast, though, because I want to get to the findings of the survey. So, what an SBOM is essentially it provides information about the software component. The genesis of SBOMs was like ten years ago and it was typically very much focused on information, what license is in place for the component, where the dependencies for the component, and a lot more metadata about what’s going on with the component itself.
So, that started about ten years ago. About five years ago, there was a transition that started because security began to get more and more important. So, what has happened is there has been a shift in the last couple of years to adding on to what an SBOM is so that we can essentially talk more about security issues and identify vulnerabilities and add information like cash totals so that you can do reproducible builds of the component. So, a lot of information to be able to help lockdown the component and also identify through links out to the national registries of vulnerabilities you know, what current and emerging vulnerabilities the component has because that’s the kind of information necessary so you can make an educated decision about “Do I want to rely on this component from the standpoint of the software that I’m building?”
And Alan, you’re exactly right, 98 percent of the organizations that were in our survey use opensource software and 95 percent of them were concerned about software security. So, yes, SBOMs are not a solution to the security problem but they are a great enabler to being able to help solve security problems. So, let me just kind of run down what’s in an SBOM.
You got a software identifier, you have identification of software dependencies, you’ve got license information, you have a link to known vulnerabilities because that can be potentially a kind of complex — that’s an ever-changing, complex list so you don’t want to package that in the SBOM but you do want a link so you can go out and at any time either push, pull, find out what those vulnerabilities are. You’ve got a hashtag that will allow you to verify the integrity of the component. The information in an SBOM is machine-readable and generatable. And it really provides organizations with a good way to understand risk and mitigate risk when it comes to the opensource components that they use. And ultimately, the closed-source ones as well.
Okay, so that’s kind of a rundown of what’s in an SBOM. Now, from the standpoint of the research that we did, you know, I got together with a lot of experts and we’ve got quite a few inside the Linux Foundation. So, we put our heads together to build the survey instrument. We went out into the field August of last year so we are a couple months behind the executive order. I think that was useful to some extent. When we surveyed organizations, 80 percent of them — actually 79 percent of them — were end-use organizations and 21 were vendors. So, I wanted a smattering of vendors in there because I thought the vendor perspectives may be a little different than end-users. Worldwide survey, 45 percent America, 40 percent EMEA, 15 percent AP. The source came from a panel provider that I have used a lot and very trustworthy in the IT space as well as Linux Foundation community.
I was very nervous being new to the Linux foundation about the integrity of the community so I did significance testing against the Linux Foundation sample versus the sample I got from a third party. Oddly enough — because I thought there would maybe be a bias, a pro-SBOM bias built into the Linux Foundation community. What happened was just the opposite. We found that in the third panel senior IT guys at organizations, from that view of the world, they were actually more big for SBOMs than the Linux Foundation. That was just remarkable.
So, I was actually sort of glad to see that in some ways. I mean, I think ultimately, at the end of the day, I’d like there to be no significant difference between the samples but I’ll take this one as a win and because of the stronger emphasis of the panel on SBOMs, that means that the data I’m going to be talking about is actually somewhat more conservative in its orientation because it’s being pulled down by what the Linux Foundation community members said.
Okay, so that’s what we did. We published this survey just yesterday. If you want the results, the report I wrote — the 72-page report — is on the Linux Foundation site. If you just go to the homepage on Linux Foundation, you can click on the press release. In that press release, there is a link to where you find the survey on the site — not the survey, I mean the report.
Shimel: Nice. The results now.
Hendrick: That’s right. It was sort of a longwinded but there’s a lot of good data in there and I’m sure it will be really interesting to a lot of people. So, let me talk about just some of the important findings. I think this is probably what we want to spend the rest of the time on. Then, we can decide once I’ve given you the important findings, we can figure out where to go from there. So, as I mentioned, I didn’t know anything about SBOMs before I showed up at Linux Foundation although I understood DevOps and DevSecOps. So, one of the things I wanted to do was — I wanted, in a very structured way to understand what is the adoption of SBOMs because I was very concerned that very little was going on out there in the industry. I mean, none of the vendors were talking about it seemingly at least not back in the era of when I was designing this survey instrument.
So, the software SCA vendors, the software composition analysis, guys probably came the closest. I know those guys have been working on this for a while although I still hadn’t heard much about SBOM terminology. So, I wanted to find out what kind of penetration is going on? What’s the adoption? What’s happening out there? What is really remarkable is that — so, I have a series of questions that I asked on both the production and consumption side of SBOM because, you know, if you’re a vendor, you’re going to be producing them because they’re going to have to go along with the commercial software you’re selling. If you’re an end-user, you’re more likely to be consuming them and wanting to be able to understand dependencies and vulnerabilities so you can make the right decisions about how to use the potential components. So, what we found was that 47 percent of organizations today are producing and/or consuming SBOMs.
Shimel: Wow, that’s much higher than I would think!
Hendrick: Well, when I say they’re producing or consuming, they can be producing sort of a few business units can be producing, or some, or many, or nearly all.
Shimel: Still more than I thought, Steven.
Hendrick: Well, that’s right and what was really interesting was that breaking down that 47 percent we have 14 percent that were producing SBOMs across nearly all of their business segments and 7 percent that had basically built SBOMs in as a standard practice. So, they’re doing it all the time. So, that’s a total of 21 percent. So, 40 percent of that 47 percent are deeply into SBOMs. That was a mind-blowing realization.
Shimel: Yeah, yeah! I’d like to — do you know how long they’ve been doing that?
Hendrick: I don’t know how long. No, I can’t answer that question.
Hendrick: But what also is really interesting is — okay, beyond the 47 percent what’s going on? We had 40 percent who said “We plan to do SBOMs in the next six to 24 months.” And I broke that down in a very detailed way. I had the next six months, the next 18, or the next 24. So, I was able to understand what the adoption was going to be of SBOMs in 2022 and 2023. So, I could back into growth rates and ultimate forecast penetration rates. So, what that all means is that we’ve got 47 percent using SBOMs in some capacity of organizations. There’s going to be up to 66 percent growth in 2022 in this “SBOM market” of organizations wanting to jump on board and begin doing SBOMs. That’s going to drive the penetration from 47 up to 78 percent. Then, in 2023, we’re going to have significantly less growth because penetration is already pretty high. We’ll have 13 percent growth in 2023. That will increase penetration from 78 to 88 percent which is a very high number.
But considering what the executive order said, which is that if you want to provide software to the federal government, it’s going to have to have an SBOM that comes along with it. So, you can see why many organizations be they vendors or end-users are very interested in getting on the bus here. So, that was just remarkable.
From here, we have a couple of choices. We can talk about, you know, going a little beyond the boundary of SBOMs and talk about important activities for securing the supply chain. We can talk about SBOM benefits, we can talk about concerns, we can talk about what organizations need to know to be able to move forward with all this. Do you got a particular topic you want to pick?
Shimel: So, Steven, here’s the conundrum. These are 15-minute interviews and we’re at about 18. I have a panel that I need to record at the top of the hour. So, here’s what I’d like to do: number one, let’s get people over to the site to download the report itself. Then, what I’d like to do, Steven, is let’s schedule a part two of this and we won’t do any of this preliminary stuff that we wasted — well, we didn’t waste, but —
Shimel: You know, we took half our interview on and we’ll jump into that. How does that sound?
Hendrick: That sounds like a great idea.
Shimel: All right. Remind people again, where can they go get this report?
Hendrick: Go to the Linux Foundation site.
Shimel: And that’s linux.org right? Or is it linuxfoundation.org?
Hendrick: Linuxfoundation.org. Just put in “Linux Foundation.” There’s only one. On the home page, there’s a press release. Inside that press release, about halfway down, is a link where you can actually go to download the document. You don’t have to put in your name or any of that. Just go to the landing page, pull it down, and have fun doing some reading.
Shimel: Excellent. Steve, thanks so much for coming on. We’ll get you scheduled for a part two on this so stay tuned. Keep up the great work. It’s a great start to the Linux Foundation research team and looking forward to big things.
Hendrick: Okay thanks so much Alan.
Shimel: Thank you. Steve Hendrick, Linux Foundation Researcher on TechStrongTV. We’re going to take a break and we’ll be right back.