In this article, we provide our viewpoints on some important challenges to scaling SBOM adoption in favour of improving software supply chain security (SSSC) and propose action items to alleviate these challenges.
Open-source software (OSS), with and without AI/ML components (e.g., code, libraries, pre-trained models), forms the backbone of the ever-growing and increasingly complex software supply chain. For example, the widely popular Hugging Face model hub hosts more than 60K pre-trained models (PTMs) for public use in developing new AI software for various end-user and business applications. Enterprises around the globe run their business tasks and processes on software that integrates (AI/ML) components from multiple vendors. Statistics estimate that approximately 90 percent of commercial software products are either OSS components or proprietary packages built with third-party software components. In other words, complex and evolving dependencies intrinsically characterise the modern software product.
The Software Bill of Materials (SBOM) family, which emerged in the early 2010s and today includes AIBOMs and DataBOMs, comprises records that facilitate the management of software dependencies, with the primary objectives of vulnerability management, enhanced software license compliance, and increased transparency in a software supply chain. After all, transparency yields trust, and trust yields security, which might contribute to the business competitiveness of SBOM-adopting enterprises. SBOMs are popularly reported using SPDX, CycloneDX and SWID as standard formats. However, it was not until 2021, after the SolarWinds and Log4j cyber-attacks, that the US government formally pushed the adoption of SBOMs by requiring all companies selling software to the US government to provide SBOMs. Currently, it is not just the US government: multiple US banks, companies across the Fortune 500, and organisations across Europe, India, and the Asia-Pacific are embracing SBOM programs to achieve software supply chain transparency, trust, resilience and security, and to mitigate the impact of systemic cyber risk. The not-so-good news for the business world, largely driven by software supply chains, is that SBOM adoption rates are far below benchmark standards. Fewer than 20 percent of business organisations receive SBOMs along with their third-party software components. This is a grossly below-par number if the vision is to improve the resilience of software supply chain networks that are becoming increasingly pervasive in societal applications.
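To make concrete what "a record that facilitates dependency management" means in practice, the following is an added example (not code from the article or from any of the organisations it names) that consumes a small CycloneDX-style JSON SBOM and applies the two primary objectives named above: matching components against a vulnerability advisory feed and checking their declared licences against a policy. The SBOM document, the package names and URLs, the advisory identifiers (`ADV-EXAMPLE-…`) and the licence policy are all constructed for illustration; none refers to a real package or a real vulnerability.

```python
"""
Minimal consumer of a CycloneDX-style SBOM (JSON): parses the component list,
matches package URLs (purls) against an advisory feed, and flags components
whose declared licence violates a policy. Everything below is constructed
for illustration (no real packages, advisories or vulnerabilities).
"""
import json
from dataclasses import dataclass

# Constructed SBOM in the shape of a CycloneDX JSON document. The last
# component deliberately lacks a purl to show the matching caveat.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "example-app", "version": "2.0.0"}},
  "components": [
    {"type": "library", "name": "examplelib", "version": "1.2.3",
     "purl": "pkg:pypi/examplelib@1.2.3",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "netparse", "version": "0.9.1",
     "purl": "pkg:pypi/netparse@0.9.1",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "machine-learning-model", "name": "sentiment-ptm", "version": "3",
     "purl": "pkg:huggingface/example-org/sentiment-ptm@3",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "legacy-util", "version": "0.1",
     "licenses": [{"expression": "MIT OR BSD-3-Clause"}]}
  ]
}
"""

# Constructed advisory feed keyed by purl; identifiers are placeholders.
ADVISORIES = {
    "pkg:pypi/netparse@0.9.1": ["ADV-EXAMPLE-0001"],
}

# Constructed licence policy: strong-copyleft licences denied in this product.
DENIED_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}


@dataclass
class Component:
    name: str
    version: str
    purl: str          # empty string when the SBOM supplies no purl
    licenses: list[str]


def parse_sbom(text: str) -> list[Component]:
    """Parse the components of a CycloneDX JSON SBOM into Component records."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    out = []
    for c in doc.get("components", []):
        lic_ids = []
        for entry in c.get("licenses", []):
            if "license" in entry:          # {"license": {"id"|"name": ...}}
                lic = entry["license"]
                lic_ids.append(lic.get("id", lic.get("name", "UNKNOWN")))
            elif "expression" in entry:     # SPDX licence expression string
                lic_ids.append(entry["expression"])
        out.append(Component(c["name"], c.get("version", ""),
                             c.get("purl", ""), lic_ids))
    return out


def vulnerable_components(components, advisories):
    """Return {purl: [advisory ids]} for components with a known advisory."""
    return {c.purl: advisories[c.purl] for c in components if c.purl in advisories}


def license_violations(components, denied):
    """Return {name: [denied licence ids]} for components under a denied licence."""
    hits = {}
    for c in components:
        bad = [lic for lic in c.licenses if lic in denied]
        if bad:
            hits[c.name] = bad
    return hits


def unmatchable(components):
    """Components without a purl cannot be matched to an advisory feed at all;
    a consumer should surface them rather than silently treating them as clean."""
    return [c.name for c in components if not c.purl]


def triage(text=SBOM_JSON, advisories=ADVISORIES, denied=DENIED_LICENSES):
    comps = parse_sbom(text)
    return {
        "components": len(comps),
        "vulnerable": vulnerable_components(comps, advisories),
        "license_violations": license_violations(comps, denied),
        "unmatchable": unmatchable(comps),
    }


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

The `unmatchable` list is the part worth noting: an SBOM only delivers vulnerability management if its components carry stable identifiers such as purls, so a consumer should treat identifier-less entries as unknown risk rather than as absent risk.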
[This article has been published with permission from IIM Calcutta. www.iimcal.ac.in Views expressed are personal.]