The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness

Abstract

The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness, produced in partnership with SPDX, OpenChain, and OpenSSF, reports on the extent of organizational SBOM readiness and adoption and on its significance for improving cybersecurity throughout the open source ecosystem. The study comes on the heels of the US Administration’s Executive Order on Improving the Nation’s Cybersecurity and the disclosure of the recent, far-reaching log4j security vulnerability. Its timing coincides with growing recognition across the globe that identifying software components matters, and that widespread implementation of cybersecurity best practices must be accelerated to mitigate the impact of software vulnerabilities.

What is an SBOM?

An SBOM is formal, machine-readable metadata that uniquely identifies a software package and its contents; it may include other information about those contents, such as copyright and license data. SBOMs are designed to be shared across organizations and are particularly helpful in providing transparency into the components delivered by participants in a software supply chain. Many organizations concerned about software security are making SBOMs a cornerstone of their cybersecurity strategy. The report offers fresh insight into the state of SBOM readiness among enterprises across the globe, identifying patterns among innovators, early adopters, and procrastinators. Differentiated by region and revenue, these organizations reported their current SBOM production and consumption levels and the motivations and challenges regarding their present and future adoption. This report is for organizations looking to better understand SBOMs as an important tool in securing software supply chains and why the time to adopt them is now!
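To make the definition above concrete, the following is an added example written for this page; it is not code from the report, from SPDX, or from The Linux Foundation. It constructs a small SBOM in the SPDX 2.3 JSON shape (the field names are SPDX's own; the application "acme-web", its version, namespace, copyright line and the listed component versions are all made up) and then consumes it the way a downstream organization would: validating the required fields, flattening the package list into an inventory with licenses and package URLs, answering "which versions of component X are in this software?", and walking DEPENDS_ON relationships. The log4j artifacts appear only because the abstract mentions that vulnerability; the code records no claim about any version's vulnerability status.

```python
"""Minimal SPDX-style SBOM producer and consumer (added example, not the report's code)."""
import json
from collections import defaultdict

# Constructed sample SBOM in SPDX 2.3 JSON form for a hypothetical application "acme-web".
# Component names are real open source libraries; versions, namespace and copyright are invented.
SAMPLE_SBOM_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "acme-web-1.4.0",
    "documentNamespace": "https://sbom.example.com/acme-web-1.4.0",
    "creationInfo": {"created": "2022-01-15T10:00:00Z",
                     "creators": ["Tool: example-sbom-gen-0.1"]},
    "packages": [
        {"name": "acme-web", "SPDXID": "SPDXRef-acme-web", "versionInfo": "1.4.0",
         "downloadLocation": "NOASSERTION", "licenseConcluded": "Apache-2.0",
         "copyrightText": "Copyright 2022 Acme Corp (constructed)"},
        {"name": "log4j-core", "SPDXID": "SPDXRef-log4j-core", "versionInfo": "2.14.1",
         "downloadLocation": "NOASSERTION", "licenseConcluded": "Apache-2.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]},
        {"name": "log4j-api", "SPDXID": "SPDXRef-log4j-api", "versionInfo": "2.14.1",
         "downloadLocation": "NOASSERTION", "licenseConcluded": "Apache-2.0"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-acme-web"},
        {"spdxElementId": "SPDXRef-acme-web", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-log4j-core"},
        {"spdxElementId": "SPDXRef-log4j-core", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-log4j-api"},
    ],
})

# Fields SPDX 2.3 makes mandatory at document and package level (subset used for this check).
REQUIRED_DOC_FIELDS = ("spdxVersion", "dataLicense", "SPDXID", "name",
                       "documentNamespace", "creationInfo")
REQUIRED_PKG_FIELDS = ("name", "SPDXID", "downloadLocation")


def load_sbom(text):
    """Parse SBOM JSON text into a fresh dict (callers may mutate the result freely)."""
    return json.loads(text)


def validate(sbom):
    """Return a list of problems; an empty list means the document is usable for the checks below."""
    problems = [f"missing document field: {f}" for f in REQUIRED_DOC_FIELDS if f not in sbom]
    known_ids = {sbom.get("SPDXID")}
    for pkg in sbom.get("packages", []):
        problems += [f"package missing {f}: {pkg.get('name')}" for f in REQUIRED_PKG_FIELDS
                     if f not in pkg]
        known_ids.add(pkg.get("SPDXID"))
    # Every relationship must point at elements that actually exist in this document.
    for rel in sbom.get("relationships", []):
        for key in ("spdxElementId", "relatedSpdxElement"):
            if rel.get(key) not in known_ids:
                problems.append(f"relationship references unknown element: {rel.get(key)}")
    return problems


def inventory(sbom):
    """Flatten the package list into (name, version, purl, concluded license) tuples."""
    rows = []
    for pkg in sbom.get("packages", []):
        purl = next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        rows.append((pkg["name"], pkg.get("versionInfo", "NOASSERTION"), purl,
                     pkg.get("licenseConcluded", "NOASSERTION")))
    return rows


def find_versions(sbom, package_name):
    """Versions of a named component present in the SBOM: the 'is it in our software?' question."""
    return sorted(v for n, v, _, _ in inventory(sbom) if n == package_name)


def transitive_dependencies(sbom, root_id):
    """Follow DEPENDS_ON relationships from root_id; returns the set of reachable SPDXIDs."""
    edges = defaultdict(list)
    for rel in sbom.get("relationships", []):
        if rel.get("relationshipType") == "DEPENDS_ON":
            edges[rel["spdxElementId"]].append(rel["relatedSpdxElement"])
    seen, stack = set(), [root_id]
    while stack:
        for dep in edges.get(stack.pop(), []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


SBOM = load_sbom(SAMPLE_SBOM_JSON)

if __name__ == "__main__":
    print("validation problems:", validate(SBOM))
    for row in inventory(SBOM):
        print(row)
    print("log4j-core versions present:", find_versions(SBOM, "log4j-core"))
    print("acme-web depends on:", sorted(transitive_dependencies(SBOM, "SPDXRef-acme-web")))
```

The consumer side is where the transparency benefit shows up: once a supplier's SBOM is in hand, a single name lookup or dependency walk replaces a manual audit of what shipped, and the validation step catches documents too incomplete to trust for that purpose.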

Authors

  • Stephen Hendrick, VP Research, The Linux Foundation
  • With a foreword by Jim Zemlin, Executive Director, The Linux Foundation

More About LF Research

Open source communities are at the heart of an explosion of technical innovation, where industry leaders, engineers, and end users are collectively creating and improving the digital infrastructure on which the global economy depends.

With an extensive community of members, connections with thousands of companies, and hundreds of thousands of open source contributors, professionals, solution providers, and users, the Linux Foundation is in a unique position to investigate the growing scale of open source collaboration and to provide insights into emerging technology trends, best practices, and the global impact of open source projects.

By leveraging project databases and networks, and through a commitment to best practices in quantitative and qualitative methodologies, Linux Foundation Research is designed to be the go-to repository for open source insights for the benefit of organizations and governments the world over.