Software development has been transformed since the introduction of the Biden administration’s executive order (EO) to improve cyber security across the US.
The EO was designed to bolster defenses against cyber attacks and was primarily focused on federal agencies and contractors. However, research has shown that it has impacted organizations in both the US and UK.
A key tenet of the order was a requirement for companies to implement a software bill of materials (SBOM) to ensure robust cyber security hygiene.
More than three-quarters (76%) of enterprises surveyed in the UK and US have since adopted an SBOM, and 16% plan to in the future, Sonatype revealed in its latest research.
Only 4% reported that an SBOM had been adopted more than three years ago, indicating how rapidly things have changed.
The board's evolving perceptions of cyber risk
78 global CISOs share their recommendations on how to communicate cyber risk as business risk to their C-suite peers and the board.
SBOMs are also becoming an essential procurement requirement, underlined by 60% of respondents reporting that they were required to complete business deals. Just over a third (37%) said they plan to add the requirement in the future.
The survey results, from 217 cyber security directors in companies with revenues of more than £50 million or $50 million in the UK and the US respectively, showed that proper security hygiene is increasingly tied to commercial opportunities as well as government work.
However, the figures also indicated nearly a quarter of respondents are yet to adopt SBOMs.
The reasons for this were varied; almost half said they needed to gain a better understanding of how to implement them or their benefits, while others noted concerns around cost, and nearly a third (32%) reported that they simply needed more staff.
Brian Fox, CTO and co-founder at Sonatype, described SBOMs as just the first step to cyber resilience and noted that more work would be needed, including investment in software composition analysis tools.
What is a software bill of materials?
An SBOM lists everything that goes into a particular application. As well as the components themselves, it also includes information such as the license version and type, such as open-source or commercial, for example.
Spreadsheets and manual files have also been used but are prone to human error and are unsuitable for larger projects that would benefit more greatly from an automated approach - potentially as part of the CI/CD pipeline.
While SBOMs are not a new concept, the high-profile vulnerability in the popular Java logger Log4j highlighted the importance of knowing what is in one’s software supply chain and being prepared to deal with or mitigate the potential impact of breaches.
Despite the signing of the executive order and the implementation of SBOMs by some enterprises, the Log4j vulnerability demonstrated that there remains work to do in order to ensure software supply chain security.
The US has continued to work to bolster security and published the National Cybersecurity Strategy in March 2023. The EU proposed its own Cyber Resilience Act in 2022, highlighting the importance placed on security in both regions.
