- Three-quarters of enterprises in the U.S. and U.K. have implemented software bills of materials since the Biden administration issued an executive order to bolster cybersecurity in 2021, according to a report Sonatype released Thursday.
- About 60% of enterprises now require businesses they work with to have an SBOM in place, according to the report. The research, conducted by Censuswide in May 2023, was based on a study of 217 IT directors who oversee security at companies with more than $50 million or 50 million British pounds in annual revenue.
- The new focus on software security was fueled in large part by events like the Log4j crisis, which forced companies across the globe to accelerate adoption of new policies and technologies to quickly find and mitigate vulnerabilities in widely used applications.
The 2021 executive order was part of a wider effort by the Biden administration to bolster software security in the wake of the Russia-linked supply chain attacks against SolarWinds, where state-sponsored hackers inserted malware into the company’s Orion IT monitoring platform.
As a result, thousands of organizations that used the software were put at risk as hackers gained access to major computer networks at private-sector companies and government agencies. The same threat actors, dubbed Nobelium by Microsoft, launched attacks against numerous other technology companies as well.
The Biden executive order called for companies doing business with the federal government to implement SBOMs, which effectively forced federal contractors to account for the security of their software.
Sonatype officials say the mandates under the executive order have had a carryover effect to vendor relationships in the private sector.
“I am incredibly encouraged by both the number of companies using SBOMs and the number that are requiring their vendors to use SBOMs,” Ilkka Turunen, field CTO at Sonatype, said via email. “It is evident that greater attention to software supply chain security at the federal level does indeed spur change.”
Beyond the original 60%, another 37% said they expect to have an SBOM mandate in the future, which reflects an evolution of software-procurement policies.
The study indicates companies are investing in technologies to monitor software security, including vulnerability scanning, software composition analysis and supply chain automation.