A new report from LF Research, “The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness”, has revealed that 76% of organizations are considering changes to their cybersecurity strategies as a result of the Executive Order on Improving the Nation’s Cybersecurity issued by President Biden in May 2021. Of those surveyed for the report, 62% are looking for better industry consensus on how to integrate the production and consumption of SBOMs into their DevOps practices.
An SBOM is formal, machine-readable metadata that uniquely identifies a software component and its contents; it may also include copyright and license data. SBOMs are designed to be shared across organizations and are particularly helpful in providing transparency into the components delivered by each participant in a software supply chain. Many organizations concerned about application security are making SBOMs a cornerstone of their cybersecurity strategy.
Key findings from survey participants analyzed for the report include:
- 82% are familiar with the term Software Bill of Materials (SBOM)
- 76% are actively engaged in addressing SBOM needs
- 47% are producing or consuming SBOMs
- 78% of organizations expect to produce or consume SBOMs in 2022, up 66% from the prior year
Survey participants also revealed their top three benefits for producing SBOMs:
- 51% say it’s easier for developers to understand dependencies across components in an application
- 49% state it’s easier to monitor components for vulnerabilities
- 44% noted it’s easier to manage license compliance
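The three benefits above in working form, as an added example that is not from the report or the LF course: a constructed minimal SBOM (field names are assumptions loosely modelled on the NTIA minimum elements, not a real SPDX or CycloneDX document) is consumed to list transitive dependencies, match components against a constructed advisory feed, and flag licenses outside an allowlist.

```python
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}  # constructed policy
# Constructed SBOM. Field names are assumptions shaped around the NTIA minimum
# elements (supplier, name, version, dependencies, SBOM author, timestamp).
SBOM = {
    "author": "example-ci-pipeline",
    "timestamp": "2022-01-15T10:00:00Z",
    "components": {
        "app": {"supplier": "Example Corp", "version": "1.0.0", "license": "Apache-2.0", "depends_on": ["web", "yamlparse"]},
        "web": {"supplier": "Web Project", "version": "2.3.1", "license": "MIT", "depends_on": ["yamlparse", "logfmt"]},
        "yamlparse": {"supplier": "YP Maintainers", "version": "5.3", "license": "MIT", "depends_on": []},
        "logfmt": {"supplier": "Log Devs", "version": "0.9.2", "license": "GPL-3.0-only", "depends_on": ["web"]},  # cycle on purpose
    },
}

# Constructed advisory feed with placeholder ids: versions below `fixed_in` are affected.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "yamlparse", "fixed_in": "5.4"},
    {"id": "EXAMPLE-ADV-0002", "package": "web", "fixed_in": "2.0.0"},  # already fixed in 2.3.1
]

def _vtuple(version):
    """Dotted numeric version -> tuple so that '5.3' < '5.4' and '2.3.1' > '2.0.0'."""
    return tuple(int(p) for p in version.split("."))

def transitive_deps(sbom, root):
    """Benefit 1: every component `root` pulls in, directly or indirectly (cycle-safe)."""
    seen, stack = set(), list(sbom["components"][root]["depends_on"])
    while stack:
        name = stack.pop()
        if name in seen or name == root:
            continue
        seen.add(name)
        stack.extend(sbom["components"][name]["depends_on"])
    return seen

def vulnerable_components(sbom, advisories):
    """Benefit 2: match each recorded name+version against the advisory feed."""
    hits = []
    for adv in advisories:
        comp = sbom["components"].get(adv["package"])
        if comp and _vtuple(comp["version"]) < _vtuple(adv["fixed_in"]):
            hits.append((adv["package"], comp["version"], adv["id"]))
    return sorted(hits)

def license_violations(sbom, allowed=ALLOWED_LICENSES):
    """Benefit 3: components whose declared license is not on the allowlist."""
    return sorted(n for n, c in sbom["components"].items() if c["license"] not in allowed)
```

Run against a real SBOM, the same three functions only need the document's own field names substituted and a proper version-range parser in place of `_vtuple`.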
For those looking to understand SBOMs better and how to create and use them properly, Linux Foundation Training & Certification offers a free online training course, Generating a Software Bill of Materials (LFC192). The two-hour course teaches participants how to identify the minimum elements for an SBOM, how they can be created, and some of the open source tooling that is available to support the generation and consumption of an SBOM.
Additionally, to help more developers improve their cybersecurity skills and practices generally, the Open Source Security Foundation (OpenSSF) partnered with Linux Foundation Training & Certification to create a series of three online courses in Secure Software Development. The program starts with Requirements, Design, and Reuse, which explains how to design software to be secure, including various secure design principles that will help you avoid bad designs and embrace good ones. The second course in the program covers Implementation, focusing on key implementation issues including input validation (such as why allowlists should be used and not denylists), processing data securely, calling out to other programs, sending output, and error handling. The final course explores Verification and More Specialized Topics, which discusses the various static and dynamic analysis approaches, how to apply them, and more specialized topics such as the basics of how to develop a threat model and how to apply various cryptographic capabilities.
Each of the three Secure Software Development courses may be audited at no cost for up to seven weeks, or the three can be combined into a professional certificate through edX, which provides unlimited access to the course materials and a verified certificate of completion.
Be sure to check out the full State of Software Bill of Materials (SBOM) and Cybersecurity Readiness research report. If you have a team that needs to be trained in these or other open source software topics, contact our team for more information.