A Software Bill of Materials Could Be Required for Applications Soon
Almost half of those surveyed last year by Synopsys believes media coverage has previously caused their organization to place more stringent controls on the use of open source. That was before the SolarWinds attack, so we already expected to see increased adoption. Now, the trend towards software composition analysis (SCA) may be about to accelerate.
The U.S. government is considering issuing an executive order that would require vendors to provide a software bill of materials (SBOMs). This would effectively boost existing industry-specific and cross-industry efforts to standardize the ways we track software dependencies and other metadata. SPDX, SWID and CycloneDX are the most common standards in use so far.
SCA tools often create their own SBOM after scanning the components in an application. That is important but more relevant is what can be done with this inventory. Right now, most organizations have to update old versions manually or mitigate security issues on a case-by-case basis. The future of the market is not being able to create lists but instead being able to automate actions based on those lists.
Source: Synopsys “DevSecOps Practices and Open Source Management“. Note that the report’s sample was heavily tilted towards East Asian respondents from smaller-sized organizations.
