In the past few years, software supply chain security has become a topic of interest for governments and regulators thanks to enormous breaches (like log4j and SolarWinds).
For example:
- In May 2021, U.S. President Biden issued an executive order calling for critical industries to begin requiring a software bill of materials (SBOM) from vendors.
- In June 2022, the Canadian House of Commons proposed a bill on third-party liability in the summer of 2022.
- In September 2022, the U.S. Senate introduced a bill for the Securing Open Source Software Act of 2022.
With the growing interest in software bill of materials (SBOM) management from world governments, you might be wondering, “Where is this all leading?”
Based on trends in politics, the history of cybersecurity, and our own industry experience, we’ve put together a list of things that you can expect to happen in the near future of SBOM and software supply chain security management. We’ll unpack them all in detail, but in brief:
- Prediction 1: Highly regulated industries will be the SBOM early adopters
- Prediction 2: SBOM infrastructure norms will be specific to early-adopting industries
- Prediction 3: Other critical infrastructure industries will only adopt SBOM practices when required to
- Prediction 4: Crime and legislation will be the primary drivers of SBOM adoption
- Prediction 5: SaaS and open source communities will leapfrog the early adopters
- Prediction 6: SBOM fraud will have its day (and stricter regulation will follow)
- How to prepare for the future of SBOM
Read along to see why we’re expecting this for the future of software security.
Prediction 1: Highly regulated industries will be the SBOM early adopters
Regulators and policymakers are keen to keep vital parts of commercial and societal infrastructure secure. As cybersecurity law continues to address software supply chain security, we expect that early mandates will target organizations in industries that are already subject to high security regulations. Some of these industries, like finance and telecommunications, are already preparing for SBOM practices in the wake of the political activity mentioned earlier.
Because government entities, banks, and telecom companies will require SBOMs from their vendors, we naturally expect these vendors to be the first to adopt SBOM generation practices as the norm. Adopting these will be essential to continuing longstanding business partnerships, so vendors will find ways to implement these practices for their highly regulated customers.
This is in keeping with how industries have adopted other cybersecurity standards. In 2021, the Institute of Electrical and Electronics Engineer conducted a study regarding the adoption of ISO/IEC 27001 security standards by companies in Germany. Sectors such as information and communication, finance, and public utility had much higher observed adoption rates than sectors like construction and retail—and consulting services companies had a disproportionately high adoption rate as well.
Adopting software supply chain security practices won’t necessarily be easy for these vendors or their customers, so we expect to see some of the following subtrends emerge soon:
-
Increased literature from governments regarding requirements, use cases, and implementation of software supply chain security. For example, the U.S. National Telecommunications and Information Administration has already published a small library of documents to help organizations understand and implement SBOM practices themselves. However, most of this material was published in the years 2019–2021. In the near future (as SBOM laws and mandates come into full effect), we expect to see more documentation and a library that stays up-to-date.
-
A rise in demand for in-house software supply chain security expertise. SBOM domain knowledge will become a sought-after skill when recruiting IT and security leadership—and more companies in these industries will staff positions dedicated to SBOM practices.
-
Because vendors will want to become SBOM-compliant quickly, we can also expect to see more SBOM consultants. Individuals with in-house SBOM implementation and change management experience will realize that the supply-demand environment is in their favor, and begin consulting multiple clients as independent contractors. Large consulting firms will take advantage of the hype and begin offering these implementation services themselves as a way to expand existing accounts and initiate new client relationships.
Prediction 2: SBOM infrastructure norms will be specific to early-adopting industries
Because these industries have the most incentive to adopt SBOM practices, they will be the ones who shape the early infrastructure around these practices. This will be a collaborative, decentralized process involving the regulated organizations, their vendors, and the regulators themselves.
For the industries themselves, this will be a process of adopting tools and operations that keep them in the compliant zone. These agents are categorically slow-moving, and so they will gravitate toward solutions that check compliance boxes in the least invasive way possible.
For vendors who only serve a few customers in these industries, SBOM practices will be customer-led and customer-specific: XYZ Bank will make their SBOM requirements known to vendors, and the vendors will meet them on an account-by-account basis. Vendors whose business relies on this customer base, on the other hand, will take note of what these customers are asking for, and develop in-house SBOM policies that satisfy all or most vendors’ needs—this will be necessary to build and maintain confidence, streamline the customer onboarding process, and expedite sales cycles.
For regulators, this will be a process of tightening, tweaking, and troubleshooting the rulebook. Regulators who prefer a top-down approach will impose rules, see what happens, and adjust them for future success. Those who prefer a more collaborative approach will work with the industries (and possibly notable vendors) to find ways to maintain a high level of security without impeding business operations.
The outflow of this process will be a mix of official and unofficial best practices for SBOM compliance, including implementation frameworks, standard operating procedures, and of course, preferred formats and tools.
This is how we expect the SBOM infrastructure to develop within the industries that are already under pressure to up their software supply chain security—but what about the critical infrastructure industries that aren’t highly regulated in this regard?
Prediction 3: Other critical infrastructure industries will only adopt SBOM practices when required to
Security is absolutely vital to financial and telecom companies’ abilities to do business and foundational for stable and trustworthy government operations. It would be disturbing to find out that your company’s 401k provider (or your country’s department of defense) had been hacked, but you might not be so worried if you heard the same about your electricity provider.
Not every critical infrastructure industry sees an airtight SBOM as a critical business priority, and so we expect that industries like healthcare, agriculture, and energy will not adopt SBOM practices until they have to.
We’ve seen this play out before. In 2014, the National Institute of Standards and Technology (NIST) issued its Framework for Improving Critical Infrastructure Cybersecurity—pursuant to a 2013 executive order to improve critical infrastructure cybersecurity. But as of February 2022, the Government Accountability Office found that only three of the sixteen critical infrastructure sectors in the country had adopted the framework. (Two other industries had taken some first steps, and the rest hadn’t made any measurable progress at all.)
So what will push these industries to start using SBOMs? Enter our next prediction.
Prediction 4: Crime and legislation will be the primary drivers of SBOM adoption
Since it’s unlikely that industry sectors will adopt SBOM practices voluntarily, we see two main catalysts driving adoption in the future: crime and legislation.
Hackers will continue to find new ways to exploit transitive vulnerabilities. Malware agents will continue to test the limits of how much companies will pay to make a problem go away. And as other sectors secure their supply chains, digital ne’er-do-wells will find less-secure sectors to be more lucrative targets.
As this happens, the unlucky victims of these attacks will seek out ways to keep them from happening again. (And some companies will adopt stricter software supply chain security practices so that the same thing doesn’t happen to them.)
Especially catastrophic breaches (think SolarWinds) will prompt government action, and cybersecurity policymakers will propose more acts to mitigate these threats—sometimes at the industry level, sometimes in a broader sense. This will raise the minimum security requirements in these slow-to-adopt sectors as well.
Some legislation may grant positive incentives for companies who meet certain levels of non-mandatory compliance. Other laws might impose fines, penalties, and possibly more severe punishments on organizations that don’t stay compliant on this front.
In the future, industries will find themselves squeezed into SBOM adoption by hackers on one side and the government on the other.
Prediction 5: SaaS and open source communities will leapfrog the early adopters
When industries are ready to take SBOM seriously, who will be there to help them adopt it? Enterprise cloud-based SaaS!
Because the early years of SBOM adoption will be focused on highly regulated industries, most of the standard operating procedures will be specific to those sectors. When new sectors begin looking for ways to protect their software supply chain, they’ll need solutions that can be easily implemented in their own industries.
SaaS vendors will be the most likely to fill the gap. They’ll notice the growing demand and meet it with cloud-based security services. Enterprise cloud-based SaaS companies have already had to overcome rigorous security screenings in order to offer their other services—so they will be the prime candidates for offering compliant and secure software supply chain security solutions to industries new to the discipline.
We expect the tech giants to develop and offer SBOM solutions to enterprise clients in the future. We also expect nimble startups to emerge, perfecting smaller functions of supply chain security (and likely being acquired by larger players).
In addition, open source communities may become a source of SBOM solutions as well. While it would be difficult to impose supply chain security regulations on open source authors, it’s possible that leaders in the community will come to see security as an altruistic cause. (What’s better than giving someone a free meal? Giving them a free meal with a transparent list of ingredients!)
If both of these predictions are true, we will have a scenario in which enterprise SaaS makes SBOM management easier on the vendor-customer side, while open source communities make it easier on the product development site. At this point, SBOM management infrastructure will break out of the highly regulated enclave and become more accessible to all industries.
Prediction 6: SBOM fraud will have its day (and stricter regulation will follow)
There will always be someone who tries to game the system. If SBOM management becomes the expected norm, eventually, there will be those who wonder, “What corners can I get away with cutting?”
Ideally, SBOMs will be publicly available and easy to check from the outside. However, if customers and auditors become lax in doing their due diligence (or just overwhelmed by the sheer number of SBOMs they’re responsible for checking), then fraudulent SBOMs will be able to slip through the cracks.
Eventually, this will become a concerning enough issue to excite the original SBOM adoption catalysts: crime and legislation. Fraudulent SBOMs will leave customers vulnerable to hackers, which will lead to more breaches, which will lead to stricter regulations and auditing practices.
How to prepare for the future of SBOM
These are our predictions for the future of software supply chain security management based on both history and our experience in the industry. If you’re an enterprise software customer, we recommend getting ahead of the game: start talking to your vendors about their SBOMs, and consider using a software composition analysis tool that allows you to check your vendors SBOMs yourself (like MergeBase).
If you’d like to explore how MergeBase can help you prepare for the future of software supply chain security, book a demo with us—we’ll show you how it works!
