Friday, December 8, 2023

500 million!

At the end of January 2023, I was quite pleased when Steve Springett announced at a meeting of the SBOM Forum that Dependency Track, the open source SBOM analysis tool that he pioneered more than ten years ago (when there was almost no discussion of BOMs, except Bills of Material in manufacturing), had reached 300 million monthly uses; that is, DT was being used 10 million times a day to look up vulnerabilities for software components listed in an SBOM.

This showed quite impressive growth, since in April 2022, DT was being used 200 million times a month (itself not a shabby number, of course). BTW, Steve also leads the CycloneDX (CDX) project. CDX gets heavy usage, but since that doesn’t get tracked like DT usage, I don’t think Steve has that estimate. I do know that he says over 100,000 organizations use CDX.

In today’s OWASP SBOM Forum meeting (we added a prefix to our name recently!), Steve mentioned Dependency Track in a different context, and I remembered that I hadn’t had an update on DT usage since January – so I asked him what it was. He obviously hadn’t thought about it too much, but then he remembered that usage is now around 500 million a month (i.e., almost 17 million lookups a day); he wasn’t even quite sure how much of an increase that was (I, on the other hand, would have been shouting it from the virtual rooftops).

Note: That’s 66% growth in 10 months. The growth rate from April 2022 through the end of January 2023, a total of 9 months, was 50%. So not only is DT growing rapidly, but that growth is accelerating. As you probably know, it’s rare for any process to accelerate as it matures. The only other such process I know of is the expansion of the universe, which cosmologists have been baffled to report is now expanding at an accelerating rate. That will ultimately result in the entire universe going dark in about 100 trillion years. At least when that happens, global warming will no longer be a concern.

Steve then mentioned that private organizations are putting Dependency Track on steroids, so that one instance of the software will be able to perform hundreds of thousands, and ultimately millions, of lookups a day (I may not have remembered the exact numbers Steve used). When that happens, DT will perform billions of lookups a month, not millions.

But Steve also mentioned something else, which he’s said all along: Almost all the usage of DT is by software developers trying to learn about vulnerabilities affecting a product they’re developing. Very little of this impressive usage is by organizations whose primary business isn’t software development – you know, insurance companies, fast food chains, government agencies, churches, auto manufacturers, etc.

Of course, if developers are paying much more attention to fixing the vulnerabilities in their products than before (which they obviously are), that’s a good thing and it still benefits all their users. But SBOMs have been sold all along (including by me, of course) as a solution that any organization will be able to benefit from. That simply ain’t happening to any significant degree. It’s like someone set out to walk from Manhattan to LA, and one day they proudly announced that they’d reached Hoboken, NJ (just across the Hudson River from Manhattan). Sure, that’s progress…but there’s still a very long way to go.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

I lead the OWASP SBOM Forum. If you would like to learn more about what that group does or contribute to our group, please go here, or email me with any questions.
