Monday, September 19, 2022

I got a little carried away

Last week, I put up an upbeat post that pointed out that SBOMs are already a great success among software suppliers, since they are using them heavily (literally hundreds of millions of times a month, and billions of times a month if you want to count “use” in a different way) to learn about vulnerabilities in products they’re building. I noted that this was happening in the absence of any significant use by consumers, and I further noted that this wasn’t because at least some suppliers aren’t ready to supply them to their customers, but because their customers aren’t asking for them.

I didn’t go into detail on why consumers aren’t asking for SBOMs now, although I’ve dropped various hints in my posts – lack of free or low-cost tools to utilize SBOMs for vulnerability management, lack of support for SBOMs from vendors of vulnerability and configuration management software, lack of available VEX documents to notify consumers of non-exploitable component vulnerabilities, etc. But I did attribute the fact that so many software suppliers had in recent years “gotten religion” on the need to take responsibility for preventing or fixing vulnerabilities due to components in their software, to the fact that they knew SBOMs were coming. Moreover, they knew their customers were soon going to know about vulnerabilities found in components in their software and continually ask when they were going to fix them.

However, I realized today that there’s a kind of contradiction between those two ideas: that SBOMs aren’t being significantly utilized by consumers today, and that suppliers are anticipating they will be heavily utilized by consumers in the near future. I resolve this by saying that suppliers are wrong if they anticipate SBOMs will be heavily used in, say, the next 2-3 years, but I anticipate they will be after that. I added a couple of paragraphs to last Monday's post to clarify this point.

I have a list of about 8 serious impediments (and there are many less-serious ones as well) to widespread SBOM use. I’m happy to say that one of them is on the road to being resolved, and the informal group responsible for that is now deciding what’s the next impediment we’ll take on. Anyone who’s already familiar with SBOMs and would like to join that effort should drop me an email.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

1 comment:

  1. I neglected to mention that I added a couple of paragraphs to last week's post about this change.
