300 million!

Note from Tom 4/27/2023: I haven't received any updates on these numbers since I wrote the post below, but it's safe to say that the number is well over 300 million now. 

Last April, I put up a post about the fact that Steve Springett’s Dependency-Track was being used 200 million times a month to look up components listed on an SBOM in the OSS Index open source vulnerability database; last fall, I updated that number to 270 million. So I was quite pleased today to hear from Steve that the number is now a nice round 300 million per month. In other words, use of Dependency-Track is growing more than 50% a year.

Of course, the point of my post wasn’t so much to laud Dependency-Track (although I do want to point out that D-T just celebrated its tenth birthday. This is quite interesting, because just about nobody was talking about SBOMs ten years ago). Rather, it was to show that SBOMs, even though they’re currently being used almost exclusively by software developers for product vulnerability management purposes (and there are many other tools like Dependency-Track, that are also being heavily used), clearly are needed just as much by their customers.

But the customers aren’t asking for them. Why aren’t they?

Good question…

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.