At the end of January 2023, I was quite pleased when Steve Springett announced at a meeting of the SBOM Forum that Dependency Track, the open source SBOM analysis tool that he pioneered more than ten years ago (when there was almost no discussion of BOMs, except Bills of Material in manufacturing), had reached 300 million monthly uses; that is, DT was being used 10 million times a day to look up vulnerabilities for software components listed in an SBOM.
This showed quite impressive growth, since in April 2022, DT was being used 200 million times a month (itself not a shabby number, of course). BTW, Steve also leads the CycloneDX (CDX) project. CDX gets heavy usage, but since that doesn’t get tracked like DT usage, I don’t think Steve has that estimate. I do know that he says over 100,000 organizations use CDX.
In today’s OWASP SBOM Forum meeting (we added a prefix to our name recently!), Steve mentioned Dependency Track in a different context, and I remembered that I hadn’t had an update on DT usage since January – so I asked him what it was. He obviously hadn’t thought about it too much, but then he remembered that usage is now around 500 million a month (i.e., almost 17 million lookups a day); he wasn’t even quite sure how much of an increase that was (I, on the other hand, would have been shouting it from the virtual rooftops).
Note: That’s 66% growth in 10 months. The growth rate from April 2022 through the end of January 2023, a total of 9 months, was 50%. So not only is DT growing rapidly, but that growth is accelerating. As you probably know, it’s rare for any process to accelerate as it matures. The only other such process I know of is the expansion of the universe, which cosmologists have been baffled to report is now expanding at an accelerating rate. That will ultimately result in the entire universe going dark in about 100 trillion years. At least when that happens, global warming will no longer be a concern.
Steve then mentioned that private organizations are putting Dependency Track on steroids, so that one instance of the software will be able to perform hundreds of thousands, and ultimately millions, of lookups a day (I may not have remembered the exact numbers Steve used). When that happens, DT will perform billions of lookups a month, not millions.
But Steve also mentioned something else, which he’s said all along: Almost all the usage of DT is by software developers trying to learn about vulnerabilities affecting a product they’re developing. Very little of this impressive usage is by organizations whose primary business isn’t software development – you know, insurance companies, fast food chains, government agencies, churches, auto manufacturers, etc.
Of course, if developers are paying much more attention to fixing the vulnerabilities in their products than before (which they obviously are), that’s a good thing and it still benefits all their users. But SBOMs have been sold all along (including by me, of course) as a solution that any organization will be able to benefit from. That simply ain’t happening to any significant degree. It’s like someone set out to walk from Manhattan to LA, and one day they proudly announced that they’d reached Hoboken, NJ (just across the Hudson River from Manhattan). Sure, that’s progress…but there’s still a very long way to go.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
I lead the OWASP SBOM Forum. If you would like to learn more about what that group does or contribute to our group, please go here, or email me with any questions.