In an era of increasingly interconnected digital landscapes, the software supply chain is a crucial area to secure, affecting organizations across all sectors. Software supply chain attacks are on the rise among modern threats, and the risks of attacks can be severe and cascading. Black Duck’s 2025 Open Source Security and Risk Analysis (OSSRA) Report found that almost 90% of organizations use open-source software components, yet dependency management remains a major weakness.
What Is an SBOM and Why It Matters
A software bill of materials (SBOM) is a critical aspect of securing software supply chains. It is a comprehensive inventory of the components and dependencies built into an application during development and delivery. SBOMs create transparency and visibility into software components and dependencies, which otherwise are often hidden from software users.
They play an important role in enabling incident response, risk prioritization, and compliance operations. The OSSRA Report cites SBOMs as a vital resource for organizations to aid with a wide variety of security and compliance goals, including risk management, vulnerability management, software quality, and effective software maintenance. Like an itemized receipt detailing information about a purchase or the nutrition facts on food packaging, SBOMs provide crucial context that is needed to ensure the integrity of the product and foster trust and transparency for all involved.
NSA and CISA’s Shared Vision
A recent publication has been jointly authored by the United States National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and international security agencies across Asia, Europe, Oceania, and North America. The cybersecurity information sheet, A Shared Vision of Software Bill of Materials for Cybersecurity, offers insight and suggestions to encourage the use of SBOMs for a range of cybersecurity outcomes.
Some of the key takeaways from the publication are the many benefits of widespread SBOM adoption. These include improved visibility, streamlined security processes, and shared responsibility across producers, buyers, and operators. The inclusion of SBOMs ties into the Secure by Design initiative, emphasizing security and transparency at all steps in the software lifecycle.
The Compliance Challenge
SBOMs play an important role not just in security, but in regulatory compliance. With relationships and supply chains becoming more interconnected and complex, regulatory requirements around supply chain security have also been increasing. The vast web of relationships between links in the software supply chain creates confusion and difficulties regarding accountability, governance, and visibility, creating risks that compliance regulations are developing to address.
Poor dependency management undermines compliance and resilience by preventing a full understanding of the software in use, opening up the possibility of unknown vulnerabilities and dependencies on less secure software. SBOMs are essential for meeting customer expectations and regulatory mandates—it is vital for customers to have access to all of the relevant information about a piece of software that could affect their security or compliance.
From Transparency to Resilience
SBOMs enable vulnerability response, patch prioritization, and third-party risk assessments, though concerned parties should also take additional steps toward software resilience. “While the topic of SBOMs isn’t new, guidance such as this reinforces the importance of SBOM data in a risk mitigation strategy,” says Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck, a Burlington, Massachusetts-based provider of application security solutions. “But simply generating an SBOM isn’t sufficient. It’s what you do with an SBOM once it is generated that matters – which simultaneously implies that the SBOM data needs to be accurate and complete.”
When accompanied by appropriate measures to effectively utilize the crucial information they provide, widespread adoption of SBOMs could have the long-term impact of shifting the industry toward a more secure and trustworthy software ecosystem. Organizations can operationalize SBOM data for proactive risk management by using it to identify vulnerabilities, assess supply chain risks, and manage dependencies.
The Road to Adoption
While experts and leading organizations recommend the adoption of SBOMs for cybersecurity purposes, there are a number of obstacles in the way. A lack of standardization, constraints on resources, and cultural shifts all complicate the matter. In order to effectively ensure widespread use of SBOMs, it is essential to foster collaboration across government, industry, and open-source communities. Organizations are encouraged to start adopting SBOM practices today to increase transparency and visibility, fortify supply chain trust, and empower an era of increased software security.
