Anita D’Amico, vice president, cross-portfolio solutions and strategy
Organizations motivated by the need to rapidly respond to the next Log4j-like vulnerability will accelerate contractual requirements for SBOMs from their software suppliers. But how will the procurers know that these SBOMs are accurate? This will then create a demand for the validation of SBOMs to fulfill these contractual requirements.
Also, the acronym “SSDF” will start rolling off the lips of anyone concerned with the software supply chain. The SSDF—Secure Software Development Framework—published by the National Institute of Standards and Technology in 2022, will become the north star for organizations that need to demonstrate best practices in software security.
Stanislav Sivak, associate managing security consultant
This year, we’ll see increased demand that software suppliers provide their open source SBOM and associated risk posture to their clients.
The efforts will be directed, at least in larger organizations, at having a holistic, continuous overview of software composition and its origins (COTS, open source, partner) instead of a point-in-time approach.
Such organizations will need to establish a centralized platform that can process the inputs, understand the context, generate the output such as an SBOM in the appropriate format, and provide intelligence around its data.
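Both predictions above turn on the same practical question: before a procurer accepts a supplier's SBOM, can it tell whether the document is even structurally trustworthy? The following is an added example, not code from the contributors or their organization, showing the kind of baseline check a procurement pipeline can run on a CycloneDX-style JSON SBOM. It uses the standard CycloneDX field names (bomFormat, specVersion, metadata.component, components, purl, hashes); the embedded SBOM and its component names and versions are constructed for illustration, and the "findings" it reports are simple strings rather than any standard's severity scheme. A check like this does not prove the SBOM matches the shipped binary, but it catches the common failure modes a human reviewer would otherwise miss: components with no version, no package URL, a purl that disagrees with the declared version, or no digest that could later be compared against the artifact.

```python
"""Structural checks on a CycloneDX-style JSON SBOM (added example)."""
import json
import re

# Constructed sample SBOM for illustration only; the components are not a real
# inventory. It contains one well-formed entry and two deficient ones.
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {"component": {"name": "example-app", "version": "2.0.0"}},
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
     "hashes": [{"alg": "SHA-256",
                 "content": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}]},
    {"type": "library", "name": "left-pad", "version": "1.3.0",
     "purl": "pkg:npm/left-pad@1.2.0"},
    {"type": "library", "name": "mystery-lib"}
  ]
}
"""

# Package URL shape: pkg:<type>/<namespace/name>@<version>[?qualifiers][#subpath]
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/(?:[^@]+)@(?P<version>[^?#]+)")

# Digest lengths (hex characters) for the algorithms this check accepts.
HASH_HEX_LEN = {"SHA-1": 40, "SHA-256": 64, "SHA-512": 128}


def check_component(idx, comp):
    """Return a list of findings for one component entry."""
    findings = []
    label = comp.get("name") or f"components[{idx}]"
    if not comp.get("name"):
        findings.append(f"{label}: missing name")
    version = comp.get("version")
    if not version:
        findings.append(f"{label}: missing version")

    purl = comp.get("purl")
    if not purl:
        findings.append(f"{label}: missing purl")
    else:
        m = PURL_RE.match(purl)
        if not m:
            findings.append(f"{label}: malformed purl {purl!r}")
        elif version and m.group("version") != version:
            # A purl that disagrees with the declared version is a sign the SBOM
            # was assembled by hand or from stale data.
            findings.append(
                f"{label}: purl version {m.group('version')} != version {version}")

    hashes = comp.get("hashes") or []
    if not hashes:
        findings.append(f"{label}: no hashes")
    for h in hashes:
        alg, content = h.get("alg"), h.get("content", "")
        expected = HASH_HEX_LEN.get(alg)
        if expected is None:
            findings.append(f"{label}: unsupported hash algorithm {alg!r}")
        elif not re.fullmatch(r"[0-9a-fA-F]{%d}" % expected, content):
            findings.append(f"{label}: {alg} digest is not {expected} hex chars")
    return findings


def check_sbom(doc):
    """Return all findings for a parsed SBOM document (empty list = clean)."""
    findings = []
    if doc.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    if not doc.get("specVersion"):
        findings.append("missing specVersion")
    meta = doc.get("metadata", {}).get("component", {})
    if not meta.get("name"):
        findings.append("metadata.component.name missing: unclear what the SBOM describes")
    comps = doc.get("components")
    if not comps:
        findings.append("no components listed")
        return findings
    for i, comp in enumerate(comps):
        findings.extend(check_component(i, comp))
    return findings


def validate_sbom_json(text):
    """Parse JSON text and run the checks; raises on invalid JSON."""
    return check_sbom(json.loads(text))


if __name__ == "__main__":
    for line in validate_sbom_json(SAMPLE_SBOM):
        print(line)
```

Run against the constructed sample, the well-formed log4j-core entry produces no findings, while left-pad is flagged for its purl/version mismatch and missing digest, and mystery-lib for lacking a version, a purl and any hash. In a real intake pipeline the digests that pass this check are the values you would then compare against the actual artifacts, which is where SBOM accuracy, as opposed to SBOM well-formedness, gets established.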