DOI: 10.1145/3634737.3637659 (research article, open access)

Charting the Path to SBOM Adoption: A Business Stakeholder-Centric Approach

Published: 01 July 2024

Abstract

Organizations increasingly rely on third-party software products to expedite their own development cycles, often incorporating numerous components into their end systems, which results in a lack of transparency in software dependencies. Malicious actors exploit this opacity, leading to Software Supply Chain (SSC) attacks with substantial economic and security damages. To mitigate this threat, the Software Bill of Materials (SBOM) concept was introduced. It details software components and their supply chain relationships, thus enhancing SSC transparency. Unfortunately, SBOM adoption remains limited. While previous studies identified some reasons behind this, they overlooked the perspectives of the different business stakeholder groups involved in the SBOM lifecycle.
In this work, we address this gap by studying business stakeholder groups directly involved in SBOM production and consumption. The main goal of this work is to identify which groups can drive or inhibit SBOM adoption and the rationale behind this behavior. By conducting interviews with representatives of these groups, we identified stakeholder-specific risks, benefits, concerns and incentives regarding SBOM adoption. Our analysis suggests that SBOM adoption potential is higher among System Integrators and Software Vendors. At the same time, B2B customers and Individual Developers have the least motivation, inhibiting the process of SBOM adoption. Given that these are, respectively, the main SBOM-consuming and SBOM-supplying stakeholders, we conclude that the overall adoption potential of this technology is currently limited and requires considerable external impulse.


Cited By

  • If it's not SBOM, then what? How Italian Practitioners Manage the Software Supply Chain. 2024 IEEE International Conference on Software Maintenance and Evolution (ICSME), 730--740. DOI: 10.1109/ICSME58944.2024.00077. Online publication date: 6 Oct 2024.

Published In

ASIA CCS '24: Proceedings of the 19th ACM Asia Conference on Computer and Communications Security
July 2024, 1987 pages
ISBN: 9798400704826
DOI: 10.1145/3634737
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. SBOM adoption
  2. stakeholders
  3. incentives
  4. concerns

Qualifiers

  • Research-article

Funding Sources

  • NWO

Conference

ASIA CCS '24

Acceptance Rates

Overall acceptance rate: 418 of 2,322 submissions (18%)

Article Metrics

  • Downloads (last 12 months): 334
  • Downloads (last 6 weeks): 89
Reflects downloads up to 24 Dec 2024
