DEVOPSdigest

President Biden's Executive Order(link is external) on Improving the Nation's Cybersecurity has driven wide-scale changes in software development practices in both the UK and US in the two years since it launched, according to new research from Sonatype.

The Order, designed to bolster the US response to cyberattacks and encourage greater public-private sector collaboration, primarily focused on Federal executive agencies and contractors. However, the findings show it has spurred industry-wide action on both sides of the Atlantic.

According to the research, 76% of enterprises have adopted a Software Bill of Materials (SBOM) since the Order's introduction.

Another 16% plan to implement SBOMs within the next year, showing increasing recognition of the correlation between open source hygiene and cybersecurity posture.

Of the three-quarters of companies with SBOMs in place, only 4% adopted them over three years ago, demonstrating how much practices have evolved since the Order.

Furthermore, the findings revealed that SBOMs are becoming a key procurement requirement. Some 60% of respondents currently mandate that the businesses they work with maintain an SBOM and 37% said they will do so in the future, indicating proper software hygiene is becoming increasingly tied to commercial opportunities.

The research also confirms the Order has influenced software development practices in ways transcending SBOMs. Respondents are increasingly investing in technologies to improve software supply chain management, including vulnerability scanning (30%), software composition analysis (24%), supply chain automation (23%), threat intelligence (22%), and bug bounty programs (20%).

The regulation has also fueled investment in skills and operations like employee training and awareness (26%), recruiting developer talent (21%), and processes to assess supply chain risks (24%).

Despite SBOMs' contribution to good software hygiene, however, some companies still lag behind. Of the 24% of respondents yet to adopt SBOMs, 49% attributed this to being unsure how to implement them; 47% are unsure of their benefits; 43% have cost concerns; and 32% lack team resources, underscoring how the global cybersecurity skills crisis is hampering defense strategies.

"While it's good to finally see widespread adoption of SBOMs, it's equally concerning to see nearly a quarter of large enterprises have yet to implement them," said Brian Fox, CTO and Co-Founder at Sonatype. "It echoes our research findings last year showing many organizations are a lot farther behind on software supply chain management than they think they are. SBOMs are just 'step one' to cyber resilience — there's a whole lot more that comes after that list of ingredients if you want to achieve good software hygiene, like investing in tools for software composition analysis. If you're not at that first step yet, you're going to fall behind."

The research also found that 41% of security decision-makers see cyber regulation as the factor having the greatest positive impact on software security. Some, however, lament the volume of cybersecurity regulation, with 44% of business leaders believing there is too much government intervention on cybersecurity overall.

Reception towards policy varies from region to region and policy to policy. Confidence in the long-term success of Biden's Order is high, with 71% deeming its regulations effective for improving cybersecurity. Interestingly, in the US, decision-makers feel overwhelmingly positive about the amount of cybersecurity regulation, with 84% of respondents viewing regulation in the market as positive. In contrast, in the UK, which has been slower to regulate on software development and cybersecurity issues, just 68% of UK business leaders feel positive about it, potentially inviting more intervention.

"We've been highlighting for years the value of better visibility into the software supply chain," said Wayne Jackson, CEO at Sonatype. "Governments worldwide have to play their part in holding vendors accountable, and we're finally seeing that come to fruition with rising SBOM adoption as a result of regulatory pressures. But we need to see international governments and businesses on the same page for policy to avoid a messy patchwork of disaggregated regulations that all tackle cyber resilience in different ways. It could otherwise stifle innovation in really crucial areas of software development like the open source ecosystem. Active communication between the private and public sector will go a long way to avoid that."

Methodology: Sonatype surveyed 217 Cybersecurity Directors in organizations with over £50 million/$50 million revenue in the UK and US respectively.