Charting the Path to SBOM Adoption: A Business Stakeholder-Centric Approach

Berend Kloeg, Aaron Yi Ding, Sjoerd Pellegrom, Yury Zhauniarovich

Research output: Chapter in Book/Conference proceedings/Edited volume; Conference contribution; Scientific; peer-reviewed


Abstract

Organizations are increasingly reliant on third-party software products to expedite their own development cycles, often incorporating numerous components into their end systems, which results in a lack of transparency in software dependencies. Malicious actors exploit this, leading to Software Supply Chain (SSC) attacks with substantial economic and security damages. To mitigate this threat, the Software Bill of Materials (SBOM) concept was introduced. It details software components and their supply chain relationships, thus enhancing SSC transparency. Unfortunately, SBOM adoption remains limited. While previous studies identified some reasons behind this, they overlooked the perspectives of the different business stakeholder groups involved in the SBOM lifecycle.

In this work, we address this gap by studying business stakeholder groups directly involved in SBOM production and consumption. The main goal of this work is to identify which groups can drive or inhibit SBOM adoption and the rationale behind this behavior. By conducting interviews with representatives of these groups, we identified stakeholder-specific risks, benefits, concerns and incentives regarding SBOM adoption. Our analysis suggests that SBOM adoption potential is higher among System Integrators and Software Vendors. At the same time, B2B customers and Individual Developers have the least motivation, inhibiting the process of SBOM adoption. Given that these are the main SBOM consuming and supplying stakeholders, respectively, we conclude that the overall adoption potential of this technology is currently limited and requires considerable external impulse.
Original language: English
Title of host publication: ASIA CCS '24
Subtitle of host publication: Proceedings of the 19th ACM Asia Conference on Computer and Communications Security
Publisher: Association for Computing Machinery (ACM)
Pages: 1770-1783
Number of pages: 14
ISBN (Electronic): 979-8-4007-0482-6
Publication status: Published - 2024
Event: 19th ACM Asia Conference on Computer and Communications Security - Singapore, Singapore
Duration: 1 Jul 2024 to 5 Jul 2024
Event website: https://asiaccs2024.sutd.edu.sg/

Conference

Conference: 19th ACM Asia Conference on Computer and Communications Security
Abbreviated title: AsiaCCS 2024
Country/Territory: Singapore
City: Singapore
Period: 1/07/24 to 5/07/24
Internet address: https://asiaccs2024.sutd.edu.sg/

Keywords

  • Concerns
  • Incentives
  • SBOM Adoption
  • Stakeholders
