SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
US' cybersecurity EO has changed software development, says Sonatype
Fri, 4th Aug 2023

President Biden’s Executive Order on improving the US’ cybersecurity has driven wide-scale changes in software development practices in both the UK and the US in the two years since it launched, new research from software supply chain management company Sonatype has revealed.

The Order, designed to bolster the US' response to cyberattacks and encourage greater public-private sector collaboration, primarily focused on Federal executive agencies and contractors. However, Sonatype's findings show it has spurred industry-wide action on both sides of the Atlantic.

According to the research, which surveyed 217 cybersecurity directors at organisations with annual revenue above £50 million in the UK or US$50 million in the US, a massive 76% of enterprises have adopted a Software Bill of Materials (SBOM) since the Order's introduction.

Another 16% plan to implement SBOMs within the next year, showing increasing recognition of the correlation between open-source hygiene and cybersecurity posture. Of the three-quarters of companies with SBOMs in place, only 4% adopted them over three years ago, demonstrating how much practices have evolved since the Order.

Furthermore, the findings revealed that SBOMs are becoming an essential procurement requirement. Some 60% of respondents mandate that the businesses they work with maintain an SBOM, and 37% said they would do so in the future, indicating that proper software hygiene is becoming increasingly tied to commercial opportunities.

Sonatype’s research also confirms the Order has influenced enterprises’ software development practices in ways transcending SBOMs.

Respondents are increasingly investing in technologies to improve software supply chain management, including vulnerability scanning (30%), software composition analysis (24%), supply chain automation (23%), threat intelligence (22%), and bug bounty programmes (20%). 

The regulation has also fuelled investment in skills and operations like employee training and awareness (26%), recruiting developer talent (21%), and processes to assess supply chain risks (24%).

However, some companies still lag behind despite SBOMs' contribution to good software hygiene. Of the 24% of respondents yet to adopt SBOMs, 49% attributed this to being unsure how to implement them; 47% are uncertain of their benefits; 43% have cost concerns; and 32% lack team resources, underscoring how the global cybersecurity skills crisis is hampering defence strategies.

“While it’s good to finally see widespread adoption of SBOMs, it’s equally concerning to see nearly a quarter of large enterprises have yet to implement them,” says Brian Fox, chief technology officer and co-founder at Sonatype. 

“It echoes our research findings last year showing many organisations are a lot farther behind on software supply chain management than they think they are. SBOMs are just ‘step one’ to cyber resilience – there’s a whole lot more that comes after that list of ingredients if you want to achieve good software hygiene, like investing in tools for software composition analysis. If you’re not at that first step yet, you’re going to fall behind.”

Sonatype’s findings follow the critical and widely publicised Log4j vulnerability, which spotlighted the huge-scale impact open source breaches can have. 

In addition, the vulnerability prompted worldwide government intervention, with the US pursuing its National Cyber Security Strategy, the EU launching the Cyber Resilience Act, and the UK calling for views on software supply chain security. 

Given the mounting government intervention in cybersecurity and software development practices, Sonatype also examined attitudes to regulation in the UK and the US, uncovering that large enterprises generally see regulation as good. 

41% of security decision-makers see cyber regulation as having the most significant positive impact on software security. Some, however, lament the volume of cybersecurity regulation, with 44% of business leaders believing there is too much government intervention overall.

Reception towards policy varies from region to region and policy to policy. 

Confidence in the long-term success of Biden's Order is high, with 71% deeming its regulations effective for improving cybersecurity. Interestingly, US decision-makers feel overwhelmingly positive about the amount of cybersecurity regulation, with 84% of respondents viewing regulation in the market as positive. In contrast, in the UK, which has been slower to regulate software development and cybersecurity issues, just 68% of business leaders feel optimistic about it, potentially inviting more intervention.

“We’ve been highlighting for years the value of better visibility into the software supply chain,” says Wayne Jackson, chief executive officer at Sonatype. 

“Governments worldwide have to play their part in holding vendors accountable, and we’re finally seeing that come to fruition with rising SBOM adoption as a result of regulatory pressures. But we need to see international governments and businesses on the same page for policy to avoid a messy patchwork of disaggregated regulations that all tackle cyber resilience in different ways. It could otherwise stifle innovation in really crucial areas of software development like the open source ecosystem. Active communication between the private and public sector will go a long way to avoid that.”