Two years after President Biden’s Executive Order on Improving the Nation’s Cybersecurity, significant changes in software development practices have been observed in both the UK and the US, as reported by Sonatype, a software supply chain management company. The Order aimed to enhance the US response to cyberattacks and foster collaboration between the public and private sectors, primarily focusing on Federal executive agencies and contractors. However, the research findings indicate that it has driven industry-wide action on both sides of the Atlantic.
One of the notable outcomes of the Executive Order is the adoption of the Software Bill of Materials (SBOM) by a large majority of enterprises. A staggering 76% of companies have implemented SBOMs since the Order’s introduction, and a further 16% plan to adopt them in the coming year. The link between open source hygiene and cybersecurity posture is increasingly recognized, and this recognition is driving the wide adoption of SBOMs.
Moreover, SBOMs have become a key requirement in procurement processes, with 60% of respondents mandating that businesses they work with maintain an SBOM. Another 37% intend to implement this requirement in the future, indicating that proper software hygiene is becoming essential for commercial opportunities.
The impact of the Executive Order extends beyond SBOM adoption. Enterprises are now investing in various technologies to improve software supply chain management, including vulnerability scanning, software composition analysis, supply chain automation, threat intelligence, and bug bounty programs. The Order has also spurred investments in skills and operations, such as employee training, recruiting developer talent, and assessing supply chain risks.
However, some companies still lag behind in adopting SBOMs, with 24% of respondents yet to implement them. Among the reasons cited for the delay are uncertainty on how to implement SBOMs, lack of awareness about their benefits, cost concerns, and limited team resources. The global cybersecurity skills crisis is evidently affecting defense strategies and hindering progress in this area.
The critical Log4j vulnerability drew attention to the impact of security flaws in widely used open source components and prompted government intervention worldwide. The US, EU, and UK all launched initiatives to address software supply chain security. Sonatype’s research also examined attitudes towards regulation: 41% of security decision-makers viewed cyber regulation as having the greatest positive impact on software security. However, some business leaders expressed concern about the volume of cybersecurity regulation, with 44% feeling there is too much government intervention overall.
In the US, 84% of respondents viewed cybersecurity regulation positively, while in the UK, the figure was 68%. It is clear that international governments and businesses need to align on policies to avoid a patchwork of disparate regulations that could stifle innovation, particularly in the open source ecosystem. Effective communication between the private and public sectors is crucial to achieving this alignment and fostering cyber resilience.
Sonatype, the software supply chain management company, empowers organizations to innovate faster and develop secure software in a highly competitive market. Their industry-leading platform enables engineers to build products fearlessly while ensuring high-quality and secure software to meet business needs. The company’s efforts have led to the blocking of over 145,000 malicious components from entering developers’ code, helping organizations and software developers move fast and securely.