Skip to content

New Gartner® Report Details How Businesses Should Incorporate SBOMS Into The SDLC

New Gartner® Report Details How Businesses Should Incorporate SBOMS Into The SDLC

The proliferation of third-party software, especially open-source software (OSS), is a mainstay in modern development. Research by Contrast estimates that the average Java library contains 118 individual open-source libraries - each of those calling even more transitive dependencies at build time. While the proliferation of open-source at large is no secret in today’s software-driven economy, the level of scrutiny being placed on the software supply chain and how businesses buy, build, and import software may be a new venture for some. Breaches targeting the software supply chain like the SolarWinds hack, and more recent zero-day events like Log4Shell have served as a catalyst for sweeping legislation to help inject a level of transparency and governance around how software is shared and embedded within critical applications. 

Enter the SBOM

Enter the software bill of materials, or “SBOM” for short. We’ve discussed in a previous blog the purpose of SBOMs and who can use them. In short, a software bill of materials is an ingredient list of every software component that makes up an application. It includes every library—both open-source software (OSS) and commercial off-the-shelf (COTS) - along with services, dependencies, compositions, and extensions. In some cases, it also includes tooling and environmental information. SBOMs can fulfill a range of requirements for functional groups across engineering, procurement, and M&A but, most notably, it can help Security and Compliance teams flag potential risks embedded within their software supply chain. 

In his 2021 Cybersecurity Executive Order, President Biden explicitly called on The National Telecommunications and Information Administration (NTIA) to develop a minimum standard for SBOMs to be abided by any business who sells software to the U.S. Government. However, it’s not just federal agencies who are concerned with SBOM mandates; many private sector businesses  require SBOMs as part of their software procurement process and that trend is only going to accelerate in the coming years. 

New Gartner Report Details Best Practices in Implementing SBOMs

New research from Gartner indicates that “by 2025, 60% of organizations building or procuring critical infrastructure software will mandate and standardize SBOMs in their software engineering practice, up from less than 20% in 2022. By 2024, 90% of software composition analysis tools will be able to generate and verify SBOMs to help securely consume open-source software, up from 30% in 2022.” With SBOM adoption looking to see a drastic increase, the question remains: “What best practices should enterprises exhibit to effectively scale and automate the production of SBOMs for the purpose of gauging the security posture of their software supply chain?” 

As per the new Gartner  research report Innovation Insight for SBOMs, “SBOMs are an essential tool in your security and compliance toolbox. They help continuously verify software integrity and alert stakeholders to security vulnerabilities and policy violations.”  As anyone working in the DevSecOps space can tell you, speed is priority #1 for developers - and that creates a huge challenge for Security teams who need up-to-date SBOMs to properly gauge which software components may serve as a potential attack vector for hackers. Gartner goes deep into specific recommendations to help integrate SBOMs as a routine part of the software delivery process including (but not limited to): 

  • Automatically generate SBOMs for all software produced
  • Automatically verify SBOMs for software consumed (both open source and proprietary)
  • Use SBOM data to continuously assess security and compliance risks (before and after deployment)
Contrast Security Named As A Representative Provider For SBOM Tools

In their report, Gartner recognizes Contrast Security as a commercial Representative Provider of SBOM tools . In addition to our commercial offering, Contrast’s own CTO and Co-Founder Jeff Williams developed an open-source tool to automatically produce SBOMs at runtime for Java applications. You can find the tool on Contrast’s GitHub Marketplace page. 

For enterprises looking to scale software supply chain security across their application portfolio, Contrast SCA can generate an SBOM within native CI/CD pipelines through a simple API call, CLI command or through the Contrast UI itself. Security and compliance teams can generate SBOMs following OWASPs CycloneDX standard and export to a machine-readable json format or export to a PDF. Soon customers will be able to produce SBOMs in the SPDX standard as well. 

Contrast meets all functional requirements of SBOMs as outlined by NTIA standards but also goes beyond these requirements by flagging library usage, including active and inactive libraries and library classes. As our State of Open-Source Security Report found, 62% of libraries in applications are inactive—not used by the software in any way. And within active libraries, 69% of library classes are unused. The result is that only 9.4% of code in the typical application is active open-source library and class code, and most developers have no visibility into this. Knowing which libraries are used by your application can save your developers hours of needlessly chasing patches or code fixes for libraries that serve no active function within the application - this is especially relevant in a rapid-response situation. 

Download Your Copy Of Gartner Innovation Insight For SBOMs

To download Gartner's new research data on implementing SBOMs within native development practices, visit our landing page

And for more information on how Contrast can help scale software supply chain security across your development processes, visit our Software Supply Chain solutions page

Gartner, Innovation Insight for SBOMs, By Manjunath BhatDale GardnerMark Horvath, 14 February 2022

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Joe Coletta, Product Marketing Manager, Contrast Security

Joe Coletta, Product Marketing Manager, Contrast Security

Joe Coletta is a Sr. Product Marketing Manager at Contrast Security focusing on Open Source Security. Entering the AppSec field as a Security Program Manager, Joe has consulted dozens of organizations of varying sizes on how to work cross-functionally in order to scale their application security programs. Applying this frontline knowledge to a product marketing career, Joe develops go-to-market resources that capture the voice of AppSec practitioners in both Security and Development. On a personal note, Joe divvies his free time between reading, drawing, and Brazilian Jiu Jitsu