News and Notes from the Makers of Nexus | Sonatype Blog

SBOM-a-Rama Fall 2024: Sonatype's top 5 takeaways

Written by Sonatype | September 24, 2024

This month's SBOM-a-Rama Fall 2024 event, hosted by the Cybersecurity and Infrastructure Security Agency (CISA), marked a milestone in the ongoing evolution of software bill of materials (SBOM) adoption.

With over 200 in-person attendees and 400-500 virtual participants, this year's event was the largest yet, underscoring the growing interest in SBOMs as a critical component of modern cybersecurity and software supply chain management.

The discussions ranged from the latest technological advancements to the practical challenges businesses face in adopting SBOMs. Here are Sonatype's top five takeaways from the event.

Explosive growth in SBOM adoption

The increasing participation numbers reflect a surge in interest and urgency surrounding SBOMs. As businesses and governments prioritize software supply chain security, SBOMs have become a cornerstone in their efforts to meet compliance standards and manage risk.

The scale of participation highlights just how essential SBOMs have become to the security landscape, and it's clear that this momentum will only grow.

Commercial solutions are readily available

One of the key themes from the vendor showcase was the availability of robust commercial solutions to help companies manage their SBOMs.

Vendors, including Sonatype, demonstrated tools designed to simplify SBOM creation, management, and integration into security workflows.

The success of Sonatype SBOM Manager shows that the market is ready with mature solutions for companies at any stage of their SBOM journey.

The next big challenge: SBOM exchange

While companies are increasingly producing SBOMs internally, the event highlighted a major challenge: the exchange of high-quality SBOMs between organizations.

Currently, this process often involves manual requests through email or support channels, and the SBOMs received frequently contain errors or inconsistencies, complicating their utility in vulnerability management.

Sonatype and other leaders in the field are actively working on technology to automate and streamline SBOM exchange, addressing these pain points and ensuring smoother, more efficient workflows.
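The kind of inconsistency the previous paragraphs describe is easy to make concrete. The following is an added example, not code from the post or from any Sonatype product: a small Python check that a receiving team could run over an incoming CycloneDX JSON SBOM before relying on it for vulnerability matching. The SBOM it inspects is a constructed sample embedded inline (package names and versions are illustrative), and the set of checks (missing version or purl, a purl version that disagrees with the component version, duplicate entries, missing document-level metadata) is an assumed minimum, not a published acceptance standard.

```python
import json
import re
from collections import Counter

# Constructed CycloneDX 1.5-style SBOM used as sample input. It is not taken
# from the post; the component entries are illustrative only and deliberately
# contain the kinds of defects a consumer sees in real exchanges.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000000",
    "metadata": {"component": {"name": "example-app", "version": "1.0.0"}},
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        # no version anywhere: cannot be matched against advisories
        {"type": "library", "name": "commons-text",
         "purl": "pkg:maven/org.apache.commons/commons-text"},
        # version field and purl disagree: which one does the scanner trust?
        {"type": "library", "name": "jackson-databind", "version": "2.15.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.0"},
        # exact duplicate of the first entry
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    ],
})

# Minimal package-url shape: pkg:<type>/<namespace/name>[@<version>][?...][#...]
PURL_RE = re.compile(
    r"^pkg:(?P<type>[a-z0-9.+-]+)/(?P<path>[^@?#]+)(?:@(?P<version>[^?#]+))?"
)


def check_component(index, comp):
    """Return a list of findings for one component entry."""
    findings = []
    name = comp.get("name")
    version = comp.get("version")
    purl = comp.get("purl")
    label = f"components[{index}] ({name or '<unnamed>'})"
    if not name:
        findings.append(f"{label}: missing name")
    if not version:
        findings.append(f"{label}: missing version; cannot be matched against advisories")
    if not purl:
        findings.append(f"{label}: missing purl; consumer must guess the ecosystem")
    else:
        m = PURL_RE.match(purl)
        if not m:
            findings.append(f"{label}: malformed purl {purl!r}")
        else:
            purl_version = m.group("version")
            if purl_version is None:
                findings.append(f"{label}: purl carries no version")
            elif version and purl_version != version:
                findings.append(
                    f"{label}: version {version!r} disagrees with purl version {purl_version!r}"
                )
    return findings


def check_sbom(raw):
    """Parse a CycloneDX JSON document and return all findings (empty list = clean)."""
    doc = json.loads(raw)
    findings = []
    if doc.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    if not doc.get("serialNumber"):
        findings.append("missing serialNumber; document cannot be referenced unambiguously")
    if not doc.get("metadata", {}).get("component"):
        findings.append("metadata.component missing; SBOM does not say what it describes")
    components = doc.get("components", [])
    if not components:
        findings.append("no components listed")
    for i, comp in enumerate(components):
        findings.extend(check_component(i, comp))
    # Duplicate (name, version) pairs inflate counts and hide real changes between revisions.
    counts = Counter((c.get("name"), c.get("version")) for c in components)
    for (name, version), n in counts.items():
        if n > 1:
            findings.append(f"component {name}@{version} listed {n} times")
    return findings


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM):
        print("FINDING:", finding)
```

Run against the embedded sample, the checker reports the missing version on the second component, the version mismatch on the third, and the duplicated first entry; a clean document returns an empty list, which makes the function usable as a gate in the intake pipeline that replaces the manual email exchange the post describes.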

BOM-Ops and AI/ML SBOMs: Paving the way for the future

The SBOM community continues to push the boundaries of what these documents can achieve.

During the event, CISA-led working groups focused on emerging topics like BOM-Ops, which explores how to turn SBOM data into actionable intelligence, and the future of AI/ML SBOMs, which aim to define what should be included in these documents and how they can support innovative use cases.

This ongoing work will be vital in enabling businesses to unlock the full potential of SBOMs and drive greater business value.

SBOMs must provide tangible business value

A recurring message throughout SBOM-a-Rama was the need for SBOMs to move beyond simply checking a compliance box.

For SBOMs to truly gain traction, they must deliver clear business value — reducing risk and driving cost savings.

Many in the community believe this value is attainable, and it's now a matter of articulating these benefits to a broader audience and encouraging widespread adoption.

The road ahead for SBOMs

The discussions and developments at SBOM-a-Rama underscore the critical role of SBOMs in securing the software supply chain and point to an exciting future, with innovations in AI/ML SBOMs and more streamlined workflows on the horizon.

To stay informed about the latest SBOM trends, attend the upcoming All Day DevOps (ADDO) event, which will feature a session led by Allan Friedman, a Senior Advisor at CISA, who will dive into the current state of SBOM standards, regulations, and global efforts aimed at enhancing software transparency.

For more information on SBOMs and how Sonatype can support your SBOM initiatives, register for ADDO and check out the latest SBOM resources.