Charting the Path to SBOM Adoption: A Business Stakeholder-Centric Approach


Organizations are increasingly reliant on third-party software products to expedite their own development cycles, often incorporating numerous components into their end systems, resulting in a lack of transparency in software dependencies. Malicious actors exploit this, leading to Software Supply Chain (SSC) attacks with substantial economic and security damages. To mitigate this threat, the Software Bill of Materials (SBOM) concept was introduced. It details software components and their supply chain relationships, thus enhancing SSC transparency. Unfortunately, SBOM adoption still remains limited. While previous studies identified some reasons behind this, they overlooked the perspectives of different business stakeholder groups involved in SBOM’s lifecycle.

In this work, we address this gap by studying business stakeholder groups directly involved in SBOM production and consumption. The main goal of this work is to identify which groups can drive or inhibit SBOM adoption and the rationale behind this behavior. By conducting interviews with the group representatives, we identified stakeholder-specific risks, benefits, concerns and incentives regarding SBOM adoption. Our analysis suggests that SBOM adoption potential is higher among System Integrators and Software Vendors. At the same time, B2B customers and Individual Developers have the least motivation, inhibiting the process of SBOM adoption. Given that these are the main SBOM consuming and supplying stakeholders correspondingly, we conclude that the overall adoption potential of this technology is currently limited and requires considerable external impulse.

ACM ASIA Conference on Computer and Communications Security