Charting the Path to SBOM Adoption: A Business Stakeholder-Centric Approach 


Organizations are increasingly reliant on third-party software products to expedite their own development cycles, often incorporating numerous components into their end systems, which results in a lack of transparency in software dependencies. Malicious actors exploit this, leading to Software Supply Chain (SSC) attacks with substantial economic and security damages. To mitigate this threat, the Software Bill of Materials (SBOM) concept was introduced. An SBOM details software components and their supply chain relationships, thus enhancing SSC transparency. Unfortunately, SBOM adoption still remains limited. While previous studies identified some reasons behind this, they overlooked the perspectives of the different business stakeholder groups involved in the SBOM lifecycle. In this work, we address this gap by studying business stakeholder groups directly involved in SBOM production and consumption. The main goal of this work is to identify which groups can drive or inhibit SBOM adoption and the rationale behind this behavior. By conducting interviews with representatives of each group, we identified stakeholder-specific risks, benefits, concerns and incentives regarding SBOM adoption. Our analysis suggests that SBOM adoption potential is higher among System Integrators and Software Vendors. At the same time, B2B customers and Individual Developers have the least motivation, inhibiting the process of SBOM adoption. Given that these are the main SBOM consuming and supplying stakeholders respectively, we conclude that the overall adoption potential of this technology is currently limited and requires considerable external impulse.


How to cite:

Berend Kloeg, Aaron Ding, Sjoerd Pellegrom, Yury Zhauniarovich, "Charting the Path to SBOM Adoption: A Business Stakeholder-Centric Approach", in Proceedings of the 19th ACM ASIA Conference on Computer and Communications Security (ACM ASIACCS), 2024.

author={Kloeg, Berend and Ding, Aaron Yi and Pellegrom, Sjoerd and Zhauniarovich, Yury},
booktitle={19th ACM ASIA Conference on Computer and Communications Security (ACM ASIACCS)},
title={Charting the Path to SBOM Adoption: A Business Stakeholder-Centric Approach},