Services for Organizations

Using our research, best practices and expertise, we help you understand how to optimize your business processes using applications, information and technology. We provide advisory, education, and assessment services to rapidly identify and prioritize areas for improvement and perform vendor selection

Consulting & Strategy Sessions

Ventana On Demand

    Services for Investment Firms

    We provide guidance using our market research and expertise to significantly improve your marketing, sales and product efforts. We offer a portfolio of advisory, research, thought leadership and digital education services to help optimize market strategy, planning and execution.

    Consulting & Strategy Sessions

    Ventana On Demand

      Services for Technology Vendors

      We provide guidance using our market research and expertise to significantly improve your marketing, sales and product efforts. We offer a portfolio of advisory, research, thought leadership and digital education services to help optimize market strategy, planning and execution.

      Analyst Relations

      Demand Generation

      Product Marketing

      Market Coverage

      Request a Briefing

        Jeff Orr's Analyst Perspectives

        << Back to Blog Index

        The Software Bill of Materials Secures the Software Supply Chain

        Software supply chain digital security is a hot topic, especially after cyberattacks on SolarWinds, Colonial Pipeline and Kaseya. These attacks have exposed the vulnerabilities and risks that exist in the software products and services that organizations rely on for their daily operations. How can organizations protect themselves from these threats and ensure the quality and integrity of software products? One possible approach is to adopt a software bill of materials (SBOM). 

        An SBOM is like a list of ingredients for software. It shows what components make up a software product, where they come from, how they are related and what digital security issues they may have. An SBOM can include both proprietary and open-source components, as well as metadata such as version, license and patch status. An SBOM can also be represented in various file formats. Security defenders use the SBOM to identify known vulnerabilities. When an exploit is identified, every SBOM containing the element can be flagged. 

        An SBOM can help organizations reduce software supply chain risks by helping them to: 

        • Identify and remediate vulnerabilities. An SBOM can help organizations discover and fix security flaws in their software products before they are exploited by attackers. An SBOM can also help organizations respond faster and more effectively to security incidents by providing them with accurate and up-to-date information about the affected components and their dependencies. 
        • Verify the integrity and provenance of software components. An SBOM can help organizations ensure that the software components they use are authentic, unmodified and sourced from trusted vendors. An SBOM can also help organizations detect and prevent unauthorized or malicious changes to their software products during development, delivery or deployment. 
        • Manage compliance and licensing obligations. An SBOM can help organizations comply with legal and contractual requirements regarding the use of software components, especially open-source ones. An SBOM can also help organizations avoid potential conflicts or liabilities arising from incompatible or unclear licenses. 
        • Improve transparency and accountability. An SBOM can help organizations communicate clearly and confidently with their customers, partners, regulators and auditors about the quality and security of their software products. An SBOM can also help organizations demonstrate their commitment to responsible and ethical software development practices. 

        The SBOM concept is currently promoted via the U.S. government and several security software companies. Vendors and suppliers to government agencies are highly encouraged to support SBOM initiatives. Organizations supporting federal, state and local agencies are being scrutinized for their commitment to reduce cyber risk. But the concept of utilizing an SBOM to assess cyber risk in software is not exclusive to government applications. 

        Who is responsible for creating the SBOM? This varies widely as different organizations have different processes and roles for software development and security. However, some possible roles that could be involved in creating and maintaining an SBOM could include software developers, software architects, software testers and software security analysts. Depending on the size and complexity of the organization, and the software product or service, some of these roles may be performed by the same person or team, or by different people or teams. Some organizations may also have dedicated roles or teams for creating and maintaining SBOMs. The important thing is that there is clear communication and collaboration among all the roles involved in creating an SBOM. 

        Organizations exploring the value of SBOMs need time to educate their teams on how to maximize their potential. This includes learning how to gather version information from their software applications. Some organizations have identified challenges such as determining a common structure for the SBOM and how to make it readable to analyze the presence of a vulnerability. Similarly, software architecture and development are not always designed with security assessment in mind. Questions also exist about the use of low-code and no-code tools and whether the burden of risk lies within the software development tool chain or with the organization’s developers. 

        However, the benefits of an SBOM outweigh the risks. An SBOM can help organizations proactively manage their software supply chain risks by providing visibility, control andVentana_Research_2023_Assertion_Security_Secure_Supply_Chain_72_S accountability over their software products. An SBOM can also help organizations comply with the emerging standards and regulations that require or encourage the use of an SBOM. Ventana Research asserts that through 2026, less than 1 in 8 organizations will have taken steps to secure the software supply chain and reduce the risk of vulnerabilities from unauthorized or malicious changes. 

        There is also value for software-as-a-service (SaaS) application vendors to build an SBOM. An SBOM for a SaaS application can help both the software vendor and the customer in several ways, such as improving security and trust, enhancing transparency and accountability, and facilitating interoperability and integration. Some SaaS application vendors have already built SBOMs for their products and offer guides to incorporate the data into customers’ SBOM management. 

        The Biden administration’s cybersecurity executive order has recognized the importance of SBOMs and mandated development of minimum standards and guidelines for their implementation. The National Telecommunications and Information Administration (NTIA) has led a multi-stakeholder process to define and promote SBOM best practices across the software industry. 

        SBOMs are a key building block that can support and enhance other security measures. As CIOs and CISOs, you have a critical role to play in adopting and promoting SBOMs in your organization. By implementing SBOMs in your software products and services, you can improve your digital security posture, reduce your risk exposure and increase your competitive advantage. You can also contribute to the broader effort to secure the software supply chain at an industry and national level. 


        Jeff Orr


        Jeff Orr
        Director of Research, Digital Technology

        Jeff Orr leads the research and advisory for the CIO and digital technology expertise at Ventana Research, now part of ISG, with a focus on modernization and transformation for IT. Jeff’s coverage spans cloud computing, DevOps and platforms, digital security, intelligent automation, ITOps and service management, intelligent automation and observation technologies across the enterprise.


        Our Analyst Perspective Policy

        • Ventana Research’s Analyst Perspectives are fact-based analysis and guidance on business, industry and technology vendor trends. Each Analyst Perspective presents the view of the analyst who is an established subject matter expert on new developments, business and technology trends, findings from our research, or best practice insights.

          Each is prepared and reviewed in accordance with Ventana Research’s strict standards for accuracy and objectivity and reviewed to ensure it delivers reliable and actionable insights. It is reviewed and edited by research management and is approved by the Chief Research Officer; no individual or organization outside of Ventana Research reviews any Analyst Perspective before it is published. If you have any issue with an Analyst Perspective, please email them to

        View Policy

        Subscribe to Email Updates

        Analyst Perspectives Archive

        See All