Recent high-profile cybersecurity incidents such as the SolarWinds attack and the Apache Log4j vulnerability have exposed the threats associated with the software supply chain. These can range from fairly simple exploits of known vulnerabilities to very sophisticated attacks, sponsored by nation-state actors.

The annual spending on enterprise software — also known as commercial off-the-shelf or COTS software — is now approaching $600 billion with a growth rate of 11.5%. Yet, given the magnitude of this investment, enterprises are spending a pittance on securing their software supply chain. This is what makes COTS software so dangerous — vulnerabilities can be “hidden” in open source components. However, there is a fix for this in a software bill of materials (SBOM).