Data-driven barriers to adoption proposed #19

Merged: 2 commits, Aug 30, 2022
Conversation

bunnyshebash (Contributor)

Addresses #13


To claim that there are barriers to adoption simply because different formats, structures, and tools exist is to reduce issues of complexity to the issues of impediments and doesn't actually paint a picture as to *how* such complexity poses challenges to SBOM adoption. In order to move this issue forward in a scientific manner, claims regarding barriers to adoption, adoption rates, and SBOM readiness and maturity need to be substantiated by data. In order to flesh out the current barriers to SBOM adoption, we need to assess quantitative or qualitative data regarding the challenges that entities or individuals face in their SBOM journey.

The Linux Foundation SBOM Report (https://linuxfoundation.org/wp-content/uploads/LFResearch_SBOM_Report_020422.pdf) is an exemplar data set to begin detailing challenges to adoption. For example, the study directly queried the respondent's SBOM readiness by asking, "What is your group's current SBOM readiness?" 90% of organizations have started their SBOM journey, while 10% of organizations have not begun planning their SBOM journeys. Of the segment that have started their SBOM journeys, 14% are in a planning or development phase, 52% are addressing SBOMs in a few, some, or many areas of their business, and 23% are addressing SBOMs across all areas that include the use of SBOMs. Thus, 76% of organizations surveyed have a tangible degree of SBOM readiness. This level of "tangible readiness" indicates further analysis is warranted in order to account for the composition of "barriers" and what type of entities or individuals experience these barriers to SBOM adoption.
Member (review comment)

Suggested change: "exempler" to "exemplar".

@ljharb (Member) commented Aug 30, 2022

Doesn't the report referenced primarily survey companies? That seems like it ignores most open source authors, which are likely near the top of the list of critical targets in terms of getting SBOMs "everywhere".

@joshbressers (Contributor) left a review comment

LGTM, Thanks!

@joshbressers joshbressers merged commit 2c854fb into ossf:main Aug 30, 2022
@joshbressers (Contributor)

Doesn't the report referenced primarily survey companies? That seems like it ignores most open source authors, which are likely near the top of the list of critical targets in terms of getting SBOMs "everywhere".

I'm approving this, but we should continue this discussion point. I don't want to turn PRs into epic discussions as that tends to slow down progress. I suspect an issue is the best way to keep this going.

@david-a-wheeler

Let's not guess. Steve Hendrick (Vice President Research at The Linux Foundation) led that report - let's ask him!!

@david-a-wheeler

I've emailed Steve Hendrick - let's see what he says!

@sdhendrick

The SBOM survey included data collected from individuals who overwhelmingly were from the ranks of IT, were employed, and were asked to answer questions from the perspective of how their employer (or business unit) was approaching cybersecurity. Because we were surveying individuals it was possible that we surveyed more than one individual per company - especially because 27% of the sample came from individuals who worked for large enterprises with more than 10,000 employees. However, the larger the enterprise, the more likely it was that any one respondent would only be speaking for a business unit of the enterprise. So to answer the question, the survey largely reflected where companies were on their SBOM journey as told through the knowledge of one or more employees.

5 participants