Biden's Cybersecurity Executive Order Drives Seismic Changes in Software Development
September 11, 2023

President Biden's Executive Order on Improving the Nation's Cybersecurity has driven wide-scale changes in software development practices in both the UK and US in the two years since it launched, according to new research from Sonatype.

The Order, designed to bolster the US response to cyberattacks and encourage greater public-private sector collaboration, primarily focused on Federal executive agencies and contractors. However, the findings show it has spurred industry-wide action on both sides of the Atlantic.

According to the research, 76% of enterprises have adopted a Software Bill of Materials (SBOM) since the Order's introduction.

Another 16% plan to implement SBOMs within the next year, showing increasing recognition of the correlation between open source hygiene and cybersecurity posture.

Of the three-quarters of companies with SBOMs in place, only 4% adopted them over three years ago, demonstrating how much practices have evolved since the Order.

Furthermore, the findings revealed that SBOMs are becoming a key procurement requirement. Some 60% of respondents currently mandate that the businesses they work with maintain an SBOM and 37% said they will do so in the future, indicating proper software hygiene is becoming increasingly tied to commercial opportunities.

The research also confirms the Order has influenced software development practices in ways transcending SBOMs. Respondents are increasingly investing in technologies to improve software supply chain management, including vulnerability scanning (30%), software composition analysis (24%), supply chain automation (23%), threat intelligence (22%), and bug bounty programs (20%).

The regulation has also fueled investment in skills and operations like employee training and awareness (26%), recruiting developer talent (21%), and processes to assess supply chain risks (24%).

Despite SBOMs' contribution to good software hygiene, however, some companies still lag behind. Of the 24% of respondents yet to adopt SBOMs, 49% attributed this to being unsure how to implement them; 47% are unsure of their benefits; 43% have cost concerns; and 32% lack team resources, underscoring how the global cybersecurity skills crisis is hampering defense strategies.

"While it's good to finally see widespread adoption of SBOMs, it's equally concerning to see nearly a quarter of large enterprises have yet to implement them," said Brian Fox, CTO and Co-Founder at Sonatype. "It echoes our research findings last year showing many organizations are a lot farther behind on software supply chain management than they think they are. SBOMs are just 'step one' to cyber resilience — there's a whole lot more that comes after that list of ingredients if you want to achieve good software hygiene, like investing in tools for software composition analysis. If you're not at that first step yet, you're going to fall behind."

The research also found that 41% of security decision-makers see cyber regulation as the factor having the greatest positive impact on software security. Some, however, lament the volume of cybersecurity regulation, with 44% of business leaders believing there is too much government intervention on cybersecurity overall.

Reception towards policy varies from region to region and policy to policy. Confidence in the long-term success of Biden's Order is high, with 71% deeming its regulations effective for improving cybersecurity. Interestingly, in the US, decision-makers feel overwhelmingly positive about the amount of cybersecurity regulation, with 84% of respondents viewing regulation in the market as positive. In contrast, in the UK, which has been slower to regulate on software development and cybersecurity issues, just 68% of UK business leaders feel positive about it, potentially inviting more intervention.

"We've been highlighting for years the value of better visibility into the software supply chain," said Wayne Jackson, CEO at Sonatype. "Governments worldwide have to play their part in holding vendors accountable, and we're finally seeing that come to fruition with rising SBOM adoption as a result of regulatory pressures. But we need to see international governments and businesses on the same page for policy to avoid a messy patchwork of disaggregated regulations that all tackle cyber resilience in different ways. It could otherwise stifle innovation in really crucial areas of software development like the open source ecosystem. Active communication between the private and public sector will go a long way to avoid that."

Methodology: Sonatype surveyed 217 Cybersecurity Directors in organizations with over £50 million/$50 million revenue in the UK and US respectively.

Share this

Industry News

September 21, 2023

Red Hat and Oracle announced the expansion of their alliance to offer customers a greater choice in deploying applications on Oracle Cloud Infrastructure (OCI). As part of the expanded collaboration, Red Hat OpenShift, the industry’s leading hybrid cloud application platform powered by Kubernetes for architecting, building, and deploying cloud-native applications, will be supported and certified to run on OCI.

September 21, 2023

Harness announced the availability of Gitness™, a freely available, fully open source Git platform that brings a new era of collaboration, speed, security, and intelligence to software development.

September 20, 2023

Oracle announced new application development capabilities to enable developers to rapidly build and deploy applications on Oracle Cloud Infrastructure (OCI).

September 20, 2023

Sonar announced zero-configuration, automatic analysis for programming languages C and C++ within SonarCloud.

September 20, 2023

DataStax announced a new JSON API for Astra DB – the database-as-a-service built on the open source Apache Cassandra® – delivering on one of the most highly requested user features, and providing a seamless experience for Javascript developers building AI applications.

September 19, 2023

Oracle announced the availability of Java 21.

September 19, 2023

Mirantis launched Lens AppIQ, available directly in Lens Desktop and as (Software as a Service) SaaS.

September 19, 2023

Buildkite announced the company has entered into a definitive agreement to acquire Packagecloud, a cloud-based software package management platform, in an all stock deal.

September 19, 2023

CrowdStrike has agreed to acquire Bionic, a provider of Application Security Posture Management (ASPM).

September 18, 2023

Perforce Software announces BlazeMeter's Test Data Pro, the latest addition to its continuous testing platform.

September 18, 2023

CloudBees announced a new cloud native DevSecOps platform that places platform engineers and developer experience front and center.

September 18, 2023

Akuity announced a new open source tool, Kargo, to implement change promotions across many application life cycle stages using GitOps principles.

September 14, 2023

CloudBees announced significant performance and scalability breakthroughs for Jenkins® with new updates to its CloudBees Continuous Integration (CI) software.