
Bad software cost US businesses $2.41 trillion in 2022

December 7, 2022 – Published on SC Magazine

Poor software quality may have cost the U.S. at least $2.41 trillion this year, nearly double that of the country’s budget deficit.

The number of software supply chain failures related to open source components increased by a whopping 650% between 2020 and 2021. Perhaps not coincidentally, 77% of organizations reported a wider adoption of open source software during the year.

Significant parts of the software sold in commercial systems are pulled from free repositories or other sources, and few companies put time into documenting the provenance of each line of code. Software bills of materials – or “SBOMs” as they’re often called – function as lists of the code snippets or components that make up a given program. In theory, they can be leveraged when a new vulnerability is discovered to quickly identify other programs and systems that rely on the same vulnerable code, providing defenders with a map of assets that need to be patched or remediated.
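As an added illustration of that lookup (not code from the article), the following Python reads two constructed CycloneDX-style SBOMs, including one with a nested component, and reports which systems carry a component older than the fix version named in a constructed, illustrative advisory; the system names, versions and advisory are all assumptions for the example.

```python
import json
import re

# Constructed CycloneDX-style SBOMs for two hypothetical systems (not real inventories).
# CycloneDX allows a component to carry its own nested "components" list, which the
# walker below follows so that transitively bundled libraries are not missed.
SBOMS = {
    "billing-api": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "group": "org.apache.logging.log4j",
             "name": "log4j-core", "version": "2.14.1"},
            {"type": "library", "group": "com.example", "name": "reporting-kit", "version": "1.0",
             "components": [  # nested, constructed dependency
                 {"type": "library", "group": "org.apache.logging.log4j",
                  "name": "log4j-core", "version": "2.12.1"}]},
        ]}),
    "report-worker": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "group": "org.apache.logging.log4j",
             "name": "log4j-core", "version": "2.17.1"},
        ]}),
}

# Constructed advisory for illustration only: the component and the first fixed version.
ADVISORY = {"group": "org.apache.logging.log4j", "name": "log4j-core", "fixed_in": "2.15.0"}


def parse_version(v: str) -> tuple:
    """Map '2.14.1' to (2, 14, 1); a piece without a leading number (e.g. 'beta9') becomes 0."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def walk_components(components):
    """Yield every component, descending into nested 'components' lists."""
    for c in components:
        yield c
        yield from walk_components(c.get("components", []))


def affected_systems(sboms: dict, advisory: dict) -> list:
    """Return sorted (system, version) pairs whose SBOM lists the component below the fix."""
    fixed = parse_version(advisory["fixed_in"])
    hits = []
    for system, raw in sboms.items():
        for c in walk_components(json.loads(raw).get("components", [])):
            if (c.get("group"), c.get("name")) != (advisory["group"], advisory["name"]):
                continue
            if parse_version(c["version"]) < fixed:
                hits.append((system, c["version"]))
    return sorted(hits)
```

Run against the constructed data it flags both log4j-core copies in billing-api and leaves report-worker alone, which is exactly the patch map the paragraph describes.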

But few organizations actually develop SBOMs today. The Biden administration has tasked the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology with developing a framework to promote the creation and implementation of SBOMs, to better manage vulnerabilities like Log4J and SolarWinds that are deeply embedded across industry and other sectors.

However, major industry players have expressed reluctance about any mandates around the concept. Just last week, several trade groups, including the U.S. Chamber of Commerce and the Cybersecurity Coalition, published an open letter asking Congress to delay SBOM requirements for defense contractors until the ecosystem matures.

Kristen Bell, director of application security at GuidePoint Security, told SC Media that the arguments in the open letter are reasonable and worth considering.

To build a mature SBOM, organizations and policymakers need to work together to ensure that new legislation does not introduce unintended consequences.

“Lawmakers need to rely on the opinions of technical experts, and there should be an evaluation of how some in the private sector address third-party vendor management. For example, many third-party vendor management processes require a [nondisclosure agreement] to be in place prior to a software vendor exposing details of their applications to the prospective buyer,” she said.
