Supply Chain Security Under Scrutiny
Software Bills of Materials (SBOMs) were introduced to bolster security within software supply chains. However, the frequency of attacks continues to rise, suggesting that the challenge lies not in the data itself, but in how it is utilized by organizations. This insight comes from security researcher Devashri Datta, who has extensively studied the effectiveness of SBOMs.
SBOMs, mandated in 2021 for software sold to the US federal government, were designed to create transparency by listing the components a piece of software contains. By design, an SBOM says what is in the software, not whether a known vulnerability in one of those components is actually exploitable in that product. Vulnerability Exploitability eXchange (VEX) statements were developed to fill that gap: a supplier asserts, per vulnerability and product, whether the product is affected, not affected, fixed, or still under investigation. Yet the combination of SBOM and VEX has not curbed the escalation of supply chain threats.
Challenges in Data Utilization
Five years on, supply chain attacks remain prevalent. In March 2026 alone, two significant incidents involving Trivy and Axios affected numerous organizations. Datta's research, published on Zenodo and through OpenSSF, highlights a critical issue: what is lacking is not data, but clarity in how decisions are made from it.
Data from SBOMs, VEX statements, and third-party disclosures is available. Still, security and compliance decisions are often inconsistent and reactive. Datta points out that the issue is not visibility, but the interpretation of the data. There is also inconsistency in issuing and receiving updated SBOMs: an SBOM is a snapshot, and when a component is upgraded or added, neither the SBOM nor the VEX statements written against the old component versions are reliably re-issued, so consumers make decisions on stale data.
The Role of Governance in Security
As global regulations tighten, inconsistencies persist across industries and regions. Datta notes that VEX statements struggle for acceptance not because of technical limitations, but because suppliers hesitate to assert "not affected" for liability reasons and because the analysis behind such a statement carries technical uncertainty. The result is reliance on bare severity scores, such as CVSS base scores with no product context, which leaves security, engineering, and legal teams arguing over the same number.
Datta emphasizes the need for a governance layer that interprets changes in SBOMs over time rather than treating each SBOM as a static document. Such a layer would join data from SBOMs, VEX statements, and third-party disclosures into a single decision per finding, with the reason for that decision recorded, so that decisions are informed and can be defended later.
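The following is an added example of the kind of join such a layer performs; it is not code from the article or from Datta's research. It diffs two SBOM snapshots, matches components against an advisory feed, overlays VEX statements, and produces one decision with a reason per finding. A VEX statement that covers an older version of a package the SBOM has since upgraded is flagged as stale rather than trusted. The data shapes are simplified and follow no schema exactly; the four status values are the ones used in the CISA minimum requirements for VEX. All package names, advisory identifiers, and statements are constructed placeholders, not real projects or CVEs.

```python
"""Join an SBOM snapshot, a VEX document and an advisory feed into one
decision per (advisory, component), and flag VEX statements that went
stale when the SBOM changed. Added example with constructed data; the
package names and advisory IDs are placeholders, not real projects or CVEs.
"""
from __future__ import annotations

from typing import Any

# Constructed SBOM snapshots of one product, before and after a release.
SBOM_V1: dict[str, Any] = {"components": [
    {"purl": "pkg:npm/example-http@1.6.0"},
    {"purl": "pkg:npm/example-util@4.17.21"},
    {"purl": "pkg:npm/example-legacy@0.9.0"},
]}
SBOM_V2: dict[str, Any] = {"components": [
    {"purl": "pkg:npm/example-http@1.7.0"},    # upgraded since V1
    {"purl": "pkg:npm/example-util@4.17.21"},  # unchanged
    {"purl": "pkg:npm/example-pad@1.3.0"},     # newly added
]}
# Constructed advisory feed: which exact versions of a package are affected.
ADVISORIES: list[dict[str, Any]] = [
    {"id": "EXAMPLE-0001", "package": "pkg:npm/example-http",
     "affected_versions": {"1.6.0", "1.7.0"}, "severity": "HIGH"},
    {"id": "EXAMPLE-0002", "package": "pkg:npm/example-util",
     "affected_versions": {"4.17.21"}, "severity": "MEDIUM"},
    {"id": "EXAMPLE-0003", "package": "pkg:npm/example-pad",
     "affected_versions": {"1.3.0"}, "severity": "LOW"},
]
# Constructed VEX written against SBOM_V1; nobody re-issued it after the upgrade.
VEX: dict[str, Any] = {"statements": [
    {"vulnerability": "EXAMPLE-0001", "product": "pkg:npm/example-http@1.6.0",
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": "EXAMPLE-0002", "product": "pkg:npm/example-util@4.17.21",
     "status": "not_affected"},  # a claim with no justification attached
]}


def split_purl(purl: str) -> tuple[str, str]:
    """'pkg:npm/example-http@1.6.0' -> ('pkg:npm/example-http', '1.6.0').
    Scoped names are percent-encoded in purls, so the last '@' starts the version."""
    package, _, version = purl.rpartition("@")
    return package, version


def diff_sboms(old: dict, new: dict) -> dict[str, list]:
    """What changed between two SBOM snapshots, keyed by package name."""
    old_v = dict(split_purl(c["purl"]) for c in old["components"])
    new_v = dict(split_purl(c["purl"]) for c in new["components"])
    common = set(old_v) & set(new_v)
    return {
        "added": sorted(set(new_v) - set(old_v)),
        "removed": sorted(set(old_v) - set(new_v)),
        "upgraded": sorted((p, old_v[p], new_v[p]) for p in common if old_v[p] != new_v[p]),
    }


def vex_lookup(vex: dict, vuln_id: str, purl: str) -> tuple[dict | None, bool]:
    """Return (statement, stale). A statement for the same vulnerability and
    package but a different version is returned as stale: it was never
    re-issued for the component version the SBOM now lists."""
    package, _ = split_purl(purl)
    stale = None
    for s in vex["statements"]:
        if s["vulnerability"] != vuln_id:
            continue
        if s["product"] == purl:
            return s, False
        if split_purl(s["product"])[0] == package:
            stale = s
    return stale, stale is not None


def decide_one(vuln_id: str, purl: str, severity: str, vex: dict) -> dict:
    """Turn one advisory match into a decision plus the reason it was made."""
    stmt, stale = vex_lookup(vex, vuln_id, purl)
    if stmt is None:
        decision, reason = "triage", f"no VEX statement; advisory severity {severity}"
    elif stale:
        decision, reason = "review", f"stale VEX: statement covers {stmt['product']}, SBOM lists {purl}"
    elif stmt["status"] == "not_affected":
        if stmt.get("justification"):
            decision, reason = "accept", f"not_affected: {stmt['justification']}"
        else:
            decision, reason = "review", "not_affected claimed without a justification"
    elif stmt["status"] == "affected":
        decision, reason = "remediate", stmt.get("action_statement", "supplier reports affected")
    elif stmt["status"] == "fixed":
        decision, reason = "review", "VEX says fixed but the advisory still lists this version as affected"
    else:  # under_investigation
        decision, reason = "track", "supplier still investigating"
    return {"id": vuln_id, "purl": purl, "severity": severity, "decision": decision, "reason": reason}


def decide(sbom: dict, vex: dict, advisories: list[dict] = ADVISORIES) -> list[dict]:
    """Join SBOM components against the advisory feed, then overlay VEX."""
    rows = []
    for c in sbom["components"]:
        package, version = split_purl(c["purl"])
        for adv in advisories:
            if adv["package"] == package and version in adv["affected_versions"]:
                rows.append(decide_one(adv["id"], c["purl"], adv["severity"], vex))
    return rows


if __name__ == "__main__":
    print("SBOM delta:", diff_sboms(SBOM_V1, SBOM_V2))
    for row in decide(SBOM_V2, VEX):
        print(f"{row['id']} {row['purl']}: {row['decision']} ({row['reason']})")
```

Run against the second snapshot, the upgraded package's "not_affected" statement is no longer accepted because it names the old version, the unjustified "not_affected" claim is sent for review instead of being trusted, and the newly added package with no statement at all falls back to severity-driven triage. The reason string on each row is the record a team would need to defend the decision later.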
Future Outlook and Urgency
Advances in AI have sharply shortened the time from vulnerability disclosure to exploitation, underscoring the urgency of better security measures. Datta warns that documentation which is only updated occasionally cannot keep pace with these threats. Current regulatory pressures, including SBOM mandates and secure-development requirements, further highlight the need for robust security frameworks.
The pressing question remains: can organizations defend how they reached their security decisions? Without a unified decision model, the answer is often no. Moving forward, the focus must shift towards a decision intelligence framework that manages components across their lifecycle and, in doing so, fortifies supply chain security.
