In this episode, Jordi Mon, Marketing Director at System Package Data Exchange (SPDX), discusses the growing concerns about software supply chain security, particularly in the context of open source software. Mon emphasizes the need for transparency and security in the supply chain, with a focus on the importance of SBOMs (Software Bills of Materials) and the challenges of creating and managing them. Mon also raises concerns about the Cyber Resilience Act (CRA) and its potential impact on the software industry.
Understanding Software Supply Chain Security
- As the software supply chain becomes increasingly vital to global infrastructure, the importance of transparency and security cannot be overstated.
- Mon distinguishes the software supply chain, the commercial relationships between vendors and their clients, from the software dependency chain, the relationships between open-source maintainers and the projects that consume their code. The two look alike on the surface but are fundamentally different in nature: a vendor owes its client a contract, whereas an open-source maintainer owes downstream consumers nothing beyond the licence, which in most open-source licences explicitly disclaims any warranty.
- While the U.S. has been leading the charge in drafting regulations to mandate the use of SBOMs, Europe is also moving in this direction, albeit at a slower pace.
Responsibility in the Software Supply Chain
- One of the key challenges in implementing SBOMs lies in determining responsibility. With so many players involved in the software supply chain, it can be difficult to pinpoint who should be accountable for creating and maintaining SBOMs.
- Mon highlights that, as it stands, there is no specific regulation that assigns liability for SBOM creation or consumption. However, there is a growing consensus that software creators should attach SBOMs to the components they produce.
- Mon also points out that responsibility within the SBOM ecosystem is not held by any single party; it is distributed across the stakeholders in the software supply chain, from the producers who generate SBOMs to the consumers who have to read and act on them.
Software Supply Chain Security and Transparency
- Not all stakeholders in the software supply chain are eager to embrace SBOMs. Mon explains that closed-source companies, in particular, may be reluctant to create and publish them for security reasons, since an SBOM discloses exactly which components and versions a product contains.
- As Mon points out, the development of automated tools and standards like SPDX can significantly reduce the effort required to generate SBOMs.
- During the summit, a live demonstration showed that a minimum viable SBOM could be created in just five minutes—a task that is achievable for almost any organization.
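To make concrete what a "minimum viable SBOM" in SPDX actually contains, the following script is an added example; it is not code from the SPDX project, the Linux Foundation, or the summit demonstration. It walks a source tree, hashes every file, derives the SPDX package verification code, and emits only the fields the SPDX 2.3 JSON format marks as mandatory, using nothing but the Python standard library. The package name, version, namespace base URL (`example.invalid`), tool creator string and the sample tree it builds are all constructed for illustration. It also includes a check that reports which mandatory fields a document is missing, which is the first thing a consumer would want to run on an SBOM handed to them.

```python
"""Minimal SPDX 2.3 JSON SBOM generator (added example, not SPDX project code)."""
import hashlib
import json
import tempfile
import uuid
from datetime import datetime, timezone
from pathlib import Path

TOOL = "Tool: minimal-spdx-example-0.1"  # hypothetical creator string, assumption
MANDATORY_DOC = ("spdxVersion", "dataLicense", "SPDXID", "name",
                 "documentNamespace", "creationInfo")


def file_checksums(path: Path) -> dict:
    """SHA-1 is the mandatory per-file checksum in SPDX 2.3; SHA-256 is added for strength."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return {"SHA1": sha1.hexdigest(), "SHA256": sha256.hexdigest()}


def verification_code(file_sha1s) -> str:
    """SPDX package verification code: SHA-1 over the sorted, concatenated file SHA-1 hex strings."""
    return hashlib.sha1("".join(sorted(file_sha1s)).encode("ascii")).hexdigest()


def build_sbom(root, package_name: str, version: str,
               namespace_base: str = "https://example.invalid/spdx") -> dict:
    """Walk `root` and return a minimal SPDX 2.3 document describing it as one package."""
    root = Path(root)
    pkg_id = "SPDXRef-Package"
    files, sha1s, relationships = [], [], []
    for i, path in enumerate(sorted(p for p in root.rglob("*") if p.is_file())):
        sums = file_checksums(path)
        fid = f"SPDXRef-File-{i}"  # numeric ids avoid collisions from sanitised paths
        sha1s.append(sums["SHA1"])
        files.append({
            "fileName": "./" + path.relative_to(root).as_posix(),
            "SPDXID": fid,
            "checksums": [{"algorithm": a, "checksumValue": v} for a, v in sums.items()],
            "licenseConcluded": "NOASSERTION",
            "copyrightText": "NOASSERTION",
        })
        relationships.append({"spdxElementId": pkg_id, "relationshipType": "CONTAINS",
                              "relatedSpdxElement": fid})
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",  # the SPDX document itself is always CC0-1.0
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{package_name}-{version}",
        # the namespace must be a unique URI; a UUID suffix guarantees uniqueness per build
        "documentNamespace": f"{namespace_base}/{package_name}-{version}-{uuid.uuid4()}",
        "creationInfo": {
            "created": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "creators": [TOOL],
        },
        "packages": [{
            "name": package_name,
            "SPDXID": pkg_id,
            "versionInfo": version,
            "downloadLocation": "NOASSERTION",
            "filesAnalyzed": True,  # true => packageVerificationCode is mandatory
            "packageVerificationCode": {"packageVerificationCodeValue": verification_code(sha1s)},
            "licenseConcluded": "NOASSERTION",
            "licenseDeclared": "NOASSERTION",
            "copyrightText": "NOASSERTION",
        }],
        "files": files,
        # the DESCRIBES relationship tells a consumer which element is the document's root
        "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                           "relatedSpdxElement": pkg_id}] + relationships,
    }


def missing_mandatory(doc: dict) -> list:
    """Return the mandatory SPDX 2.3 fields absent from `doc` (empty list = minimally complete)."""
    missing = [k for k in MANDATORY_DOC if k not in doc]
    for p in doc.get("packages", []):
        pid = p.get("SPDXID", "?")
        for k in ("name", "SPDXID", "downloadLocation"):
            if k not in p:
                missing.append(f"packages[{pid}].{k}")
        if p.get("filesAnalyzed", True) and "packageVerificationCode" not in p:
            missing.append(f"packages[{pid}].packageVerificationCode")
    if not any(r.get("relationshipType") == "DESCRIBES" for r in doc.get("relationships", [])):
        missing.append("relationships[DESCRIBES]")
    return missing


def demo_tree() -> Path:
    """Create a small constructed source tree (sample input, not a real project)."""
    root = Path(tempfile.mkdtemp(prefix="spdx-demo-"))
    (root / "src").mkdir()
    (root / "src" / "main.py").write_bytes(b"print('hello')\n")
    (root / "README").write_bytes(b"constructed sample package\n")
    return root


if __name__ == "__main__":
    sbom = build_sbom(demo_tree(), "demo-pkg", "1.0.0")
    assert missing_mandatory(sbom) == []
    print(json.dumps(sbom, indent=2))
```

Everything this script leaves as `NOASSERTION` (supplier, download location, licences) is exactly what turns a minimal SBOM into a useful one, and filling those fields is where the real effort and the responsibility questions above come in; the skeleton itself takes minutes, which is the point of the summit demonstration.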
The European Perspective: Cyber Resilience Act
- Mon also touches on the impact of Europe’s proposed CRA on SBOMs. Unlike the U.S., where the software industry is more established and open-source contributions are more prominent, Europe faces challenges in clearly defining the software supply chain.
- The Act, as currently drafted, does not distinguish between commercial software providers and open-source maintainers.
- Stakeholders in the software dependency chain feel threatened by the Act's failure to distinguish between the two.
- Mon notes that the Linux Foundation Europe and the Eclipse Foundation have both expressed concerns about the Act’s implications as this lack of differentiation could place an undue burden on open-source contributors.
Guest: Jordi Mon (LinkedIn)
Organization: Linux Foundation (Twitter)
This summary was written by Monika Chauhan.