-
Notifications
You must be signed in to change notification settings - Fork 21
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1 from bunnyshebash/updatesv1
resolving #13
- Loading branch information
Showing
1 changed file
with
20 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| We claim in our goals and purpose that there are barriers to SBOM adoption. We should be more clear about this. | ||
|
|
||
| Rather than just claim this is true, we should find a way to determine this with data. Are there existing studies on the topic we can reuse? Is someone willing to conduct a survey with this group? | ||
|
|
||
| How can we move this question forward in a scientific manner that isn't made up data. | ||
|
|
||
|
|
||
| To claim that there are barriers to adoption simply because different formats, structures, and tools exist is to reduce issues of complexity to the issues of impediments and doesn't actually paint a picture as to *how* such complexity poses challenges to SBOM adoption. In order to move this issue forward in a scientific manner, claims regarding barriers to adoption, adoption rates, and SBOM readiness and maturity need to be substantiated by data. In order to flesh out the current barriers to SBOM adoption, we need to assess quantitative or qualitative data regarding the challenges that entities or individuals face in their SBOM journey. | ||
|
|
||
| The Linux Foundation SBOM Report (https://linuxfoundation.org/wp-content/uploads/LFResearch_SBOM_Report_020422.pdf) is an exempler data set to begin detailing challenges to adoption. For example, the study directly queried the respondent's SBOM readiness by asking, "What is your group's current SBOM readiness?" 90% of organizations have started their SBOM journey, while 10% of organizations have not begun planning their SBOM journeys. Of the segment that have started their SBOM journeys, 14% are in a planning or development phase, 52% are addressing SBOMs in a few, some, or many areas of their business, and 23% are addressing SBOMs across all areas that include the use of SBOMs. Thus, 76% of organizations surveyed have a tangible degree of SBOM readiness. This level of "tangible readiness" indicates further analysis is warranted in order to account for the composition of "barriers" and what type of entities or individuals experience these barriers to SBOM adoption. | ||
|
|
||
| The Linux report categorizes respondents into three readiness levels, *SBOM Procrastinators*, *SBOM Early Adopters*, and *SBOM Innovators*. Procrastinators include respondents who have not started to address SBOMs, and respondents who are planning how to address SBOMs, or beginning to address SBOMs. SBOM procrastinators account for 24% of total respondents; 41% of SBOM procrastinators (10% of the overall sample) have not started their SBOM journey, while 58% of SBOM procrastinators are planning to address or beginning to address SBOMs. | ||
|
|
||
| SBOM Early Adopters include respondents who have addressed producing or consuming SBOMs across some portion of their business. SBOM Early Adopters account for 53% of the total sample: 29% are addressing SBOMs in a few segments of their business, 42% across some segments, and 28% are addressing SBOMs across many segments. SBOM Innovators include organizations that are highly committed and experienced in SBOM use. Innovators account for 23% of the total sample: 62% are addressing SBOMs across almost all segments of their business while 38% have standard practices in place for using SBOMs. | ||
|
|
||
| Accounting for barriers to adoption along these lines is warranted. Conducting deeper analysis or user research may account for why (1) 10% of the overall study sample have not started their SBOM journey, while also providing insight into adoption barrier composition and how these barriers are (2) accounted for and overcome in the planning phase and beginning to plan phase also experienced by *SBOM Procrastinators*. To be clear, segments (1) and (2) just mentioned together comprise the *SBOM Procrastinator* readiness level as defined by the LF Report. | ||
|
|
||
| Comparison of (A) SBOM readiness levels to (B) plans to produce SBOMs reveals that organizations may not be as far along as "readiness" would suggest. While 14% of the sample indicated that they were in planning/beginning phase of SBOM readiness, 40% of the overall sample is in the SBOM production planning phase (i.e. will be producing SBOMs in the next 6-24 months). While 38% claimed they were addressing SBOMs in a "few or some" segments, only 20% of the overall sample indicated they are producing SBOMs in a "few or some segments". | ||
|
|
||
| These are just a few examples of the critical role of qualitative and quantitative data. Next steps may include (1) a adding a comprehensive executive summary of the LF SBOM report, (2) identifying and validating our problem set, (3) identifying remaining problems that are not addressed by available data, (4) drafting a research plan to address remaining questions. |