Are SBOMs Failing? Supply Chain Attacks Rise as Security Teams Struggle With SBOM Data
SecurityWeek · Archived Apr 22, 2026
Researcher says the missing piece is a governance-driven intelligence layer that turns SBOM and VEX data into explainable security decisions.
SBOMs were introduced and made mandatory in 2021. The intention was, and remains, to provide a list of components within software to improve visibility and better secure the supply chain.
While SBOMs provide a detailed software ingredients list, they do not provide information on any known poisons that might affect the ingredients. Vulnerability Exploitability eXchange declarations (VEX statements) were also introduced – a statement on whether a known vulnerability within an SBOM component is exploitable within the context of its use.
Together, SBOM and VEX were designed to march in step to defeat the supply chain threat. They have failed.
Five years after their introduction, supply chain attacks are more frequent than ever. In March 2026 alone, two attacks (Trivy and Axios) reportedly infected tens of thousands of organizations.
Independent security researcher Devashri Datta, whose research has appeared on Zenodo, OpenSSF, Revenera, and more, has been researching the failure of the SBOM/VEX initiative. She talked to SecurityWeek about her current findings.
“Software supply chain security isn’t suffering from a lack of data,” she concludes; “it’s suffering from a lack of decision clarity.”
The data exists in SBOMs and VEX statements, and vulnerability intelligence and third-party disclosures. “Despite all this data, security and compliance decisions remain inconsistent, difficult to justify, and often reactive. The issue isn’t visibility. It’s interpretation.”
There is also a lack of uniformity in the issuance and receipt of fresh SBOMs. While software providers are required to generate a new SBOM for every new software build (updates, patches, new versions), they are not universally required to deliver these new SBOMs to all customers. Some do, and some don’t. In many cases, if the customer doesn’t request updated SBOMs, it might be unaware that the SBOM has changed.
This is changing, and global regulations are becoming stricter, but still vary between location and industry.
The quality of VEX statements also varies. “VEX has struggled to gain traction,” says Datta, “not because of tooling limitations alone, but because organizations lack confidence in making and defending exploitability assertions. In many cases, this hesitation is driven as much by liability concerns as by technical uncertainty.”
The result, she suggests, is “Security teams rely on severity scores without context, engineering teams lack clear consistent decision criteria, and legal teams operate on disconnected disclosure data.”
The first requirement is for software customers to ensure they have current data. But then, the bigger problem – in Datta’s view – is not simply owning this data but being able to interpret it. “The real problem,” she says, “is the absence of a governance layer that can interpret changes across SBOMs over time.”
So, what is missing is not more data or another tool, but “A unified decision intelligence approach that can operate across these inputs.”
This, she continues, “Can be thought of as a governance-driven intelligence layer that interprets SBOMs as lifecycle signals, not just inventories; uses VEX as contextual input, not absolute truth; integrates third-party disclosures into risk reasoning; and produces decisions that are explainable and defensible.”
The goal is not automation alone but consistent, auditable decision-making across the lifecycle. This is increasingly urgent and important. So far, SBOM and VEX have failed to reduce supply chain attacks at a time when supply chain threats are increasing. The latest AI models in the hands of attackers have collapsed the time from vulnerability discovery to vulnerability exploitation to just hours or less. With this level of speed, defenders’ reliance on outdated documentation becomes a security liability.
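The layer Datta describes above (SBOMs read as lifecycle signals, VEX treated as contextual input rather than absolute truth, third-party disclosures folded into the reasoning, and a decision that carries its own justification) can be sketched as a small policy engine. This is an added illustration, not code from the article or from the researcher; the SBOM snapshots, VEX statements, disclosure feed, vulnerability ids and the policy rules themselves are all constructed for the example.

```python
# Constructed sample data (hypothetical component names, placeholder vuln ids).
SBOM_OLD = {"built": "2026-03-01", "components": {"libfoo": "1.2.0", "libbar": "3.0.1"}}
SBOM_NEW = {"built": "2026-03-20",
            "components": {"libfoo": "1.3.0", "libbar": "3.0.1", "libbaz": "0.9.0"}}
VEX = {  # (component, vuln) -> supplier's exploitability assertion
    ("libfoo", "VULN-EXAMPLE-1"): {"status": "not_affected", "issued": "2026-03-05",
                                   "justification": "vulnerable_code_not_in_execute_path"},
    ("libbar", "VULN-EXAMPLE-2"): {"status": "not_affected", "issued": "2026-02-10",
                                   "justification": None},
}
DISCLOSURES = {"VULN-EXAMPLE-2": {"exploited_in_wild": True}}   # third-party feed
MATCHES = {"libfoo": ["VULN-EXAMPLE-1"], "libbar": ["VULN-EXAMPLE-2"],
           "libbaz": ["VULN-EXAMPLE-3"]}                         # scanner output for SBOM_NEW


def diff_sboms(old, new):
    """Treat consecutive SBOMs as lifecycle signals: what changed between builds."""
    o, n = old["components"], new["components"]
    return {"added": sorted(set(n) - set(o)), "removed": sorted(set(o) - set(n)),
            "changed": sorted(c for c in o if c in n and o[c] != n[c])}


def decide(component, vuln_id, changes, built):
    """Return an action plus the reasons that justify it, so the decision is auditable."""
    reasons = []
    exploited = DISCLOSURES.get(vuln_id, {}).get("exploited_in_wild", False)
    if exploited:
        reasons.append(f"{vuln_id} reported as exploited in the wild")
    vex = VEX.get((component, vuln_id))
    if vex is None or vex["status"] != "not_affected":
        reasons.append("no VEX statement" if vex is None
                       else f"VEX status '{vex['status']}' does not clear the finding")
        return {"action": "remediate" if exploited else "triage", "reasons": reasons}
    if not vex["justification"]:  # an assertion nobody could defend later
        reasons.append("VEX says not_affected but gives no justification; not defensible")
        return {"action": "remediate" if exploited else "triage", "reasons": reasons}
    if component in changes["added"] + changes["changed"] and vex["issued"] < built:
        reasons.append(f"VEX issued {vex['issued']} predates build {built} that changed {component}")
        return {"action": "re-review", "reasons": reasons}  # VEX is context, not truth
    reasons.append(f"VEX not_affected accepted with justification {vex['justification']}")
    return {"action": "accept", "reasons": reasons}


def evaluate(old, new, matches):
    """Run every matched vulnerability through the policy; decisions keyed by (component, vuln)."""
    changes = diff_sboms(old, new)
    return {(c, v): decide(c, v, changes, new["built"])
            for c, vulns in matches.items() for v in vulns}


if __name__ == "__main__":
    for (c, v), d in evaluate(SBOM_OLD, SBOM_NEW, MATCHES).items():
        print(f"{c} {v}: {d['action']} - {'; '.join(d['reasons'])}")
```

Each decision carries the reasons that produced it, which is the property the article says is missing: the record answers "why was this decided" without re-deriving it from severity scores.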
At the same time, says Datta, “Regulatory pressure is increasing with SBOM mandates, secure development requirements, and supply chain transparency requirements.” Now is the time to get ahead of the problem.
“The real challenge is: ‘Can organizations explain why a decision is made and defend it later?’ Without a unified decision model, the answer is often, ‘No’.”
Written by Kevin Townsend
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.