March 21, 2024

The Software Supply Chain has a Software Distribution Chain Problem!

Executive Order 14028 requires that software consumers assess SBOMs and related compliance artifacts when software is procured or upgraded. How do they get those SBOMs from their software sellers? We discuss how software producers, software sellers, and software consumers can collaborate to mitigate risk and improve the software they are all so deeply invested in.

The Software Distribution Chain

The software distribution chain (call it the Software Consumption Chain) is the large ecosystem through which software producers deliver their software to their consumers. This chain also delivers the revenue that funds the software supply chain's existence and growth. According to Statista, global IT spending exceeded $4.4 trillion in 2022. Millions of organizations purchase software every year, and they have one thing in common: they don’t know what’s in the software they buy or how to assess it.

This vast distribution chain consists of:

  • Software producers, who toil hard to create the great software we all use. They select components from a vast software ecosystem, including open source software, and build their own intellectual property on top of it. They package and deliver or deploy it. This software is then monetized through direct sales, indirect sales channels, system integrators, MSPs, and others. All revenue flows through these routes to software producers and sustains their vast software ecosystem.
  • Software consumers, who unlock the value locked inside the creations of software producers. They use this software to solve business and technical problems. The more value they create with each piece of software they use, the more valuable it becomes. Without software consumers, software producers would not exist. However, software consumers have a significant concern: they spend significant resources to configure, manage, update, and upgrade the software they use. As their digital sprawl increases, software management and security efforts are overwhelming them.
  • Software sellers, who help software producers reach software customers. Software sellers sell directly to customers and work through distributors, resellers, and system integrators. They learn the software they sell. They are passionate about the value it can create, and they toil to ensure that software consumers are taken care of. They make the business of software possible.

As this great software distribution chain creates more than $5 trillion in value and wealth in 2024, there is a concern: will my software producer put my business at risk? Just as you need to know what’s in the food you buy, software consumers need to know what is in the software they buy from you. They need the ability to assess the ingredients. If there are bad ingredients, it affects not just the software producer but everyone in the software distribution chain.

Everyone understands that most software is imperfect, but knowing the inherent risks in software helps consumers stay safe while operating it. A fully accurate, attested, assessed, and compliant SBOM helps them select and operate the best software for their business needs. Transparency creates better, more secure usage of the software.

Hence, Executive Order 14028 is driving this transparency. However, software sellers now have a new friction point in their well-oiled machines: they must ensure that an attested and compliant SBOM gets to the right software consumer when needed. They have a huge stake in the success of both software producers and consumers.

Building an accurate SBOM is challenging; distributing it privately and securely is complex

As software moves from software developers to software sellers, it changes in deep ways. This causes specific challenges for the distribution chain that must be addressed.

  1. Software producers build products; software consumers buy SKUs. Software producers build software products but sell software SKUs, so sellers sell SKUs. SKUs differ from products for many reasons: language, currency, bundling, unbundling, governmental regulations, compliance, technical stack support, and more. Each product that we create may ship in hundreds of configurations and tens of languages, and be assembled into attractive bundles that delight software consumers. This allows us to deliver just the right value and product configuration to each consumer. This takes us to the first wrinkle of the distribution chain: can you publish and share an accurate SBOM per SKU you sell?
  2. SBOMs and their attestations are valuable. Should they be public and available to everyone, or privately distributed? With 70–80 percent of software made up of third-party and open-source components, SBOMs reveal the recipe of the software they describe. Most software producers we have spoken to want to publish their SBOM and artifacts privately only. So, we want to ensure private, controlled sharing while maintaining the benefit of frictionless selling. The right balance between privacy and sharing of published SBOMs has to be struck.
  3. Everyone needs to share SBOMs. So how do you control sharing of SBOMs and artifacts? Sellers at software-producing organizations need the ability to share SBOMs and artifacts with their customers during and after the sales cycle. The indirect channel needs to do so as well: distributors need to share with resellers, resellers with software consumers, and so on. They all want to be able to share a published SBOM and artifacts as needed. Additionally, the software consumer needs the ability to let multiple people in their organization access and assess SBOMs, for tasks ranging from reviewing licensing terms to searching for a newly discovered vulnerability, checking open-source usage, or assessing third-party risk. At the same time, losing control over the SBOM and artifacts can cause all kinds of challenges. The ability to share SBOMs with full visibility and control over them is critical.
  4. Producers create product portfolios, consumers buy from many vendors, distributors deal with everyone, and new software versions appear faster every day. No one manages only one product and one version. The distribution chain and software consumers deal with hundreds of products, all evolving. Software consumers need access to the SBOM and related artifacts of every version of every product from all their vendors. Software sellers rarely sell a single product. Software distributors distribute entire portfolios from hundreds or thousands of vendors. Software consumers buy hundreds of products every year. And SBOMs and their artifacts are complex digital artifacts that can contain thousands of component details. We need a distribution chain solution that can scale to these environments.
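The per-SKU wrinkle in item 1 and the "which SKUs and versions contain this component" need in items 3 and 4 can be made concrete with a small script. The example below is an added illustration, not code from Lineaje or from SBOM360 Hub; the product SBOM, the SKU manifest, the component hashes and the `derivedFrom` property are all constructed sample data in a CycloneDX-like JSON shape. It derives one SBOM per SKU from a product-level SBOM, refuses to build a SKU that references components the product SBOM does not list, fixes a canonical digest for each derived SBOM so a consumer can check it was not altered in transit, and answers the lookup question a consumer asks after a vulnerability disclosure.

```python
import hashlib
import json

# Constructed product-level SBOM (sample data, CycloneDX-like shape; not a real product).
PRODUCT_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "acme-suite", "version": "3.2.0"}},
    "components": [
        {"name": "core-engine", "version": "3.2.0",
         "purl": "pkg:generic/acme/core-engine@3.2.0",
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},
        {"name": "reporting-module", "version": "1.4.1",
         "purl": "pkg:generic/acme/reporting-module@1.4.1",
         "hashes": [{"alg": "SHA-256", "content": "b" * 64}]},
        {"name": "lang-pack-de", "version": "3.2.0",
         "purl": "pkg:generic/acme/lang-pack-de@3.2.0",
         "hashes": [{"alg": "SHA-256", "content": "c" * 64}]},
        {"name": "libfoo", "version": "2.9.0",
         "purl": "pkg:npm/libfoo@2.9.0",
         "hashes": [{"alg": "SHA-256", "content": "d" * 64}]},
    ],
}

# Constructed SKU manifest: which product components (by purl) each sellable SKU ships.
SKU_MANIFEST = {
    "ACME-SUITE-STD-EN": [
        "pkg:generic/acme/core-engine@3.2.0",
        "pkg:npm/libfoo@2.9.0",
    ],
    "ACME-SUITE-PRO-DE": [
        "pkg:generic/acme/core-engine@3.2.0",
        "pkg:generic/acme/reporting-module@1.4.1",
        "pkg:generic/acme/lang-pack-de@3.2.0",
        "pkg:npm/libfoo@2.9.0",
    ],
}


def build_sku_sbom(product_sbom, sku, purls):
    """Derive the SBOM for one SKU by selecting components from the product SBOM.

    A SKU may only ship what the product SBOM accounts for; an unknown purl
    means the manifest and the product SBOM have drifted apart, so fail loudly.
    """
    by_purl = {c["purl"]: c for c in product_sbom["components"]}
    missing = [p for p in purls if p not in by_purl]
    if missing:
        raise ValueError(f"SKU {sku} references components absent from product SBOM: {missing}")
    base = product_sbom["metadata"]["component"]
    return {
        "bomFormat": product_sbom["bomFormat"],
        "specVersion": product_sbom["specVersion"],
        "metadata": {"component": {
            "name": sku,
            "version": base["version"],
            # Hypothetical property recording which product build this SKU came from.
            "properties": [{"name": "derivedFrom", "value": f"{base['name']}@{base['version']}"}],
        }},
        "components": [by_purl[p] for p in purls],
    }


def canonical_digest(sbom):
    """SHA-256 over a canonical JSON serialisation, so the same SBOM always hashes the same."""
    data = json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def build_all(product_sbom, manifest):
    """Produce {sku: {"sbom": ..., "sha256": ...}} for every SKU in the manifest."""
    built = {}
    for sku, purls in manifest.items():
        sbom = build_sku_sbom(product_sbom, sku, purls)
        built[sku] = {"sbom": sbom, "sha256": canonical_digest(sbom)}
    return built


def verify(sbom, expected_digest):
    """Consumer-side check: does the SBOM received match the digest published for it?"""
    return canonical_digest(sbom) == expected_digest


def skus_shipping(built, purl_prefix):
    """Which SKUs ship a component? Useful when a vulnerability is disclosed for it."""
    return sorted(
        sku for sku, entry in built.items()
        if any(c["purl"].startswith(purl_prefix) for c in entry["sbom"]["components"])
    )


if __name__ == "__main__":
    catalogue = build_all(PRODUCT_SBOM, SKU_MANIFEST)
    for sku, entry in catalogue.items():
        print(sku, len(entry["sbom"]["components"]), "components", entry["sha256"][:16])
    print("SKUs shipping libfoo:", skus_shipping(catalogue, "pkg:npm/libfoo@"))
```

The digest is the piece that makes private distribution workable: the SBOM itself can travel through distributors and resellers, while the producer publishes (or attests to) only the digest, and the consumer runs `verify` on whatever copy reaches them. Signing that digest, and mapping SKU versions to product versions, are the next steps a real pipeline would add.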

So, to comply, assess, attest, update, search, remediate, and understand risk, the software distribution chain needs a solution that goes well beyond an immutable, attested, assessed, compliant SBOM.

Well, the software distribution chain has a software supply chain problem! Software that is not built securely will compromise its customers, and the whole $5 trillion ecosystem loses.

Luckily, there is a solution tailor-made for the distribution chain. Talk to Lineaje Inc.

Evaluate our new SBOM360 Hub for software consumers, distributors, and resellers.