- Defend & Conquer: CISO-Grade Cyber Intel Weekly
Overcoming barriers to SBOM adoption across the software development lifecycle
CybersecurityHQ Report - Pro Members

Welcome reader to a 🔒 pro subscriber-only deep dive 🔒.
Brought to you by:
👉 Cypago – Cyber governance, risk management, and continuous control monitoring in a single platform
🏄♀️ Upwind Security – Real-time cloud security that connects runtime to build-time to stop threats and boost DevSecOps productivity
🤖 Akeyless – The unified secrets and non-human identity platform built for scale, automation, and zero-trust security
🧠 Ridge Security – The AI-powered offensive security validation platform
Executive Summary
Software Bills of Materials (SBOMs) have emerged as a critical component of modern cybersecurity and supply chain management. Despite widespread recognition of their importance, organizations continue to face significant barriers in implementing and maintaining robust SBOM practices across their software development lifecycle (SDLC). This whitepaper analyzes the primary obstacles preventing successful SBOM adoption, drawing on recent industry data and expert insights from 2024-2025.

The research identifies four major categories of barriers: technical challenges including lack of standardization and tool maturity; organizational and cultural resistance stemming from resource constraints and knowledge gaps; regulatory and compliance complexities arising from evolving mandates; and quality and effectiveness issues that undermine SBOM value. These barriers manifest differently across industries, with healthcare and finance leading adoption due to regulatory pressure, while technology companies struggle with scale and complexity despite having technical expertise.

Key findings reveal that while 76% of large enterprises have adopted SBOMs following regulatory mandates, many organizations generate an SBOM only once, at pipeline build time, and never refresh it as dependencies change, so the inventory drifts away from what is actually deployed. The most frequently cited barriers are vulnerability misclassification (cited by 60% of developers), lack of knowledge and awareness (reported by 100% of surveyed developers and 67% of system integrators), and poor SBOM quality (identified by 100% of surveyed B2B organizations and 80% of developers).

To overcome these challenges, organizations must adopt a strategic approach that includes investing in automation and tooling, developing SBOM skills and ownership, starting with high-risk areas, making SBOMs actionable within risk management frameworks, and fostering a culture of transparency. Success requires top-down commitment, integration with existing security workflows, and continuous improvement based on lessons learned from early implementations.
For CISOs, addressing these barriers is essential not only for regulatory compliance but for strengthening overall cybersecurity posture. Organizations that successfully implement robust SBOM practices will be better positioned to respond to supply chain threats, meet customer requirements, and maintain competitive advantage in an increasingly complex software ecosystem.
Introduction
The software supply chain has become increasingly complex, with modern applications relying on hundreds or thousands of dependencies, open-source components, and third-party libraries. This complexity creates significant security risk, as demonstrated by high-profile supply chain incidents such as the SolarWinds build-system compromise (2020) and the Log4Shell vulnerability in the ubiquitous Log4j library (2021), where the hardest question for most organizations was simply which of their systems contained the affected component. In response, Software Bills of Materials (SBOMs) have gained prominence as a critical tool for enhancing supply chain transparency and security.
An SBOM is a machine-readable inventory of the components, libraries, and dependencies within a software product, analogous to an ingredient list for food products, and is typically exchanged in one of two standard formats, SPDX or CycloneDX. Each entry carries at minimum a name, a version, and a unique identifier (such as a package URL) so that it can be matched mechanically against vulnerability advisories. SBOMs enable organizations to quickly identify which systems are affected by a newly disclosed vulnerability, facilitating faster incident response and more effective risk management; an SBOM without identifiers and versions, or one that is no longer current, cannot answer that question.
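The lookup described above, as an added example that is not part of the original report: a small Python script that loads a CycloneDX JSON SBOM, matches each component's package URL against an advisory feed with introduced/fixed version ranges, and reports how old the SBOM is. The SBOM for the hypothetical "orders-api" service and the jackson-databind advisory are constructed sample data; the log4j-core entry uses the real Log4Shell range for CVE-2021-44228 (2.0-beta9 up to, but not including, 2.15.0). The version comparator is deliberately minimal and is an assumption of this example, not a standard.

```python
import json
from datetime import datetime

# Constructed CycloneDX 1.5 JSON SBOM for a hypothetical service "orders-api".
# Sample input for this example only, not a real product's SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-11-05T10:15:00Z",
        "component": {"type": "application", "name": "orders-api", "version": "3.4.0"},
    },
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.15.2", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
})

# Advisory feed keyed by version-less PURL. The log4j-core range is the real
# CVE-2021-44228 (Log4Shell) range; the jackson-databind entry is a constructed
# placeholder used only to show a component that sits just outside a range.
ADVISORIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [
        {"id": "CVE-2021-44228", "introduced": "2.0-beta9", "fixed": "2.15.0"},
    ],
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind": [
        {"id": "EXAMPLE-0001 (constructed)", "introduced": "2.0.0", "fixed": "2.15.2"},
    ],
}


def version_key(version):
    """Minimal comparator: dotted numeric parts, with a '-suffix' pre-release sorting
    below the bare version. Real tooling must use ecosystem-specific version rules."""
    main, _, suffix = version.partition("-")
    key = [int(p) if p.isdigit() else 0 for p in main.split(".")]
    if suffix:
        key.append(-1)
    return key


def version_lt(a, b):
    """True when version a sorts strictly before version b."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    return ka + [0] * (width - len(ka)) < kb + [0] * (width - len(kb))


def in_affected_range(version, introduced, fixed):
    """True when introduced <= version < fixed (fixed=None means no fix published)."""
    if version_lt(version, introduced):
        return False
    return fixed is None or version_lt(version, fixed)


def affected_components(sbom_json, advisories):
    """One finding per (component, advisory) pair whose version falls in the range."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no unique identifier: the component cannot be matched reliably
        base, _, version = purl.split("?", 1)[0].rpartition("@")  # drop qualifiers, split off version
        version = version or comp.get("version", "")
        for adv in advisories.get(base, []):
            if in_affected_range(version, adv["introduced"], adv["fixed"]):
                findings.append({"advisory": adv["id"], "component": comp["name"],
                                 "version": version, "fixed_in": adv["fixed"]})
    return findings


def sbom_age_days(sbom_json, now_iso):
    """Days between metadata.timestamp and now_iso (both ISO 8601). A large value is
    the 'generated once at build time and never refreshed' failure the text describes."""
    stamp = json.loads(sbom_json)["metadata"]["timestamp"].replace("Z", "+00:00")
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    return (now - datetime.fromisoformat(stamp)).days


if __name__ == "__main__":
    for f in affected_components(SAMPLE_SBOM, ADVISORIES):
        print(f"{f['component']}@{f['version']} affected by {f['advisory']} (fixed in {f['fixed_in']})")
    print("SBOM age in days:", sbom_age_days(SAMPLE_SBOM, "2025-01-04T10:15:00Z"))
```

Run against the constructed SBOM, the script flags log4j-core 2.14.1 for CVE-2021-44228 and leaves jackson-databind 2.15.2 alone because the advisory's fixed version is exclusive. The age check matters as much as the match: a 60-day-old SBOM describes what was built two months ago, and a component upgraded or added since then is invisible to this query unless the SBOM is regenerated on every build and at every deployment.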
Despite growing recognition of their importance, many organizations struggle to implement and maintain robust SBOM practices. Surveys indicate that while awareness is high, actual implementation remains challenging. Recent data shows that even among organizations that have adopted SBOMs, many fail to keep them updated or integrate them effectively into their security workflows.
This whitepaper examines the barriers preventing successful SBOM implementation, analyzing technical, organizational, regulatory, and quality-related challenges. It provides industry-specific insights and strategic recommendations for Chief Information Security Officers (CISOs) seeking to overcome these obstacles and build effective SBOM capabilities.
The analysis draws on recent industry surveys, expert interviews, and case studies from various sectors including healthcare, finance, and technology. The findings reflect the current state of SBOM adoption as of 2025, incorporating lessons learned from early implementations and evolving regulatory requirements.
Understanding these barriers is crucial for organizations seeking to strengthen their software supply chain security. As regulatory pressure increases and customer demands for transparency grow, the ability to implement and maintain robust SBOMs will become a competitive differentiator and operational necessity.

Subscribe to CybersecurityHQ Newsletter to unlock the rest.