In the last week, Qualys and Dynatrace, firms within the cybersecurity industry, confirmed that they themselves had been swept up in a supply chain attack on the Salesloft Drift marketing platform.
With it, OAuth tokens were stolen, Salesforce data exposed, and attackers slipped in through a trusted third-party integration.
To emphasise, the breach did not stem from their core platforms but from a digital ecosystem they depended on.
The incident landed just as the US and 14 allies issued landmark guidance on software bills of materials (SBOMs) – with this, it’s clear that both the urgency and global attention are now directed at software supply chain security.
So what are SBOMs, how can they help, and what’s causing these vulnerabilities? TechInformed hears from supply chain experts from Lineaje, Schneider Electric, and Enterprise Strategy Group.
A shared vision for SBOMs
An SBOM, or Software Bill of Materials, is essentially a detailed inventory of all the components that make up a piece of software, including open source libraries, third-party code, and dependencies.
Often likened to an ingredient label on food packaging, it matters because most modern applications are assembled from hundreds of external parts, and a hidden flaw in one dependency can expose an entire system.
By maintaining SBOMs, organisations can identify which of their deployed products contain a vulnerable component, respond quickly to incidents, and reassure regulators and customers that their software supply chain is under control.
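To make the "ingredient label" concrete, here is an added example (not code from the article or from any of the firms quoted in it) that parses a small CycloneDX-format SBOM, matches its components against an advisory list, and walks the dependency graph to show the path by which a flawed transitive dependency reaches the application. The SBOM document, the package names and the advisory identifiers are all constructed for illustration; the advisory IDs are placeholders, not real CVEs.

```python
import json

# Constructed CycloneDX-style SBOM for a fictional application.
# Field names (bomFormat, components, purl, bom-ref, dependencies)
# follow the CycloneDX JSON schema; the contents are invented.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "web-portal",
                               "version": "2.3.0", "bom-ref": "app"}},
    "components": [
        {"type": "library", "name": "http-client", "version": "4.1.2",
         "purl": "pkg:pypi/http-client@4.1.2", "bom-ref": "c1"},
        {"type": "library", "name": "yaml-parser", "version": "0.9.8",
         "purl": "pkg:pypi/yaml-parser@0.9.8", "bom-ref": "c2"},
        {"type": "library", "name": "log-shim", "version": "1.0.0",
         "purl": "pkg:pypi/log-shim@1.0.0", "bom-ref": "c3"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["c1", "c2"]},
        {"ref": "c1", "dependsOn": ["c3"]},   # log-shim is only reachable via http-client
        {"ref": "c2", "dependsOn": []},
        {"ref": "c3", "dependsOn": []},
    ],
})

# Constructed advisory feed. IDs are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "purl": "pkg:pypi/log-shim",
     "affected_versions": ["1.0.0", "1.0.1"]},
    {"id": "ADV-PLACEHOLDER-002", "purl": "pkg:pypi/yaml-parser",
     "affected_versions": ["0.9.0"]},
]


def parse_sbom(text):
    """Return (root_ref, components_by_ref, dependency_map) from a CycloneDX JSON string."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    root = bom["metadata"]["component"]
    components[root["bom-ref"]] = root
    deps = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    return root["bom-ref"], components, deps


def split_purl(purl):
    """Split 'pkg:type/name@version' into ('pkg:type/name', 'version')."""
    base, _, version = purl.partition("@")
    return base, version


def find_vulnerable(components, advisories):
    """Return [(bom_ref, advisory_id)] for components whose exact version is listed as affected."""
    hits = []
    for ref, comp in components.items():
        if "purl" not in comp:          # the root application has no purl here
            continue
        base, version = split_purl(comp["purl"])
        for adv in advisories:
            if adv["purl"] == base and version in adv["affected_versions"]:
                hits.append((ref, adv["id"]))
    return hits


def paths_to(root, deps, target):
    """All dependency paths (lists of bom-refs) from root to target; cycles are skipped."""
    results = []

    def walk(node, path, seen):
        if node == target:
            results.append(path)
            return
        for child in deps.get(node, []):
            if child not in seen:
                walk(child, path + [child], seen | {child})

    walk(root, [root], {root})
    return results


def analyse(text, advisories):
    """Report each affected component together with the path that pulls it into the application."""
    root, components, deps = parse_sbom(text)
    report = []
    for ref, adv_id in find_vulnerable(components, advisories):
        for path in paths_to(root, deps, ref):
            report.append({"advisory": adv_id,
                           "component": components[ref]["name"],
                           "path": [components[r]["name"] for r in path]})
    return report


if __name__ == "__main__":
    for finding in analyse(SAMPLE_SBOM, ADVISORIES):
        print(finding["advisory"], "->", " > ".join(finding["path"]))
```

Running it reports the placeholder advisory against log-shim, reached through web-portal > http-client > log-shim, while yaml-parser 0.9.8 is correctly left alone because only 0.9.0 is listed. The version check is an exact string match; real advisory feeds express affected ranges, so a production tool would need a version-range comparison per package ecosystem, but the core value the article describes is visible here: the SBOM tells you not just that a flawed library exists, but which product ships it and through which dependency it arrived.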
On 3 September, 21 government agencies from 15 countries, including the US Cybersecurity and Infrastructure Security Agency (CISA), the NSA, and Japan’s Ministry of Economy, Trade and Industry, published A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity.
The document sets out a common definition of SBOMs, describes their value, and calls for harmonised technical implementations to reduce cost and complexity.
“This milestone reflects a growing international consensus on the importance of software transparency in securing the digital supply chain,” a CISA spokesperson said.
Lukáš Kintr, director of the Czech National Cyber and Information Security Agency, added: “SBOM brings essential transparency into this complex environment and clearly shows what the software is made of. I regard SBOM as a key step toward creating truly secure and resilient software – already from its design.”
Industry under pressure
Melinda Marks, practice director for cybersecurity at analyst firm Enterprise Strategy Group (ESG), stressed that organisations are struggling to secure their rapidly evolving software ecosystems.
“Organisations face growing pressure from AI, open-source adoption, and fast release cycles, but many still rely on fragmented or manual processes,” Marks warned at The Software Supply Chain Security Summit in Vegas.
ESG’s survey data shows that 70% of organisations already use open-source software, with most of the remainder planning to adopt it.
But visibility into developer environments and third-party code remains patchy. Although 74% of companies claim to have robust supply chain security programmes, only 25% generate SBOMs, and 41% still rely on manual code analysis.
“Security teams have to become enablers, not blockers, if they want to keep pace with modern development,” Marks said.
That gap between perception and reality was reiterated by Javed Hasan, chief executive of software security firm Lineaje. “Every breached company we’ve seen has been compliant. Compliance drives budgets, but compliance doesn’t equal security,” he said.
Essentially, many organisations equate compliance with security: they pass audits and file the required reports, but that alone does not guarantee meaningful protection.
“When we show customers what’s actually in their software, they’re usually shocked,” he claims.
Cassie Crossley, vice-president of supply chain security at Schneider Electric, noted that developer environments are still often neglected. “HR, finance, IT systems are usually covered, but dev machines, VMs, and cloud environments, where core infrastructure is built, are often ignored.”
AI as risk and remedy
Generative AI intensifies the problem. It is now common for developers to assemble code rather than write it, often using AI-generated snippets whose provenance is unclear – in other words, “vibe coding.”
While some argue that AI could eventually reduce vulnerabilities, experts caution against complacency.
“Code is code,” said IDC analyst Katie Norton. “What matters is that you’re testing, validating, and securing it. The bigger risks are often overlooked: CI/CD security, build environments, developer identities.”
Crossley points out an optimistic angle: “AI could help us map risks across decades of legacy code in multiple languages and identify attack paths no human has time to find.
“That’s where trust will come from – using AI not just to speed development, but to illuminate the risks in systems we already depend on.”
Toward proactive investment
The impacts of software supply chain breaches extend beyond IT, from regulatory fines to operational disruption and reputational harm, according to Melinda Marks. Yet, as she observed, many firms only allocate fresh budget after an incident. “It’s a reactive cycle that needs to shift toward proactive investment.”
The new joint SBOM guidance aims to help accelerate that shift, giving governments and industries a common framework.
Nobutaka Takeo, a director at Japan’s Ministry of Economy, Trade and Industry, celebrated how software security is being recognised internationally through the guidelines: “We will continue to raise awareness of SBOM.”