2024 was a tale of two halves for much of the Software Composition Analysis (SCA) industry. Having spoken with several executives from various SCA companies, it was fascinating to learn how many of us had seen the same business pattern. The tailwinds of Q4 2023 kicked off a strong start to the year, only for momentum to pause around the halfway mark; July and August were some of the slowest months we have seen in years. Just as this difficult business climate looked to be taking hold, Q4 2024 ramped up almost overnight and put the industry back on track for the year. Will 2025 establish a similar pattern or pave its own path forward? Let's examine the trends we think will emerge in 2025.
1. SCA will give way to SBOM Management
Government requirements for a software bill of materials (SBOM) have been on the books for several years: in the US, Executive Order 14028 (May 2021) directed federal agencies to require SBOMs from their software suppliers, and NTIA published the minimum elements of an SBOM that July. Late in 2023 it seemed like the US was poised to begin broad enforcement. Outside of the US Food and Drug Administration, which since late 2023 has required an SBOM in premarket submissions for "cyber devices" under section 524B of the FD&C Act, governments in 2024 mostly maintained a collaborative approach and continued to encourage adoption rather than enforce it.
These public-private collaboration efforts highlighted that the true challenge of SBOMs is managing the SBOM workflow, not generating an SBOM. Several SCA companies introduced "SBOM Management" as a new capability or feature of their tool(s), but none of these offerings had a significant impact: largely they were limited to ingesting SBOMs and combining several of them into one larger SBOM, which is far from SBOM Management. 2025 will see the introduction of robust SBOM Management tools that validate the structure of an SBOM, verify the data within it, augment missing data and correct incorrect data, normalize data between disparate tools, and create SBOMs for mass distribution.
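To make the difference between "ingest and merge" and the management workflow described above concrete, here is an added example (not FossID's code or any product's) of the four steps run over a single CycloneDX-style JSON document: structural validation, data verification, augmentation of missing purls, and normalization with de-duplication. The sample SBOM, its component names and its defects are constructed for illustration; the `default_purl_type` parameter is an assumption supplied by the caller, because an SBOM that lacks purls does not say which ecosystem its components come from.

```python
"""Minimal SBOM management pass over a CycloneDX-style JSON document (added example)."""
import json
import re
from copy import deepcopy
from typing import Any

# Constructed sample SBOM (not a real product's SBOM). Deliberate defects:
#   components[1] has no purl                      -> augmentation target
#   components[2] purl version != version field    -> verification finding, not auto-corrected
#   components[3] duplicates components[0] with different name casing/whitespace -> normalization target
#   components[4] has no version at all            -> flagged, cannot be fixed automatically
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "express", "version": "4.19.2"},
        {"type": "library", "name": "minimist", "version": "1.2.8", "purl": "pkg:npm/minimist@1.2.6"},
        {"type": "library", "name": " Lodash ", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "left-pad"},
    ],
})

# Simplified purl grammar: pkg:<type>/<path>@<version>[?qualifiers][#subpath]
PURL_RE = re.compile(r"^pkg:(?P<type>[a-z0-9.+-]+)/(?P<path>.+?)@(?P<version>[^?#]+)(?:[?#].*)?$")
REQUIRED_TOP = ("bomFormat", "specVersion", "components")


def validate_structure(doc: Any) -> list[str]:
    """Step 1: is this shaped like a CycloneDX document at all? Returns a list of structural errors."""
    if not isinstance(doc, dict):
        return ["document is not a JSON object"]
    errors = [f"missing top-level field: {k}" for k in REQUIRED_TOP if k not in doc]
    if doc.get("bomFormat") != "CycloneDX":
        errors.append(f"unexpected bomFormat: {doc.get('bomFormat')!r}")
    comps = doc.get("components")
    if comps is not None and not isinstance(comps, list):
        errors.append("components is not a list")
        return errors
    for i, c in enumerate(comps or []):
        if not isinstance(c, dict):
            errors.append(f"components[{i}] is not an object")
            continue
        errors += [f"components[{i}] missing required field: {k}" for k in ("type", "name") if not c.get(k)]
    return errors


def verify_components(doc: dict) -> list[str]:
    """Step 2: semantic checks on data that is structurally present."""
    findings = []
    for i, c in enumerate(doc.get("components", [])):
        label = f"components[{i}] ({c.get('name', '').strip()})"
        if not c.get("version"):
            findings.append(f"{label}: no version; cannot be matched against vulnerability or license data")
        purl = c.get("purl")
        if purl is None:
            findings.append(f"{label}: no purl")
            continue
        m = PURL_RE.match(purl)
        if not m:
            findings.append(f"{label}: malformed purl {purl!r}")
        elif c.get("version") and m.group("version") != c["version"]:
            findings.append(f"{label}: purl version {m.group('version')} != version field {c['version']}")
    return findings


def augment_components(doc: dict, default_purl_type: str) -> dict:
    """Step 3: derive a purl where name and version exist but purl is absent.
    default_purl_type (e.g. "npm") is an assumed ecosystem supplied by the caller."""
    out = deepcopy(doc)
    for c in out.get("components", []):
        if not c.get("purl") and c.get("name") and c.get("version"):
            c["purl"] = f"pkg:{default_purl_type}/{c['name'].strip()}@{c['version']}"
    return out


def normalize_components(doc: dict) -> dict:
    """Step 4: canonicalize names and drop duplicates so downstream tools see one entry per component.
    Case-folding the purl path for the dedupe key is an assumption suited to ecosystems with
    case-insensitive package names; adjust per purl type in a real tool."""
    out = deepcopy(doc)
    seen: dict[tuple, dict] = {}
    for c in out.get("components", []):
        c["name"] = c["name"].strip()
        m = PURL_RE.match(c["purl"]) if c.get("purl") else None
        if m:
            key = ("purl", m.group("type"), m.group("path").lower(), m.group("version"))
        else:
            key = ("name", c["name"].lower(), c.get("version"))
        seen.setdefault(key, c)
    out["components"] = sorted(seen.values(), key=lambda c: (c["name"].lower(), c.get("version") or ""))
    return out


def manage_sbom(sbom_json: str, default_purl_type: str) -> dict:
    """Run the whole pass. Findings are reported on the input; 'remaining' lists what could not be fixed."""
    doc = json.loads(sbom_json)
    errors = validate_structure(doc)
    if errors:
        return {"errors": errors, "findings": [], "remaining": [], "sbom": None}
    findings = verify_components(doc)
    fixed = normalize_components(augment_components(doc, default_purl_type))
    return {"errors": [], "findings": findings, "remaining": verify_components(fixed), "sbom": fixed}


if __name__ == "__main__":
    print(json.dumps(manage_sbom(SAMPLE_SBOM, "npm"), indent=2))
```

Note what is and is not corrected: the missing purl for `express` is derivable and gets filled in, the duplicate `Lodash` entry collapses into `lodash`, but the `minimist` version conflict and the version-less `left-pad` are only flagged, because silently picking one value would hide exactly the kind of supplier data problem an SBOM workflow exists to surface.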
SCA technologies that fail to evolve with the SBOM requirement will be left behind by the market.
2. Private Industry will drive SBOM adoption, not regulatory compliance
On a global scale, governments are still defining SBOM requirements, and 2026 looks like the realistic timeline for enforcement. However, since the US NTIA published the minimum elements of an SBOM in July 2021, various industries have been refining their own SBOM requirements, and 2024 saw the first stages of broad agreement on SBOM adoption within industries such as Automotive, Healthcare, and Financial Services.
Under the banner of Software Supply Chain Security, several of the largest private companies in these industries have adopted the SBOM and are driving that requirement down through their supplier ecosystems, codifying it in the terms and conditions of their contracts. As a result, 2025 will see broad adoption of SBOMs driven by private industry, not government regulation. One could argue that it is the collaborative nature of the interactions between governments and industry that has led to this. Either way, putting off the SBOM requirement until 2026 will not likely be an option.
3. The Emergence of the SBOM Troll
The new regulatory standards requiring the creation and delivery of SBOMs at scale will have very positive effects on the ability of governments and organizations to manage the risks associated with open source software. Today, the primary risk associated with open source software is seen as a security risk. In 2025, we will begin to see industry take license-violation risk more seriously. While license risk has long been analyzed and mitigated as part of Mergers and Acquisitions (M&A) due diligence, broad adoption of best practices for identifying and managing this risk elsewhere has not happened.
With the emergence of the SBOM, a listing of all the unique components used to build a particular application, it becomes much easier for outside parties to learn the complete makeup of a piece of software. To date, one reason license risk has been ignored is that even if an application included a component whose license terms were being violated, no one outside the development team would know it was there. An SBOM is usually treated as confidential, but it is inevitably going to be exposed: it is created to be distributed to customers and regulators, and every copy in a supplier's or customer's systems is another place it can leak from. This exposure will lead to the emergence of legal actors looking to profit, just as we have seen with copyright and trademark trolls.
2025 Outlook
2025 will be a year of accelerated evolution for the Software Composition Analysis industry. We have already seen an influx of new entrants into the SCA space due to the SBOM requirements of regulatory standards in the US, the EU (most recently the Cyber Resilience Act) and beyond. However, we will now see just as many companies left behind as organizations realize the depth of the challenge of creating and managing SBOMs. SCA solutions that cannot address both security and license risk will have a difficult time. Existing SCA tools and new SBOM Management tools will have to demonstrate that they can do more than simply ingest and combine SBOMs: they will need to enable automated workflows that validate, verify, augment, store, and disseminate SBOM data.
At FossID, through our SCA tooling and professional services, we’re excited to meet these challenges head on with our clients and partners. What are your thoughts?