What's Happening?
Software Bills of Materials (SBOMs) and Vulnerability Exploitability eXchange (VEX) declarations were introduced to strengthen software supply chain security: an SBOM lists the components a piece of software is built from, and a VEX statement says whether a known vulnerability in one of those components is actually exploitable in that product. Despite these measures, supply chain attacks have increased significantly. In March 2026, two major supply chain attacks involving Trivy and Axios affected tens of thousands of organizations. Independent security researcher Devashri Datta argues that the problem is not a lack of data but how that data is interpreted and turned into decisions. The critical gap is the absence of a unified governance layer that interprets how an SBOM changes over time. Inconsistent issuance and receipt of updated SBOMs, together with the uneven quality of VEX statements, compound the problem.
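The governance gap described above (no consistent way to interpret SBOM changes over time, and VEX statements of uneven quality) can be made concrete. The following is an added example, not code from the article, from Devashri Datta, or from any SBOM or VEX tool. It diffs two constructed CycloneDX-style SBOM snapshots, overlays a constructed VEX document, and records one decision with a stated reason per VEX claim. Field names follow CycloneDX; the vulnerability IDs VULN-A to VULN-C are placeholders, not real advisories, and the decision policy in `decide()` is an assumption for illustration.

```python
"""SBOM diff plus VEX overlay with an auditable decision per claim.

Added example, not code from the article or from any SBOM/VEX tool. The two SBOM
snapshots and the VEX document are constructed for the example and use CycloneDX
field names (components[].purl, vulnerabilities[].affects[].ref, analysis.state,
analysis.justification). Vulnerability IDs VULN-A..VULN-C are placeholders, not
real advisories, and the decision policy in decide() is an assumption.
"""
import json

# Constructed SBOM snapshot 1 (trimmed CycloneDX JSON).
SBOM_V1 = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"name": "axios",  "version": "1.6.0",   "purl": "pkg:npm/axios@1.6.0"},
  {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"}]}
""")

# Constructed SBOM snapshot 2: axios bumped, left-pad newly introduced.
SBOM_V2 = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"name": "axios",    "version": "1.7.0",   "purl": "pkg:npm/axios@1.7.0"},
  {"name": "lodash",   "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
  {"name": "left-pad", "version": "1.3.0",   "purl": "pkg:npm/left-pad@1.3.0"}]}
""")

# Constructed VEX: one well-justified claim, one unjustified claim, and one
# claim that still points at the axios version the new SBOM no longer contains.
VEX = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.5", "vulnerabilities": [
  {"id": "VULN-A", "affects": [{"ref": "pkg:npm/lodash@4.17.21"}],
   "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
  {"id": "VULN-B", "affects": [{"ref": "pkg:npm/left-pad@1.3.0"}],
   "analysis": {"state": "not_affected"}},
  {"id": "VULN-C", "affects": [{"ref": "pkg:npm/axios@1.6.0"}],
   "analysis": {"state": "exploitable"}}]}
""")

# CycloneDX justification values accepted here as a reason to close a finding.
VALID_JUSTIFICATIONS = {
    "code_not_present", "code_not_reachable", "requires_configuration",
    "requires_dependency", "requires_environment", "protected_by_compiler",
    "protected_at_runtime", "protected_at_perimeter", "protected_by_mitigating_control",
}


def component_versions(sbom):
    """Map versionless purl -> version, e.g. 'pkg:npm/axios' -> '1.6.0'."""
    return {c["purl"].rsplit("@", 1)[0]: c["version"] for c in sbom.get("components", [])}


def current_purls(sbom):
    """Exact purls (including version) present in a snapshot."""
    return {c["purl"] for c in sbom.get("components", [])}


def diff_sboms(old, new):
    """What changed between two snapshots: new, dropped and re-versioned packages."""
    a, b = component_versions(old), component_versions(new)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "changed": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
    }


def index_vex(vex):
    """(vulnerability id, affected purl) -> analysis block."""
    return {(v["id"], a["ref"]): v.get("analysis", {})
            for v in vex.get("vulnerabilities", []) for a in v.get("affects", [])}


def decide(vuln_id, purl, vex_idx, purls_now):
    """Return (action, reason). Anything VEX cannot justify closing stays open."""
    if purl not in purls_now:
        return "stale", "VEX references a component version not in the current SBOM"
    analysis = vex_idx.get((vuln_id, purl))
    if analysis is None:
        return "investigate", "no VEX statement for this vulnerability/component pair"
    state = analysis.get("state")
    if state == "exploitable":
        return "patch", "VEX state exploitable"
    if state in ("not_affected", "false_positive"):
        just = analysis.get("justification")
        if just in VALID_JUSTIFICATIONS:
            return "suppress", f"{state} with justification {just}"
        return "investigate", f"{state} without a recognized justification"
    return "investigate", f"VEX state {state!r} does not close the finding"


def review(old_sbom, new_sbom, vex):
    """Combine the SBOM diff with one recorded decision per VEX claim."""
    idx, now = index_vex(vex), current_purls(new_sbom)
    return {
        "changes": diff_sboms(old_sbom, new_sbom),
        "decisions": [(vid, ref, *decide(vid, ref, idx, now)) for vid, ref in idx],
    }


if __name__ == "__main__":
    result = review(SBOM_V1, SBOM_V2, VEX)
    print("changes:", result["changes"])
    for vid, ref, action, reason in result["decisions"]:
        print(f"{vid} {ref}: {action} ({reason})")
```

Two design choices carry the point. A `not_affected` claim with no recognized justification is not trusted to close a finding, which is how uneven VEX quality shows up in practice. And a VEX claim bound to a component version that the current SBOM no longer contains is reported as stale rather than silently applied, because a supplier who ships a new SBOM without re-issuing VEX has left the consumer with no valid exploitability statement for the new version.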
Why It's Important?
The rise in supply chain attacks is a significant threat, affecting many organizations at once and potentially leading to data breaches and financial losses. That SBOMs and VEX have not, on their own, contained these attacks underscores the need for better decision-making frameworks and governance around the data they provide. As regulatory pressure increases, organizations must adapt to stay compliant and protect their supply chains. The current situation highlights the importance of a unified decision intelligence approach that delivers consistent, auditable decisions across the software lifecycle. Without it, organizations remain exposed to rapidly evolving threats, made worse by advanced AI models that shorten the time from vulnerability discovery to exploitation.
What's Next?
Organizations are likely to face growing regulatory demands for supply chain transparency and security. Meeting them may mean adopting governance models that fold SBOMs, VEX, and third-party disclosures into one cohesive decision-making framework. Security teams will need to produce security decisions that are explainable and defensible, both to satisfy regulators and to withstand future attacks. As the threat landscape evolves, expect a push for more robust security measures and for closer collaboration between the private sector and government to address these challenges.