
SBOMs in 2026: Acknowledging the Gap Between Theory and Practice


These articles are AI-generated summaries. Please check the original sources for full details.

Know Your Software

Software Bills of Materials (SBOMs) were envisioned as a critical solution to software supply chain security issues, but experts disagree on their practical utility in 2026. While Docker has fully embraced SBOMs in its Hardened Images, achieving end-to-end verification and widespread adoption remains a significant challenge due to the dynamic nature of software ecosystems.

Why This Matters

The ideal of a complete and accurate SBOM – a comprehensive list of software components – clashes with the reality of incomplete data from open-source projects and the complexities of modern build processes. Inaccurate or late-generated SBOMs offer a false sense of security, potentially costing organizations significant resources in vulnerability remediation and incident response, with potential financial and reputational damage from supply chain attacks.

Key Insights

  • 69% of software developers cite a lack of knowledge or expertise as the top reason for failing to adopt SBOMs: Kloeg, Berend, et al., “Charting the Path to SBOM Adoption: A Business Stakeholder-Centric Approach”
  • SLSA (Supply-chain Levels for Software Artifacts) provides a framework for verifying build integrity: It’s gaining traction as a complementary approach to SBOMs, focusing on securing the build process itself.
  • AI Bills of Materials (AI BOMs) are emerging: Reflecting the need to track provenance and dependencies within AI systems, mirroring the principles of traditional SBOMs.

Practical Applications

  • Use Case: Docker utilizes SBOMs and SLSA Level 3 verification for its Hardened Images, ensuring minimal software components and a verifiable supply chain.
  • Pitfall: Generating SBOMs as a final build step can result in inaccurate manifests, providing a false sense of security and failing to reflect the actual software shipped.
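The pitfall above is easiest to see as a drift check: compare what the SBOM claims against an inventory of what is actually in the shipped artifact. The script below is an added example written for this summary; it is not Docker's tooling or code from the original article. The SBOM is a constructed, minimal CycloneDX-style JSON document, and the "observed" inventory is likewise constructed to stand in for the package metadata a scanner would read out of the final image.

```python
"""Detect drift between an SBOM and the components actually present in a shipped artifact.

Added example (not from the article or from Docker). Both the SBOM and the
observed inventory are constructed inline so the script runs offline.
"""
import json
from typing import Dict, List, Tuple

# Constructed SBOM: what the final build step claimed was shipped.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13"},
        {"type": "library", "name": "zlib", "version": "1.3.1"},
        {"type": "library", "name": "libxml2", "version": "2.12.6"},
    ],
})

# Constructed inventory: what a scan of the final artifact actually found.
# Deliberate drift: openssl is at a different version, libxml2 is absent,
# and curl is present but was never declared in the SBOM.
OBSERVED: List[Tuple[str, str]] = [
    ("openssl", "3.0.14"),
    ("zlib", "1.3.1"),
    ("curl", "8.6.0"),
]


def load_components(sbom_text: str) -> Dict[str, str]:
    """Map component name -> version from a CycloneDX-style SBOM document."""
    doc = json.loads(sbom_text)
    return {c["name"]: c["version"] for c in doc.get("components", [])}


def compare(sbom: Dict[str, str], observed: List[Tuple[str, str]]) -> Dict[str, list]:
    """Report components that are declared but absent (missing), present but
    undeclared, or present at a version other than the one declared."""
    seen = dict(observed)
    missing = sorted(name for name in sbom if name not in seen)
    undeclared = sorted(name for name in seen if name not in sbom)
    mismatched = sorted(
        (name, sbom[name], seen[name])
        for name in sbom
        if name in seen and sbom[name] != seen[name]
    )
    return {"missing": missing, "undeclared": undeclared, "mismatched": mismatched}


def sbom_is_accurate(sbom_text: str, observed: List[Tuple[str, str]]) -> bool:
    """True only when the SBOM describes exactly the observed component set."""
    report = compare(load_components(sbom_text), observed)
    return not any(report.values())


if __name__ == "__main__":
    report = compare(load_components(SBOM_JSON), OBSERVED)
    for kind, items in report.items():
        print(f"{kind}: {items}")
    print("accurate" if sbom_is_accurate(SBOM_JSON, OBSERVED) else "DRIFT DETECTED")
```

Run this as a release gate: if any of the three lists is non-empty, the SBOM was not produced from the build that actually shipped and should be regenerated from the build rather than patched by hand.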

