Cloudsmith Survey Reveals SBOM Gaps Ahead of EU Cyber Resilience Act

Severity: Medium (Score: 51.9)

Sources: Syncni, Itbrief

Summary

A recent Cloudsmith survey indicates that most engineering teams are unprepared for the EU Cyber Resilience Act's requirements regarding software bills of materials (SBOMs). Only 25% of engineering teams automatically generate and verify SBOMs at every build, while 74% would struggle to produce comprehensive reports for audits. The survey, which included 505 professionals from the US and UK, found that 44% experienced security incidents due to third-party dependencies in the past year. Additionally, 31% of respondents spend 10 hours or less monthly on validating AI-generated code, and only 17% are confident that AI does not introduce new vulnerabilities. The findings highlight significant operational burdens and risks associated with third-party dependencies and AI-generated code, especially with the impending regulatory demands of the Cyber Resilience Act, which requires detailed assessments within 48 hours of a breach.

Key Points

  • Only 25% of engineering teams automatically generate and verify SBOMs.
  • 44% of respondents experienced security incidents from third-party dependencies in the past year.
  • 31% spend 10 hours or less monthly on oversight of AI-generated code.

Key Entities

  • Supply Chain Attack (attack_type)
  • Sandworm_mode (campaign)
  • Shai Hulud 2.0 (campaign)
  • T1195 - Supply Chain Compromise (mitre_attack)
  • slopsquatting (vulnerability)