
Why Software Supply Chain Security Has Become a Top Priority

Problem

Modern software constantly changes as new features are added, bugs are fixed, and vulnerabilities are patched. Most people don’t realize that modern software isn’t built from scratch—it’s assembled from many smaller components, often developed by third parties and typically distributed as open-source software. These third-party open-source components now appear in roughly 97% of software products, boosting innovation but also increasing complexity and risk. Unfortunately, third-party components often receive limited security oversight, so when an issue emerges it can be exploited rapidly, particularly in widely used applications.

To counteract this lack of oversight, visibility and a deep understanding of software supply chain security are paramount. A Software Bill of Materials (SBOM) acts like a detailed ingredient list, enabling organizations to track, monitor, and secure each piece effectively.

The threat from software that carries vulnerabilities is real. It can lead to data breaches, operational disruptions, and even threats to human safety in critical sectors like healthcare, energy, and industrial automation. Comprehensive software monitoring is now a vital security requirement.

The widespread adoption of open-source software has accelerated innovation and reduced time to market for digital products, while simultaneously increasing exposure to risks in that software, such as vulnerabilities and adversarial supply chain attacks. A single compromised component can endanger numerous products, which highlights a shift in attacker strategy: find one weakness in a popular open-source package and affect the entire market that depends on it. This emphasizes the growing importance of SBOMs in cybersecurity practices.


Cybersecurity Attacks on Software

Several major cyber incidents in recent years have highlighted the risks associated with insecure third-party software components:

  • SolarWinds (2020): Attackers infiltrated SolarWinds’ software build process, distributing malicious updates to thousands of customers, including government agencies and Fortune 500 companies.
  • Log4Shell (2021): A critical vulnerability in the popular Log4j logging library that enabled attackers to execute code remotely on millions of devices worldwide. Although not initially a targeted attack, it was, and continues to be, widely exploited in the wild.
  • XZ Backdoor Incident (2023): Attackers built trust by contributing to the open-source XZ compression tool’s community over a period of two years, after which they inserted malicious code into the software, nearly compromising widely used Linux distributions—a global crisis narrowly averted.

These incidents demonstrate how vulnerabilities and compromised dependencies can bypass traditional security measures, significantly impacting operations, reputations, and national security.

Regulation

Software is increasingly being regulated globally through mandatory SBOM requirements. Governments and industry bodies are responding with new rules aimed at increasing transparency in software systems. SBOMs have emerged as a foundational requirement in many of these frameworks. An SBOM provides a detailed inventory of every component in a software product, including its origin, license, and known vulnerabilities.

Notable regulatory developments include:

  • U.S. FDA authority (2023) to require SBOMs for cybersecurity approval of medical devices.
  • EU Cyber Resilience Act mandates SBOMs for products with digital elements.
  • PCI DSS 4.0, effective in 2025, introduces SBOM requirements for custom software used in payment systems.
  • ETSI EN 303 645, a European IoT security standard, calls for SBOMs to support vulnerability management and timely issue response.
  • Automotive AUTO-ISAC promotes SBOM adoption to improve supply chain visibility, vulnerability management, and regulatory compliance across connected vehicle systems.
  • BSI TR-03813, a German guideline outlining use of SBOMs for software transparency and risk assessment in connected devices.

Organizations can meet these new mandates and increase the resilience of their products by documenting and analyzing software components and reducing exposure to known vulnerabilities.


Operational and Strategic Benefits of SBOMs

Beyond compliance, SBOMs provide clear operational value. They enable security and procurement teams to:

  • Identify and address vulnerabilities more quickly.
  • Evaluate software suppliers based on the quality and safety of their components.
  • Maintain real-time visibility over deployed software assets.

SBOMs allow for rapid triage during an incident, identifying which systems are affected and which are not. This improves response time for risk remediation and mitigation.
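As an added illustration (not code from this report or from Cybeats), the following Python script performs the triage described above over constructed CycloneDX-style SBOMs for three hypothetical systems and a constructed advisory whose id is a placeholder rather than a real CVE number: it reports which systems ship a component version inside the advisory’s affected range and which do not.

```python
import json

# Constructed CycloneDX-style SBOMs for three hypothetical systems.
SBOMS = {
    "billing-api": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "log4j-core", "version": "2.14.1"},
        {"name": "spring-core", "version": "5.3.8"},
    ]}),
    "reporting-ui": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "log4j-core", "version": "2.17.1"},
        {"name": "react", "version": "17.0.2"},
    ]}),
    "batch-worker": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "commons-io", "version": "2.11.0"},
    ]}),
}

# Constructed advisory: placeholder id (not a real CVE number) and an
# illustrative affected range, introduced <= version < fixed.
ADVISORY = {"id": "CVE-XXXX-PLACEHOLDER", "component": "log4j-core",
            "introduced": "2.0", "fixed": "2.15.0"}


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def is_affected(version, advisory):
    """True when introduced <= version < fixed; no 'fixed' means still open."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    fixed = advisory.get("fixed")
    return fixed is None or v < parse_version(fixed)


def triage(sboms, advisory):
    """Map each affected system to the vulnerable versions it ships."""
    hits = {}
    for system, raw in sboms.items():
        components = json.loads(raw).get("components", [])
        bad = [c["version"] for c in components
               if c.get("name") == advisory["component"]
               and is_affected(c.get("version", "0"), advisory)]
        if bad:
            hits[system] = bad
    return hits


if __name__ == "__main__":
    print(triage(SBOMS, ADVISORY))  # {'billing-api': ['2.14.1']}
```

Systems that carry the component at a fixed version (reporting-ui) or not at all (batch-worker) drop out of the result, which is exactly the "affected versus not affected" split an incident responder needs.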

Industry Context: The Rise of Supply Chain Security

The demand for SBOM solutions is growing across industries. Organizations managing critical infrastructure, such as power utilities and telecom companies, are incorporating SBOMs into their procurement and monitoring practices. Enterprises are beginning to assess software not just on features or cost but also on supply chain integrity and security.

As this sector evolves, vendors are developing platforms that help organizations create, manage, and use SBOMs in scalable ways by leveraging automation. Sophic Capital client Cybeats Technologies Corp. [CSE:CYBT, OTCQB:CYBCF] is building infrastructure that aligns software transparency with operational needs. Their platforms are designed to integrate into enterprise environments and provide continuous visibility across software lifecycles.

Looking Ahead

In 2024 alone, over 40,000 vulnerabilities were reported to the National Vulnerability Database, reflecting the growing fragility of digital infrastructure. SBOMs are no longer optional and are quickly becoming a non-negotiable element of modern cybersecurity strategy. They are part of a broader shift toward proactive cybersecurity and transparent risk management.

Coming up…

In Sophic Capital’s next report we’ll detail Sophic Capital client Cybeats Technologies Corp. [CSE:CYBT, OTCQB:CYBCF], a global leader in software supply chain security. We’ll look at Cybeats’ SBOM solutions and its competitive environment.


Disclosures

Cybeats Technologies Corp. [CSE:CYBT, OTCQB:CYBCF] has contracted Sophic Capital for capital markets advisory and investor relations services.

Disclaimers

The information and recommendations made available through our emails, newsletters, website and press releases (collectively referred to as the “Material”) by Sophic Capital Inc. (“Sophic” or “Company”) is for informational purposes only and shall not be used or construed as an offer to sell or be used as a solicitation of an offer to buy any services or securities. In accessing or consuming the Materials, you hereby acknowledge that any reliance upon any Materials shall be at your sole risk. None of the information provided in our monthly newsletter and emails or any other Material should be viewed as an invite, and/or induce or encourage any person to make any kind of investment decision. The recommendations and information provided in our Material are not tailored to the needs of particular persons and may not be appropriate for you depending on your financial position or investment goals or needs. You should apply your own judgment in making any use of the information provided in the Company’s Material, especially as the basis for any investment decisions. Securities or other investments referred to in the Materials may not be suitable for you and you should not make any kind of investment decision in relation to them without first obtaining independent investment advice from a qualified and registered investment advisor. You further agree that neither Sophic, its directors, officers, shareholders, employees, affiliates, consultants, and/or clients will be liable for any losses or liabilities that may be occasioned as a result of the information provided in any of the Material. By accessing Sophic’s website and signing up to receive the Company’s monthly newsletter or any other Material, you accept and agree to be bound by and comply with the terms and conditions set out herein. If you do not accept and agree to the terms, you should not use the Company’s website or accept the terms and conditions associated with the newsletter signup.
Sophic is not registered as an adviser or dealer under the securities legislation of any jurisdiction of Canada or elsewhere and provides Material on behalf of its clients pursuant to an exemption from the registration requirements that is available in respect of generic advice. In no event will Sophic be responsible or liable to you or any other party for any damages of any kind arising out of or relating to the use of, misuse of and/or inability to use the Company’s website or Material. The information is directed only at persons resident in Canada. The Company’s Material or the information provided in the Material shall not in any form constitute an offer or solicitation to anyone in the United States of America or any jurisdiction where such offer or solicitation is not authorized or to any person to whom it is unlawful to make such a solicitation. If you choose to access Sophic’s website and/or have signed up to receive the Company’s monthly newsletter or any other Material, you acknowledge that the information in the Material is intended for use by persons resident in Canada only. Sophic is not an investment advisor, nor does it maintain any registrations as such, and Material provided by Sophic shall not be used to make investment decisions. Information provided in the Company’s Material is often opinionated and should be considered for information purposes only. No stock exchange or securities regulatory authority anywhere has approved or disapproved of the information contained herein. There is no express or implied solicitation to buy or sell securities. Sophic and/or its principals and employees may have positions in the stocks mentioned in the Company’s Material and may trade in the stocks mentioned in the Material. Do not consider buying or selling any stock without conducting your own due diligence and/or without obtaining independent investment advice from a qualified and registered investment advisor.
The Company has not independently verified any of the data from third party sources referred to in the Material, including information provided by Sophic clients that are the subject of the report, or ascertained the underlying assumptions relied upon by such sources. The Company does not assume any responsibility for the accuracy or completeness of this information or for any failure by any such other persons to disclose events which may have occurred or may affect the significance or accuracy of any such information.

The Material may contain forward looking information. Forward-looking statements are frequently, but not always, identified by words such as “expects,” “anticipates,” “believes,” “intends,” “estimates,” “potential,” “possible,” “projects,” “plans,” and similar expressions, or statements that events, conditions or results “will,” “may,” “could,” or “should” occur or be achieved or their negatives or other comparable words and include, without limitation, statements regarding projected revenue, income or earnings or other results of operations, strategy, plans, objectives, goals and targets, plans to increase market share or with respect to anticipated performance compared to competitors, product development and adoption by potential customers. These statements relate to future events and future performance. Forward-looking statements are based on opinions and assumptions as of the date made and are subject to a variety of risks and other factors that could cause actual events/results to differ materially from these forward-looking statements. There can be no assurance that such expectations will prove to be correct; these statements are no guarantee of future performance and involve known and unknown risks, uncertainties and other factors. Sophic provides no assurance as to future results, performance, or achievements and no representations are made that actual results achieved will be as indicated in the forward-looking information. Nothing herein can be assumed or predicted, and you are strongly encouraged to learn more and seek independent advice before relying on any information presented.