- Title: Securing the Software Supply Chain by Solving the Lemons Market
- Abstract: The Software Bill of Materials (SBOM) is a list of a product's software components; it can be used to identify any documented vulnerability associated with the enumerated dependencies. Analogies have been made to materials safety data sheets, or to allergens listed on nutrition labels. How can such a simple document play a role in securing the software supply chain? We argue that SBOMs have the potential to go a long way toward resolving the security lemons problem. We introduce the SBOM and illustrate how it can support decision-making in procurement and in code development. We frame this argument using summaries of empirical results. First, we show that the information in SBOMs aligns with purchaser interests. Second, we illustrate that SBOMs contain data that purchasers of software consider important, which implies that developers may have an incentive to use SBOMs to create more secure code. Third, we step back and discuss consumer preferences: if the lemons market were resolved, would consumers pay for security? We close with a brief summary of results showing that security-aware consumers will pay more for security, in this case leveraging the U.S. Cyber Trust Mark.
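The abstract's opening claim, that an SBOM lets a purchaser identify documented vulnerabilities in enumerated dependencies, is mechanically simple. The following added example (not code from the talk or its author) parses a constructed, CycloneDX-style SBOM, extracts each component's package URL, and cross-references it against a constructed advisory list. All package names, versions and advisory identifiers are placeholders; the version comparison assumes plain dotted integers, whereas real matching tools apply ecosystem-specific version semantics.

```python
"""Added example: match SBOM components against an advisory list.

The SBOM document and the advisory entries below are constructed for
illustration. Package names and advisory IDs are placeholders, not real
identifiers.
"""
import json

# Constructed minimal SBOM in the style of CycloneDX JSON (not a real product's SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-json-parser", "version": "2.3.1",
     "purl": "pkg:pypi/example-json-parser@2.3.1"},
    {"type": "library", "name": "example-http-client", "version": "0.9.0",
     "purl": "pkg:pypi/example-http-client@0.9.0"},
    {"type": "library", "name": "example-crypto-lib", "version": "1.4.2",
     "purl": "pkg:pypi/example-crypto-lib@1.4.2"}
  ]
}
"""

# Constructed advisory feed: affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-0001", "ecosystem": "pypi", "package": "example-http-client",
     "introduced": "0.0.0", "fixed": "1.0.0", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-0002", "ecosystem": "pypi", "package": "example-crypto-lib",
     "introduced": "1.0.0", "fixed": "1.4.0", "severity": "critical"},
]


def parse_version(version):
    """Assumption: versions are dotted integers ("1.4.2"); compared as tuples."""
    return tuple(int(part) for part in version.split("."))


def parse_purl(purl):
    """Split 'pkg:type/name@version' into (type, name, version).

    Assumption: no namespace, qualifiers or subpath in the purl.
    """
    body = purl[len("pkg:"):]
    ecosystem, rest = body.split("/", 1)
    name, version = rest.rsplit("@", 1)
    return ecosystem, name, version


def load_components(sbom_json):
    """Return the SBOM's components as dicts keyed by ecosystem, name, version."""
    doc = json.loads(sbom_json)
    components = []
    for comp in doc.get("components", []):
        ecosystem, name, version = parse_purl(comp["purl"])
        components.append({"ecosystem": ecosystem, "name": name, "version": version})
    return components


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed under the dotted-integer ordering."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def match_advisories(components, advisories):
    """Cross-reference each component against every advisory for its ecosystem."""
    findings = []
    for comp in components:
        for adv in advisories:
            same_package = (adv["ecosystem"] == comp["ecosystem"]
                            and adv["package"] == comp["name"])
            if same_package and is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": f"{comp['name']}@{comp['version']}",
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                })
    return findings


def scan_sbom(sbom_json, advisories=ADVISORIES):
    """Parse an SBOM and return the list of matched advisories."""
    return match_advisories(load_components(sbom_json), advisories)


if __name__ == "__main__":
    for finding in scan_sbom(SBOM_JSON):
        print(f"{finding['severity'].upper():8} {finding['component']} -> {finding['advisory']}")
```

Run as written, the scan flags only example-http-client 0.9.0: example-crypto-lib 1.4.2 sits past the advisory's fixed version, so a purchaser comparing two vendors' SBOMs can see at a glance which one shipped the patched dependency. That difference in observable quality is exactly the information a lemons market lacks.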

Speaker: L Jean Camp
- Provost Professor
- Luddy School of Informatics, Computing, and Engineering
- Indiana University
L. Jean Camp is a Professor of Informatics and Computer Science in the School of Informatics and Computer Science at Indiana University. She has recently been selected as a member of the National Academy of Artificial Intelligence. She is a Fellow of the American Association for the Advancement of Science, a Fellow of ACM, a Fellow of the Institute of Electrical and Electronics Engineers, and has been inducted into the Sigma Xi honor society. She joined Indiana after eight years at Harvard's Kennedy School, where her courses were also listed in Harvard Law, Harvard Business, and the Engineering Systems Division of MIT. She spent the year after earning her doctorate from Carnegie Mellon as a Senior Member of the Technical Staff at Sandia National Laboratories. She began her career as an engineer at Catawba Nuclear Station with an MSEE from the University of North Carolina at Charlotte.