Software teams rarely question the building blocks they reuse every day. Once a component runs reliably, it tends to stay in place, even as teams lose track of how it was assembled or what it includes.

Twenty years ago, cybersecurity was a slower game. Firewalls and signature databases were enough to keep most attackers out. Threats, for the most part, moved predictably. Updates were scheduled, and downtime was expected.

A software bill of materials (SBOMs) has been touted as a critical tool in solving software supply-chain security issues, but the rapid change of software ecosystems and the complexity of creating an end-to-end verified chain of code continue to foil widespread adoption.