Securing the Software Supply Chain by Solving the Lemons Market
L Jean Camp
Professor of Informatics and Computer Science
Luddy School of Informatics, Computing, and Engineering
Indiana University.
April 17, 11am, WWH 335
The Software Bill of Materials (SBOM) is a list of components that can be used to identify any documented vulnerability associated with the enumerated dependencies. Analogies have been made to safety, as with material safety data sheets, or with the allergens listed on general nutrition labels. How can such a simple document play a role in securing the software supply chain? We argue that SBOMs have the potential to significantly resolve the security lemons problem. I introduce the SBOM and illustrate how it can be used to support decision-making in procurement and in code development. I frame this argument using summaries of empirical results: first, showing that the information in SBOMs aligns with consumer interest. Second, we illustrate that the SBOM contains data that purchasers of software find important. This implies that developers may have an incentive to use SBOMs to create more secure code. Third, we report results showing that security-aware consumers will pay more for security, in this case leveraging the U.S. Cyber Trust Mark. SBOMs may offer an effective and critical step in resolving the security lemons market and securing the software supply chain.
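The abstract's first sentence describes the SBOM as an enumeration of dependencies that can be matched against documented vulnerabilities. The example below (added here, not part of the talk or any real tool) does exactly that with a constructed CycloneDX-style SBOM and a constructed advisory list using placeholder identifiers; it also flags the case that makes such matching impossible, a component listed without a version.

```python
import json

# Constructed CycloneDX-style SBOM (JSON) for illustration; not from any real product.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.2.3"},
    {"type": "library", "name": "libbar", "version": "2.0.1"},
    {"type": "library", "name": "libbaz", "version": "0.9.0"},
    {"type": "library", "name": "libqux"}
  ]
}"""

# Constructed advisory list with placeholder ids: a package is affected when
# introduced <= version < fixed (the range form commonly used by advisory feeds).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "libfoo", "introduced": "1.0.0", "fixed": "1.2.4"},
    {"id": "ADV-PLACEHOLDER-2", "name": "libbar", "introduced": "2.1.0", "fixed": "2.1.5"},
    {"id": "ADV-PLACEHOLDER-3", "name": "libbaz", "introduced": "0.0.0", "fixed": "1.0.0"},
]


def parse_version(v):
    """'1.2.3' -> (1, 2, 3); non-numeric parts compare as 0 (dotted versions only)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def load_components(sbom_text):
    """Return (name, version-or-None) for every component enumerated in the SBOM."""
    bom = json.loads(sbom_text)
    return [(c["name"], c.get("version")) for c in bom.get("components", [])]


def assess(components, advisories):
    """Match enumerated dependencies against advisories.

    Returns (affected, unassessable): affected holds (name, version, advisory id)
    triples; unassessable lists components with no version in the SBOM, which
    cannot be checked against a version range at all.
    """
    affected, unassessable = [], []
    for name, version in components:
        if version is None:
            unassessable.append(name)
            continue
        v = parse_version(version)
        for adv in advisories:
            in_range = parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"])
            if adv["name"] == name and in_range:
                affected.append((name, version, adv["id"]))
    return affected, unassessable
```

Running `assess(load_components(SBOM_JSON), ADVISORIES)` reports libfoo and libbaz as affected, libbar as clean, and libqux as unassessable; in practice that last category is the procurement signal an incomplete SBOM gives a buyer.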
L Jean Camp is a Professor of Informatics and Computer Science in the Luddy School of Informatics, Computing, and Engineering at Indiana University. She is a Fellow of the Institute of Electrical and Electronics Engineers, a Fellow of the American Association for the Advancement of Science, and a Fellow of the ACM. Jean Camp began her studies in electrical engineering and mathematics at the University of North Carolina at Charlotte. After graduating, she was an engineer at the Catawba Nuclear facility, where she oversaw emergency systems and in-core thermocouples. She returned to graduate school, earning an MSEE at UNCC. She was accepted to the Department of Engineering and Public Policy at Carnegie Mellon, graduating with one of the early dissertations on monetary transactions on the Internet. She then became a Senior Member of the Technical Staff at Sandia National Laboratories in Livermore. A short year later, as Internet commerce's promise became a booming reality, Harvard's Kennedy School recruited her. While at Harvard she was also a research affiliate in the Advanced Network Architecture Group at MIT. She joined the newly formed School of Informatics at Indiana University in Bloomington (IUB) to found the now thriving cybersecurity group.