OWASP Expands SBOM Capabilities, Accelerating Innovation and Supply Chain Risk Reduction

OWASP CycloneDX v1.4 Now Available

Wakefield, Massachusetts, Jan 12, 2022 (Issuewire.com) - OWASP today launched an updated version of the CycloneDX Software Bill of Materials (SBOM) standard. CycloneDX version 1.4 adds significant new cybersecurity capabilities aimed at driving innovation and increasing the operational efficiency of SBOM across the software supply chain.

With this release, CycloneDX adds the ability to communicate vulnerabilities, and whether they are actually exploitable, for the software defined in a bill of materials. This capability, known as Vulnerability Exploitability Exchange (VEX), works alongside the SBOM inventory to form a comprehensive view of possible risk. The combination of SBOM and VEX can significantly reduce the effort and cost associated with vulnerability management, because consumers can focus on the findings a supplier has assessed as exploitable rather than on every vulnerability known for every component.

VEX is an integral part of the CycloneDX standard, providing the convenience of leveraging a single format and toolchain. Automated analysis of CycloneDX SBOMs and VEX is further made possible by a formal Uniform Resource Name (URN) namespace, currently in review by IETF, which will provide deep-linking capabilities between SBOMs and VEX.
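The two paragraphs above describe the capability at a high level: a CycloneDX 1.4 document can carry both the component inventory and a `vulnerabilities` array whose `analysis` block states exploitability, and a `urn:cdx:` BOM-Link identifies an entry in a specific BOM version. The following is an added example written for this page, not code from OWASP or the CycloneDX project. It constructs a small illustrative 1.4 JSON document (the component names, UUID and `EXAMPLE-*` advisory identifiers are made up) and shows how a consumer can use the VEX analysis state to separate findings that still need action from those the supplier has assessed as not affected, building the BOM-Link for each actionable finding.

```python
import json

# Constructed sample: a CycloneDX 1.4 JSON BOM that carries both the component
# inventory (SBOM) and a vulnerabilities array (VEX). Component names, the UUID
# and the EXAMPLE-* advisory identifiers are illustrative, not real data.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/org.example/parser@2.3.1",
         "name": "parser", "version": "2.3.1",
         "purl": "pkg:maven/org.example/parser@2.3.1"},
        {"type": "library", "bom-ref": "pkg:maven/org.example/netio@1.0.0",
         "name": "netio", "version": "1.0.0",
         "purl": "pkg:maven/org.example/netio@1.0.0"},
    ],
    "vulnerabilities": [
        # Supplier assessed: vulnerable code path is not reachable in this product.
        {"id": "EXAMPLE-0001", "source": {"name": "example-advisory-db"},
         "ratings": [{"severity": "high", "method": "other"}],
         "analysis": {"state": "not_affected",
                      "justification": "code_not_reachable",
                      "detail": "Vulnerable XML path is never invoked."},
         "affects": [{"ref": "pkg:maven/org.example/parser@2.3.1"}]},
        # Supplier assessed: exploitable, fix is to update.
        {"id": "EXAMPLE-0002", "source": {"name": "example-advisory-db"},
         "ratings": [{"severity": "critical", "method": "other"}],
         "analysis": {"state": "exploitable", "response": ["update"],
                      "detail": "Reachable from the public listener."},
         "affects": [{"ref": "pkg:maven/org.example/netio@1.0.0"}]},
        # No analysis block at all: nobody has triaged it yet.
        {"id": "EXAMPLE-0003", "source": {"name": "example-advisory-db"},
         "ratings": [{"severity": "medium", "method": "other"}],
         "affects": [{"ref": "pkg:maven/org.example/netio@1.0.0"}]},
    ],
})

# CycloneDX 1.4 analysis states under which no further action is required.
# Anything else (exploitable, in_triage, or a missing analysis) stays on the list.
NOT_EXPLOITABLE = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}

# Ordering used to sort actionable findings, most severe first.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3,
                 "info": 4, "none": 5, "unknown": 6}


def bom_link(bom: dict, ref: str) -> str:
    """Build a CycloneDX BOM-Link: urn:cdx:<uuid>/<bom version>#<bom-ref>.
    The serialNumber's 'urn:uuid:' prefix is dropped, per the BOM-Link format."""
    uuid = bom["serialNumber"].removeprefix("urn:uuid:")
    return f"urn:cdx:{uuid}/{bom['version']}#{ref}"


def _load(bom_json: str) -> dict:
    bom = json.loads(bom_json)
    if bom.get("bomFormat") != "CycloneDX" or bom.get("specVersion") != "1.4":
        raise ValueError("expected a CycloneDX 1.4 document")
    return bom


def _findings(bom: dict):
    """Yield one record per (vulnerability, affected component) pair."""
    components = {c["bom-ref"]: c for c in bom.get("components", []) if "bom-ref" in c}
    for vuln in bom.get("vulnerabilities", []):
        analysis = vuln.get("analysis", {})
        ratings = vuln.get("ratings", [])
        severity = ratings[0].get("severity", "unknown") if ratings else "unknown"
        for target in vuln.get("affects", []):
            ref = target["ref"]
            comp = components.get(ref)
            yield {
                "id": vuln.get("id"),
                "state": analysis.get("state", "in_triage"),  # absent analysis == untriaged
                "justification": analysis.get("justification"),
                "response": analysis.get("response", []),
                "severity": severity,
                "component": f"{comp['name']}@{comp['version']}" if comp else ref,
                "bom_link": bom_link(bom, ref),
            }


def actionable_findings(bom_json: str) -> list:
    """Findings the consumer still has to deal with, most severe first."""
    found = [f for f in _findings(_load(bom_json)) if f["state"] not in NOT_EXPLOITABLE]
    return sorted(found, key=lambda f: SEVERITY_RANK.get(f["severity"], 99))


def suppressed_findings(bom_json: str) -> list:
    """Findings the supplier's VEX analysis says need no action, with the reason."""
    return [f for f in _findings(_load(bom_json)) if f["state"] in NOT_EXPLOITABLE]


if __name__ == "__main__":
    for f in actionable_findings(SAMPLE_BOM):
        print(f"ACT  {f['severity']:<8} {f['id']} {f['component']} state={f['state']} {f['bom_link']}")
    for f in suppressed_findings(SAMPLE_BOM):
        print(f"SKIP {f['severity']:<8} {f['id']} {f['component']} {f['state']}/{f['justification']}")
```

Two design points worth noting. A vulnerability with no `analysis` block is treated as `in_triage`, not as safe: the absence of a VEX statement is the untriaged default, and silently dropping such findings would defeat the purpose of the exchange. The supplier's `not_affected` verdict is also kept (with its `justification`) rather than discarded, because a consumer should be able to audit why a high-severity finding was suppressed, and a justification such as `code_not_reachable` may stop being true once the consumer's own deployment changes.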

“VEX is the biggest contextual information gap for widespread and efficient SBOM transparency across the software supply chain,” said Patrick Dwyer, co-lead of the CycloneDX Core Working Group. “Today, we are introducing new capabilities for suppliers to accurately and efficiently communicate third party component vulnerability risks in the context of their assembled software, systems, and embedded devices.”

The CycloneDX standard exceeds the Minimum Elements for Software Bill of Materials as defined by the National Telecommunications and Information Administration (NTIA). Adopting CycloneDX allows organizations to quickly meet these minimum requirements and mature into using more sophisticated use cases over time.

“We’ve had tremendous support from the community in the development of version 1.4,” said Steve Springett, co-lead and Chair of the CycloneDX Core Working Group. “The advancements made in this release provide a springboard to further adoption, innovation, and help to reduce risk in the global software supply chain.”

CycloneDX is a modern bill of materials standard supporting SBOM, SaaSBOM, and a wide range of other uses. With today’s launch, CycloneDX also adds enhanced support for hardware devices, bridging the gap between traditional SBOMs and IoT, ICS, and other embedded systems.

Discover the many capabilities that CycloneDX provides at https://cyclonedx.org/capabilities/.


Media Contact

Steve Springett *****@owasp.org 7739982050 401 Edgewater Place, Suite 600 https://owasp.org/

Source : OWASP

Categories : Computers , Open source , Security , Software , Technology
Tags : sbom , bom , saasbom , vex , cscrm , owasp , vulnerability-management , opensource , standard , cybersecurity

OWASP Foundation

The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. The OWASP Foundation is a 501(c)(3) not-for-profit charitable organization that ensures the ongoing availability and support for our work.
steve.springett@owasp.org
Delaware, Wilmington
19801
https://owasp.org/