OWASP Foundation Joins Ecma International to Drive Software Transparency and Standardization of OWASP CycloneDX

12 October 2023

The OWASP Foundation, the global non-profit organization dedicated to improving the security of software, is thrilled to announce its membership in Ecma International, a leading standards development organization. The affiliation and activities aim to promote software transparency, foster innovation, and pave the way for OWASP flagship projects to become international standards, benefiting the entire software development community.

By joining Ecma, the OWASP Foundation is taking a significant step towards ensuring that software security and transparency remain at the forefront of modern development practices. Ecma, renowned for its role in establishing widely adopted standards, brings decades of expertise in shaping the future of technology.

“It is vital that we understand the risks inherent in our software supply chain, and SBOMs are a critical tool towards achieving this. Standardization of SBOMs is key to making them ubiquitous, and CycloneDX is the clear choice to build that standard on,” said Grant Ongers, Chair of the OWASP Foundation Global Board. “OWASP is very pleased to be collaborating with Ecma International to achieve that goal.”

OWASP CycloneDX, an open standard for software bill of materials (SBOM), plays a crucial role in enhancing the transparency of software components. This engagement will enable OWASP CycloneDX to reach a broader audience and drive industry-wide adoption, and it aligns with the overall mission of delivering specifications that support holistic software and system transparency.

“We are delighted to welcome OWASP as a member of Ecma and look forward to new activities, and I am confident that with their insights and experience our initiatives will reach new heights,” said Samina Husain, Secretary General of Ecma International. “We understand that the strength of open-source software lies in collaboration and community-driven efforts, and together we are committed to advancing the CycloneDX specification, open-source security software and industry standards.”

A technical committee within Ecma (TC54) is being established and chartered with advancing CycloneDX and complementary specifications that promote software and system transparency. Among the specifications also being considered by TC54 is Package URL (PURL), a decentralized identification system for open source and commercial software that CycloneDX has supported since its inception.

“PURL standardizes software identification to make software license compliance easier and improve cybersecurity with the interoperability of SCA and SBOM tools,” said Philippe Ombredanne, CTO of nexB and core maintainer of PURL, ScanCode, and other AboutCode projects. “Developed by the open source community, PURL identifies software packages across programming languages, package managers, packaging conventions, tools, APIs, and databases, and is in active use by Fortune 500s and startups alike.”
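To make the two preceding paragraphs concrete, here is an added example (not code from OWASP, Ecma, the CycloneDX project or the PURL maintainers) that parses Package URLs following the public purl-spec grammar `pkg:type/namespace/name@version?qualifiers#subpath`, re-serializes them into a canonical form so that two tools can agree on whether they are describing the same package, and places them into the `purl` field of minimal CycloneDX JSON components. The sample PURLs and the `specVersion` value are constructed for illustration; type-specific name normalization rules (for example PyPI case folding) are deliberately left out and noted in a comment.

```python
"""Parse PURLs and emit minimal CycloneDX JSON components (added example).

Implements the generic purl-spec grammar:
    pkg:type/namespace/name@version?qualifiers#subpath
Type-specific normalization (e.g. PyPI lowercasing names) is NOT applied here;
real SCA/SBOM tools must add those rules per package type.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import quote, unquote


@dataclass
class Purl:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None

    def canonical(self) -> str:
        """Re-serialize so equivalent PURLs compare equal as strings."""
        out = "pkg:" + self.type
        if self.namespace:
            out += "/" + "/".join(quote(s, safe="") for s in self.namespace.split("/"))
        out += "/" + quote(self.name, safe="")
        if self.version:
            out += "@" + quote(self.version, safe="")
        if self.qualifiers:  # spec: qualifiers are sorted by key in canonical form
            out += "?" + "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(self.qualifiers.items()))
        if self.subpath:
            out += "#" + self.subpath
        return out


def parse_purl(purl: str) -> Purl:
    """Split a PURL into its components, decoding percent-encoded parts."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl (missing 'pkg:' scheme): {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")  # 'pkg://' and 'pkg:' are equivalent

    # Peel off the trailing parts first (subpath, then qualifiers, then version)
    # so that '@', '?' or '#' inside later parts cannot confuse earlier ones.
    subpath = None
    if "#" in rest:
        rest, raw = rest.split("#", 1)
        segs = [unquote(s) for s in raw.strip("/").split("/") if s not in ("", ".", "..")]
        subpath = "/".join(segs) or None

    qualifiers: Dict[str, str] = {}
    if "?" in rest:
        rest, raw = rest.split("?", 1)
        for pair in raw.split("&"):
            key, _, value = pair.partition("=")
            if key and value:  # an empty value means the qualifier is absent
                qualifiers[key.lower()] = unquote(value)

    version = None
    if "@" in rest:
        rest, raw = rest.rsplit("@", 1)
        version = unquote(raw)

    segments = [s for s in rest.split("/") if s]
    if len(segments) < 2:
        raise ValueError(f"purl needs at least a type and a name: {purl!r}")
    ptype = segments[0].lower()  # type is case-insensitive; canonical form is lowercase
    name = unquote(segments[-1])
    namespace = "/".join(unquote(s) for s in segments[1:-1]) or None
    return Purl(ptype, name, namespace, version, qualifiers, subpath)


def to_cyclonedx_component(purl_str: str) -> dict:
    """Build a minimal CycloneDX component carrying the canonical PURL."""
    p = parse_purl(purl_str)
    component = {"type": "library", "name": p.name, "purl": p.canonical()}
    if p.namespace:
        component["group"] = p.namespace
    if p.version:
        component["version"] = p.version
    return component


def build_bom(purls) -> dict:
    """Assemble a minimal CycloneDX JSON BOM (specVersion chosen for the example)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": [to_cyclonedx_component(p) for p in purls],
    }


# Constructed sample input: the same package identified by two differently
# written PURLs plus a few other ecosystems.
SAMPLE_PURLS = [
    "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar",
    "pkg:npm/%40angular/core@12.0.0",
    "pkg:PyPI/requests@2.31.0",
    "pkg:golang/github.com/gorilla/mux@v1.8.0#subdir",
]

if __name__ == "__main__":
    print(json.dumps(build_bom(SAMPLE_PURLS), indent=2))
```

Canonicalization is the part that matters for interoperability: `pkg:PyPI/requests@2.31.0` and `pkg:pypi/requests@2.31.0` parse to the same components and serialize to the same string, so an SCA tool and an SBOM consumer that both canonicalize before comparing will agree on package identity.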

The OWASP Foundation and members of Ecma International are committed to working together to create a safer and more secure software ecosystem, by developing and standardizing the OWASP CycloneDX format and encouraging its adoption by developers and organizations worldwide, so they can benefit from the advantages of software transparency and standardized practices.

About the OWASP Foundation

The Open Worldwide Application Security Project (OWASP) is a nonprofit organization that works to improve the security of software. Through community-led open source software projects, over 260 local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web. For nearly two decades corporations, foundations, developers, and volunteers have supported the OWASP Foundation and its work. To learn more or to become a member, visit https://owasp.org.

About Ecma International

Ecma International is a not-for-profit industry association of technology developers, vendors, and users founded in 1961 and dedicated to the standardization of Information and Communication Technology (ICT) and Consumer Electronics (CE). For over 60 years Ecma has actively contributed to worldwide standardization in information technology and telecommunications. More than 400 Ecma Standards and 100 Technical Reports of high quality have been published, more than two-thirds of which have also been adopted as International Standards and/or Technical Reports.

CycloneDX Supporters

Apiiro
Contrast Security
Ecma International
Fortress Information Security
IBM
IonChannel
Kondukto
Lockheed Martin
NowSecure
OWASP
Rezilion
ServiceNow
Sonatype