CycloneDX Joins OWASP Foundation as a Flagship Project

11 June 2021

The CycloneDX project, creators of the leading Software Bill of Materials (SBOM) format, announced they will be joining OWASP Foundation as a Flagship Project. This move will provide resources to the CycloneDX project while strengthening OWASP as the leading non-profit security organization providing tools, documentation, and standards.

CycloneDX is a security-focused SBOM specification created in 2017 that can trace its origins back to issue #52 of OWASP Dependency-Track. The specification has since been through several backward-compatible revisions and has adopted a formal standardization process. As the leading SBOM standard, it’s been adopted by many commercial security vendors, open source projects, and is referenced by multiple world governments as their preferred SBOM format.

In four short years, CycloneDX adoption has exploded. It has the largest ecosystem of any SBOM format. It’s used everywhere from consumer electronic manufacturers, cloud providers, healthcare, and critical infrastructure and defense.” says Steve Springett, Chair of the CycloneDX Core Working Group. “Moving to the OWASP Foundation is a tremendous benefit for the CycloneDX community as the industry moves towards producing SBOMs as an integral part of the secure development process”.

Software supply chain risk and transparency are widely discussed topics in the security community. “As recently demonstrated by the US Government’s Executive Order on secure supply chain security and various attacks on critical infrastructure, along with our forthcoming data from the OWASP Top 10 2021 project, CycloneDX is a key part of the solution to ensuring every organization, big or small, has access to a world class Software Bill of Materials standard and tooling” says Andrew van der Stock, OWASP Top 10 co-lead and OWASP Foundation Executive Director. “We are incredibly lucky to have CycloneDX join OWASP as our newest flagship standard project. As part of OWASP’s mission to secure all applications and increase application security awareness, SBOM’s are a key part of our collective future.”

The CycloneDX Core Working Group which maintains the standard put out a call for votes on the project’s mailing list on 1 June 2021. The community unanimously voted in favor of the move. “CycloneDX has always had really strong ties with the OWASP community. Shared values of being free and open to anyone who wants to participate or contribute, as well as remaining vendor neutral. Joining the OWASP Foundation is a natural fit, and I look forward to continuing our work on the shared mission of improving the security of software.” says Patrick Dwyer, CycloneDX Core Working Group member.

About the OWASP Foundation

The Open Web Application Security Project (OWASP) is a nonprofit organization that works to improve the security of software. Through community-led open source software projects, over 260 local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web. For nearly two decades corporations, foundations, developers, and volunteers have supported the OWASP Foundation and its work. To learn more or to become a member, visit

OWASP and the Open Web Application Security Project are trademarks of the OWASP Foundation.

About CycloneDX

CycloneDX is a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis. The CycloneDX project provides standards in XML, JSON, and Protocol Buffers, as well as a large collection of official and community supported tools that create or interoperate with the standard. The project operates as an independent meritocracy whose guiding principles reinforce its risk-based approach to standards development. The project encourages community participation in the development of the standard and supporting tools. Visit for more information.

CycloneDX Supporters

Contrast Security
Ecma International
Fortress Information Security
Lockheed Martin