OWASP Expands SBOM Capabilities, Accelerating Innovation and Supply Chain Risk Reduction

12 January 2022

OWASP today launched an updated version of the CycloneDX Software Bill of Materials (SBOM) standard. CycloneDX version 1.4 adds significant new cybersecurity capabilities aimed at driving innovation and increasing the operational efficiency of SBOM across the software supply chain.

With this release, CycloneDX adds the ability to communicate vulnerabilities and their exploitability for software defined in a bill of materials. This capability, known as Vulnerability Exploitability Exchange (VEX), works with SBOMs, forming a comprehensive view of possible risk. Together, the combination of SBOM and VEX can significantly reduce the efforts and costs associated with vulnerability management.

VEX is an integral part of the CycloneDX standard, providing the convenience of leveraging a single format and tool chain. Automated analysis of CycloneDX SBOMs and VEX is further made possible by a formal Uniform Resource Name (URN) namespace, currently in review by IETF, which will provide deep-linking capabilities between SBOMs and VEX.
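The two capabilities described above, VEX carried inside the same CycloneDX document as the SBOM, and BOM-Link URNs that point from one document into another, can be exercised with a small amount of code. The following is an added example written for this page; it is not code from OWASP or the CycloneDX project. It assumes the CycloneDX 1.4 JSON layout (a top-level "vulnerabilities" array whose entries carry an "analysis" object with a "state" and an "affects" list of "bom-ref" targets) and the BOM-Link form "urn:cdx:<serialNumber>/<version>#<bom-ref>" from the 1.4 specification. The document, component names, package URLs and vulnerability identifiers are all constructed placeholders, not real artifacts or CVEs.

```python
"""Added example: combine the SBOM and VEX parts of one CycloneDX 1.4 document
to decide which reported vulnerabilities still need action, and resolve a
BOM-Link URN back to the component it names."""
import json
import re
from typing import Optional

# Constructed sample document. Serial number, components and vulnerability ids
# are placeholders (the CVE-0000-* ids are not real CVEs).
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "example-app",
                               "version": "2.0.0", "bom-ref": "example-app"}},
    "components": [
        {"type": "library", "name": "lib-a", "version": "1.2.3",
         "bom-ref": "pkg:maven/example/lib-a@1.2.3"},
        {"type": "library", "name": "lib-b", "version": "4.5.6",
         "bom-ref": "pkg:maven/example/lib-b@4.5.6"},
        {"type": "library", "name": "lib-c", "version": "0.9.0",
         "bom-ref": "pkg:maven/example/lib-c@0.9.0"},
    ],
    "vulnerabilities": [
        # VEX statement: the supplier analysed this and found the code unreachable.
        {"id": "CVE-0000-00001", "source": {"name": "placeholder"},
         "ratings": [{"severity": "critical"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                      "detail": "The vulnerable parser is never invoked."},
         "affects": [{"ref": "pkg:maven/example/lib-a@1.2.3"}]},
        # VEX statement: confirmed exploitable, supplier recommends an update.
        {"id": "CVE-0000-00002", "source": {"name": "placeholder"},
         "ratings": [{"severity": "high"}],
         "analysis": {"state": "exploitable", "response": ["update"]},
         "affects": [{"ref": "pkg:maven/example/lib-b@4.5.6"}]},
        # No analysis block at all: nobody has triaged this one yet.
        {"id": "CVE-0000-00003", "source": {"name": "placeholder"},
         "ratings": [{"severity": "medium"}],
         "affects": [{"ref": "pkg:maven/example/lib-c@0.9.0"}]},
    ],
})

# Analysis states that mean "no action required" per the 1.4 schema enumeration.
NO_ACTION_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}

# BOM-Link: urn:cdx:<uuid>/<bom version>[#<bom-ref>]  (fragment optional).
BOM_LINK_RE = re.compile(r"^urn:cdx:([0-9a-fA-F-]{36})/(\d+)(?:#(.+))?$")


def load_bom(text: str) -> dict:
    """Parse a CycloneDX JSON document and check it is the 1.4 format we expect."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or bom.get("specVersion") != "1.4":
        raise ValueError("not a CycloneDX 1.4 document")
    return bom


def component_index(bom: dict) -> dict:
    """Map every bom-ref (including the metadata component) to its component object."""
    index = {}
    meta = bom.get("metadata", {}).get("component")
    if meta and "bom-ref" in meta:
        index[meta["bom-ref"]] = meta
    for comp in bom.get("components", []):
        if "bom-ref" in comp:
            index[comp["bom-ref"]] = comp
    return index


def triage(bom: dict) -> dict:
    """Bucket each (vulnerability id, component name) pair by its VEX analysis state.

    Anything without an analysis, or still in_triage, is reported as untriaged
    rather than silently dropped; a ref that matches no component is flagged too."""
    index = component_index(bom)
    result = {"actionable": [], "suppressed": [], "untriaged": []}
    for vuln in bom.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state")
        if state in NO_ACTION_STATES:
            bucket = "suppressed"
        elif state == "exploitable":
            bucket = "actionable"
        else:
            bucket = "untriaged"
        for target in vuln.get("affects", []):
            comp = index.get(target.get("ref"))
            name = comp["name"] if comp else f"<unknown ref {target.get('ref')}>"
            result[bucket].append((vuln["id"], name))
    return result


def parse_bom_link(urn: str) -> Optional[tuple]:
    """Split a BOM-Link URN into (uuid, bom version, bom-ref or None)."""
    m = BOM_LINK_RE.match(urn)
    if not m:
        return None
    return (m.group(1).lower(), int(m.group(2)), m.group(3))


def resolve_bom_link(bom: dict, urn: str) -> Optional[dict]:
    """Return the component a BOM-Link names, only if it points at this exact document
    (same serial number and same version); the whole BOM if there is no fragment."""
    parsed = parse_bom_link(urn)
    if parsed is None:
        return None
    uuid, version, ref = parsed
    if bom.get("serialNumber", "").lower() != f"urn:uuid:{uuid}" or bom.get("version") != version:
        return None
    return bom if ref is None else component_index(bom).get(ref)


if __name__ == "__main__":
    doc = load_bom(SAMPLE_BOM)
    for bucket, items in triage(doc).items():
        print(bucket, items)
```

Running the module lists the single actionable finding (lib-b), the suppressed one (lib-a, with its justification available in the document for auditors), and the untriaged one (lib-c), which is the effort reduction the announcement describes: the consumer acts on one vulnerability instead of three, and the reasoning for the other two travels with the SBOM. Note that a BOM-Link is only resolved when both the serial number and the document version match, so a link into a newer or older revision of the same BOM is rejected rather than resolved against the wrong components.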

“VEX is the biggest contextual information gap for widespread and efficient SBOM transparency across the software supply chain,” said Patrick Dwyer, co-lead of the CycloneDX Core Working Group. “Today, we are introducing new capabilities for suppliers to accurately and efficiently communicate third-party component vulnerability risks in the context of their assembled software, systems, and embedded devices.”

The CycloneDX standard exceeds the Minimum Elements for Software Bill of Materials as defined by the National Telecommunications and Information Administration (NTIA). Adopting CycloneDX allows organizations to quickly meet these minimum requirements and mature into using more sophisticated use cases over time.

“We’ve had tremendous support from the community in the development of version 1.4,” said Steve Springett, co-lead and Chair of the CycloneDX Core Working Group. “The advancements made in this release provide a springboard to further adoption and innovation, and help to reduce risk in the global software supply chain.”

CycloneDX is a modern bill of materials standard supporting SBOM, SaaSBOM, and a wide range of other uses. With today’s launch, CycloneDX additionally adds enhanced support for hardware devices, bridging gaps between traditional SBOMs and IoT, ICS, and other embedded systems.

Discover the many capabilities that CycloneDX provides at https://cyclonedx.org/capabilities/

About the OWASP Foundation

The Open Web Application Security Project (OWASP) is a nonprofit organization that works to improve the security of software. Through community-led open source software projects, over 260 local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web. For nearly two decades corporations, foundations, developers, and volunteers have supported the OWASP Foundation and its work. To learn more or to become a member, visit https://owasp.org.

OWASP and the Open Web Application Security Project are trademarks of the OWASP Foundation.

CycloneDX Supporters

Apiiro
Contrast Security
Ecma International
Fortress Information Security
IBM
IonChannel
Kondukto
Lockheed Martin
NowSecure
OWASP
Rezilion
ServiceNow
Sonatype