Machine Readable Standards

Introduction

CycloneDX Attestations (CDXA) represent compliance, industry, and security standards in a machine-readable form, so that requirements can be exchanged, referenced, and checked by tools rather than read out of paper documents. Expressing a standard in one consistent, structured format removes the ambiguity of prose requirements that every assessor interprets slightly differently and the overhead of re-keying them for each audit. OpenCRE (Common Requirements Enumeration), a framework for mapping and aligning requirements across standards, is integrated into CDXA, so a requirement in one standard can be linked to its counterparts in other standards and to concrete implementation guidance.

OpenCRE gives CycloneDX a single, shared way to reference requirements across standards, so auditors, engineers, and tool authors work from the same vocabulary. With that link in place, each requirement can be traced to the defenses that satisfy it and the evidence that proves it, across organizational silos. Machine-readable standards are the foundation for automating, scaling, and clarifying compliance work in a security environment that changes faster than paper documentation can follow.

The CycloneDX example below shows how a standard such as PCI Secure SLC can be represented in machine-readable form: each requirement carries a unique bom-ref, the standard's own identifier, its normative text, optional supporting descriptions, and a parent link that preserves the standard's hierarchy. CycloneDX also supports "levels", used by frameworks such as OWASP ASVS and SCVS to define progressive maturity tiers; each level lists the requirements that belong to it. For more, see the CycloneDX Official 3rd Party Standards Repository, a collection of third-party standards in CycloneDX format.

Examples

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:f5224b09-170c-4e02-b7e8-98560d7acea6",
  "version": 1,
  "metadata": {
    "timestamp": "2023-10-04T00:37:13-05:00",
    "supplier": {
      "name": "OWASP Foundation",
      "url": [
        "https://owasp.org"
      ]
    }
  },
  "definitions": {
    "standards": [
      {
        "bom-ref": "pcissc-sslc-1.1",
        "name": "PCI Secure Software Lifecycle (Secure SLC) Requirements and Assessment Procedures",
        "version": "1.1",
        "description": "PCI Secure SLC provides a baseline of security requirements with corresponding assessment procedures and guidance to help software vendors design, develop, and maintain secure software throughout the software lifecycle.",
        "owner": "PCI Security Standards Council",
        "requirements": [
          {
            "bom-ref": "pcissc-sslc-1.1-1",
            "identifier": "1",
            "title": "Security Responsibilities and Resources",
            "text": "The software vendor’s senior leadership team establishes formal responsibility and authority for the security of the software vendor’s products and services. The software vendor allocates resources to execute the strategy and ensure that personnel are appropriately skilled."
          },
          {
            "bom-ref": "pcissc-sslc-1.1-1.1",
            "identifier": "1.1",
            "text": "Overall responsibility for the security of the software vendor’s products and services is assigned by the vendor’s senior leadership team.",
            "parent": "pcissc-sslc-1.1-1",
            "descriptions": [
              "The formal assignment of responsibility by the software vendor’s senior leadership team ensures strategic-level visibility into and influence over the vendor’s software security practices. Senior leadership typically represents those individuals or teams with the responsibility and authority to make strategic business decisions for the software vendor organization. In many cases, senior leadership teams are comprised of members of the executive team such as the chief executive officer (CEO), chief financial officer (CFO), chief technology officer (CTO), chief information officer (CIO), chief risk officer (CRO), or similar roles, but that is not the case in all organizations. The distinct structure of the senior leadership team is ultimately determined by the software vendor.\n\nAssignment of overall responsibility for the vendor’s software security program should include the authority to enforce and execute the organization’s software security strategy. Without appropriate authority, those responsible for the security of the software vendor’s products and services cannot be reasonably held accountable for ensuring the organization’s security strategy is followed. Those responsible for the vendor’s software security should provide periodic updates on the state of the vendor’s software security program and the performance of its strategy to senior leadership. This allows senior leadership to ensure the strategy is being properly prioritized and resourced, and that changes required as a result of its performance are approved in a timely manner.\n\nEvidence to support this control objective might include job descriptions, organization charts, presentations, audio recordings, senior leadership meeting minutes, reports, e-mails, formal communications from senior leadership to the rest of the organization, or any other records that clearly reflect the formal assignment of responsibility and authority, and communications between senior leadership and those responsible for the vendor’s software security program regarding program performance."
            ]
          },
          {
            "bom-ref": "pcissc-sslc-1.1-1.1.1",
            "identifier": "1.1.1",
            "text": "Accountability for ensuring the security of the software vendor’s products and services is formally assigned to an individual or team by the software vendor’s senior leadership.",
            "parent": "pcissc-sslc-1.1-1.1"
          },
          {
            "bom-ref": "pcissc-sslc-1.1-1.1.2",
            "identifier": "1.1.2",
            "text": "Responsibilities include keeping senior leadership informed of security updates, issues, and other matters related to the security of the software vendor’s products and services.",
            "parent": "pcissc-sslc-1.1-1.1"
          },
          {
            "bom-ref": "pcissc-sslc-1.1-1.1.3",
            "identifier": "1.1.3",
            "text": "Updates are provided to senior leadership at least annually on the performance of and changes to the software vendor’s software security policy and strategy described in Objective 2.",
            "parent": "pcissc-sslc-1.1-1.1"
          }
        ]
      }
    ]
  }
}
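The structure above is only useful to tooling if its internal references hold together: every `parent` must point at a bom-ref defined in the same standard, bom-refs must be unique, and any level must list only requirements that exist. The following script is an added example (not CycloneDX project code) that indexes a `definitions.standards` entry, reports dangling parents, level references and parent cycles, rebuilds the requirement hierarchy, and resolves a level to its requirement identifiers. The standard it reads is a constructed, trimmed document modelled on the PCI Secure SLC example; it adds a `levels` entry and an `openCre` field (my reading of the 1.6 requirement object, check against the schema you target) with a placeholder CRE id, plus one deliberately dangling parent and one dangling level reference so the checks have something to find. The identifier-extends-parent check is a convention of hierarchical standards, not a schema rule, so it is reported as a finding rather than an error.

```python
"""Walk and sanity-check a CycloneDX 1.6 `definitions.standards` entry.

Added example, not CycloneDX project code. SAMPLE_BOM is constructed for
illustration; the CRE id it carries is a placeholder, not a real mapping.
"""
import json

SAMPLE_BOM = json.loads(r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "definitions": {
    "standards": [
      {
        "bom-ref": "example-std-1.0",
        "name": "Example standard (constructed)",
        "version": "1.0",
        "requirements": [
          {"bom-ref": "ex-1", "identifier": "1", "title": "Governance"},
          {"bom-ref": "ex-1.1", "identifier": "1.1", "parent": "ex-1",
           "text": "Responsibility is assigned by senior leadership.",
           "openCre": ["CRE:000-000"]},
          {"bom-ref": "ex-1.1.1", "identifier": "1.1.1", "parent": "ex-1.1",
           "text": "Accountability is formally assigned."},
          {"bom-ref": "ex-2.1", "identifier": "2.1", "parent": "ex-2",
           "text": "Deliberately dangling: ex-2 is never defined."}
        ],
        "levels": [
          {"bom-ref": "ex-L1", "identifier": "L1", "title": "Baseline",
           "requirements": ["ex-1.1", "ex-1.1.1", "ex-missing"]}
        ]
      }
    ]
  }
}
""")


def index_requirements(standard):
    """Map bom-ref -> requirement. Parents, levels and attestation claims all
    resolve through bom-refs, so a duplicate is a hard error, not a finding."""
    index = {}
    for req in standard.get("requirements", []):
        ref = req["bom-ref"]
        if ref in index:
            raise ValueError(f"duplicate bom-ref {ref!r}")
        index[ref] = req
    return index


def validate_standard(standard):
    """Return human-readable findings; an empty list means the references are consistent."""
    findings = []
    index = index_requirements(standard)
    for ref, req in index.items():
        parent = req.get("parent")
        if parent is None:
            continue
        if parent not in index:
            findings.append(f"{ref}: parent {parent!r} not defined in this standard")
            continue
        # Convention, not schema: a child's identifier extends its parent's (1.1.1 under 1.1).
        pid, cid = index[parent].get("identifier", ""), req.get("identifier", "")
        if pid and cid and not cid.startswith(pid + "."):
            findings.append(f"{ref}: identifier {cid!r} does not extend parent {pid!r}")
    # A level that names an unknown bom-ref silently shrinks when tools resolve it.
    for level in standard.get("levels", []):
        for ref in level.get("requirements", []):
            if ref not in index:
                findings.append(f"level {level.get('identifier')}: unknown requirement {ref!r}")
    # A parent cycle would make any tree walk loop forever.
    for ref in index:
        seen, cur = set(), ref
        while cur in index:
            if cur in seen:
                findings.append(f"{ref}: parent chain forms a cycle")
                break
            seen.add(cur)
            cur = index[cur].get("parent")
    return findings


def requirement_tree(standard):
    """Nest requirements under their parents, keyed by identifier.
    Requirements whose parent is missing surface as roots so they are not lost."""
    index = index_requirements(standard)
    children, roots = {}, []
    for ref, req in index.items():
        parent = req.get("parent")
        if parent in index:
            children.setdefault(parent, []).append(ref)
        else:
            roots.append(ref)

    def build(ref):
        return {index[c]["identifier"]: build(c) for c in children.get(ref, [])}

    return {index[r]["identifier"]: build(r) for r in roots}


def requirements_in_level(standard, level_identifier):
    """Resolve a level's bom-refs to requirement identifiers, skipping dangling ones."""
    index = index_requirements(standard)
    for level in standard.get("levels", []):
        if level.get("identifier") == level_identifier:
            return sorted(index[r]["identifier"] for r in level.get("requirements", []) if r in index)
    raise KeyError(level_identifier)


def cre_mappings(standard):
    """identifier -> OpenCRE ids for requirements that carry an `openCre` field."""
    return {r["identifier"]: r["openCre"] for r in standard.get("requirements", []) if r.get("openCre")}


STANDARD = SAMPLE_BOM["definitions"]["standards"][0]

if __name__ == "__main__":
    for finding in validate_standard(STANDARD):
        print("finding:", finding)
    print(json.dumps(requirement_tree(STANDARD), indent=2))
    print("L1 ->", requirements_in_level(STANDARD, "L1"))
```

Run against a real standard from the 3rd Party Standards Repository by replacing `SAMPLE_BOM` with `json.load(open(path))`; the findings list is the part worth wiring into CI, since a standard that fails to resolve its own parents or levels will produce misleading attestation results downstream.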