OWASP Expands SBOM Capabilities, Accelerating Innovation and Supply Chain Risk Reduction
OWASP CycloneDX v1.4 Now Available
Wakefield, Massachusetts Jan 12, 2022 (Issuewire.com) – OWASP today, launched an updated version of the CycloneDX Software Bill of Materials (SBOM) standard. CycloneDX version 1.4 adds significant new cybersecurity capabilities aimed at driving innovation and increasing the operational efficiency of SBOM across the software supply chain.
With this release, CycloneDX adds the ability to communicate vulnerabilities and their exploitability for software-defined in a bill of materials. This capability, known as Vulnerability Exploitability Exchange (VEX), works with SBOMs, forming a comprehensive view of possible risk. Together, the combination of SBOM and VEX can significantly reduce the efforts and costs associated with vulnerability management.
VEX is an integral part of the CycloneDX standard, providing the convenience of leveraging a single format and toolchain. Automated analysis of CycloneDX SBOMs and VEX is further made possible by a formal Uniform Resource Name (URN) namespace, currently in review by IETF, which will provide deep-linking capabilities between SBOMs and VEX.
“VEX is the biggest contextual information gap for widespread and efficient SBOM transparency across the software supply chain,” said Patrick Dwyer, co-lead of the CycloneDX Core Working Group. “Today, we are introducing new capabilities for suppliers to accurately and efficiently communicate third party component vulnerability risks in the context of their assembled software, systems, and embedded devices.”
The CycloneDX standard exceeds the Minimum Elements for Software Bill of Materials as defined by the National Telecommunications and Information Administration (NTIA). Adopting CycloneDX allows organizations to quickly meet these minimum requirements and mature into using more sophisticated use cases over time.
“We’ve had tremendous support from the community in the development of version 1.4,” says Steve Springett, co-lead and Chair of the CycloneDX Core Working Group. “The advancements made in this release provide a springboard to further adoption, innovation, and help to reduce risk in the global software supply chain”.
CycloneDX is a modern bill of materials standard supporting SBOM, SaaSBOM, and a wide range of other uses. With today’s launch, CycloneDX additionally adds enhanced support for hardware devices bridging gaps between traditional SBOMs and IoT, ICS, and other embedded systems.
Discover the many capabilities that CycloneDX provides at https://cyclonedx.org/capabilities/.
401 Edgewater Place, Suite 600
This article was originally published by IssueWire. Read the original article here.