The OWASP Foundation has released a new version of its CycloneDX standard for software bills of materials (SBOMs) that includes a cryptographic bill of materials (CBOM), a machine-readable approach to managing SBOMs with CycloneDX Attestations (CDXAs), and data to assess the environmental impact of AI development.
The OWASP Foundation explained in a statement that CycloneDX v1.6 builds upon the strengths of the CycloneDX standard, which provides a machine-readable format for bills of materials for software, hardware (HBOMs), services (SaaSBOMs), and AI/ML models (AI/ML-BOMs).
Sarah Jones, a cyberthreat intelligence research analyst at Critical Start, said that CycloneDX v1.6 introduces two key features that boost software supply chain security: attestation and quantum-security protection. Attestation that is ML-friendly is essential today, she said.
"CycloneDX Attestations tackle the challenge of complex compliance demonstrations by providing a machine-readable format for security standards and evidence. This streamlines communication and automates reporting, leading to faster detection and remediation of security vulnerabilities."
—Sarah Jones
And with an eye on the future, the foundation also added quantum-security protection. "The cryptographic bill of materials helps organizations manage their cryptographic assets, allowing them to identify weaknesses and plan for a future where quantum computers can break current encryption methods," Jones said.
Here's a full rundown on the updates to the CycloneDX 1.6 standard for SBOMs — and what they mean for securing your software supply chain.
[ Related: Make SBOMs actionable to better manage risk | Special Report: The State of Software Supply Chain Security (SSCS) 2024 | Download Report: State of SSCS ]
'Compliance as code' takes a step forward with CDXA
CDXAs are designed to allow organizations to communicate standards, claims, and evidence in support of requirements, along with attestations to the veracity and completeness of those claims. “Modern software is tremendously complex, and ensuring compliance with the dizzying array of standards is overwhelming,” Contrast Security CTO and OWASP Foundation global chair Jeff Williams said in a statement.
“CycloneDX Attestations make 'compliance as code' possible with machine-readable security standards and compliance documentation, instead of endless PDFs, spreadsheets, and paper evidence. With CDXA, you can automate production of compliance evidence, streamline communication between all compliance stakeholders, facilitate discussions about substantive security issues, handle exceptions, and manage signatures."
—Jeff Williams
Williams said the OWASP Foundation hopes that CDXAs mark the beginning of "a new era where compliance and security are not entirely different things."
Philip George, executive technical strategist at Merlin Cyber, stressed that CDXAs are essential for modernizing SBOM creation and maintenance because they turn a labor-intensive manual process to a scalable and repeatable automated one.
"When viewed as a single transaction between the government and a software OEM, the numerous dependencies hidden within one product alone can be overwhelming. Now, add a product library to the interaction and you will end up with an unmanageable number of components and validation elements to consider. Thus, the need for a machine-readable standard was clear."
—Philip George
The cryptographic supply chain is coming: CycloneDX is ready for it
The OWASP Foundation said CBOMs can simplify the discovery, management, and reporting of cryptographic assets, laying the groundwork for migration to quantum-safe systems and applications. They can facilitate the identification of weak cryptographic algorithms, promote cryptographic agility, and ensure compliance with evolving cryptographic policies and advisories.
IBM Quantum Safe CTO Michael Osborne, a CycloneDX project contributor, said in a statement that the introduction of CBOMs in CycloneDX 1.6 is a significant milestone for managing the cryptography supply chain.
“CBOM is the first open standard to describe an organization’s cryptographic assets inventory and their dependencies, giving organizations deeper visibility into the cryptography they use, enabling them to assess their quantum readiness, and to consider actionable steps toward becoming quantum-safe.”
—Michael Osborne
Merlin Cyber's George said the addition of CBOMs to CycloneDX rounds out the overarching intent of the White House's Executive Order 14028, which emphasizes the need for stronger cybersecurity measures, collaboration, and information sharing to protect the nation from cyberthreats and sets a clear direction for improving cybersecurity practices across the government and private sectors.
"By standardizing how crypto-assets are characterized and leveraged throughout a given product supply chain, this presents risk managers with deeper insight into potentially vulnerable algorithms, keys, and libraries for both zero-trust and post-quantum cryptography migration purposes."
—Philip George
AI and the environment: Transparency for your software supply chain
In addition to CBOMs and CDXAs, CycloneDX 1.6 includes environmental considerations, enhancing the standard's support for AI/ML model cards, which provide standardized information about ML models. The OWASP Foundation explained that the incorporation of environmental data into CycloneDX v1.6 transforms AI development, offering transparency into energy usage and carbon emissions across all stages, from training to inference.
This integration enables informed decision making, it added, fostering sustainable technological practices. CycloneDX seamlessly integrates environmental considerations into AI development, promoting harmony between innovation and ecological preservation.
CycloneDX 1.6 and software supply chain security
Critical Start's Jones said the new additions to CycloneDX give it a leg up on competing standards in the market.
"Features like CBOM and CDXA suggest a more comprehensive approach to security. The focus on future-proofing against quantum-computing threats and fostering environmentally conscious development could also be considered advantages."
—Sarah JonesAnd the update also marks a giant leap forward for software supply chain security, Jones said.
"Overall, CycloneDX v1.6 seems to be a significant leap forward in the SBOM space, addressing critical security concerns and promoting transparency in AI development. Its journey toward international standardization underscores its potential impact on the software industry."
—Sarah Jones
Jasmine Noel, software supply chain security evangelist for ReversingLabs, said organizations require more transparency to make tangible steps towards proactively preventing deployment of compromised commercial software and updates.
"Shareable SBOM data in a CycloneDX’s standardized, machine-readable format, coupled with detection of a broad spectrum of software supply chain threats (such as malware, tampering, or exposed secrets), enables enterprises to make informed risk-based release or deployment decisions."
—Jasmine Noel
Noel added that the ReversingLabs research team recently showed how the need to verify that commercial or publicly shared machine-learning (ML) models are safe to use will grow as enterprises consider deploying them into production environments.
"Standardized data formats enable model producers to share information about model parameters, training datasets, software components being executed or steps taken to harden AI and ML models against adversarial samples with potential customers."
—Jasmine Noel
