CycloneDX is one of the most popular standards for describing the components of an application, including source code, binaries, libraries, and containers. With the latest release of the specification, version 1.5, OWASP, the manager of the project, is expanding it even further to encompass hardware, operations, manufacturing, and artificial intelligence.
While saying that the concept of the software bill of materials (SBOM) is solid, Mike Parkin, a senior technical engineer at Vulcan Cyber, noted that the real challenge for SBOMs is adoption. With CycloneDX 1.5, adoption should be easier across industries.
"The challenge is getting more organizations to utilize software bills of material with their own projects. This release is adding versatility and scope, which makes it even better."
Here's what your software team needs to know about CycloneDX 1.5 — and how to start putting it to work for better software transparency.
The next generation of SBOMs is upon us
With version 1.5 of CycloneDX, OWASP, or the Open Worldwide Application Security Project, is introducing an explosion of new types of SBOMs:
- SaaSBOM: Provides an inventory of services, endpoints, and data flows and classifications that power cloud-native applications
- HBOM: Supports documentation of components, devices, firmware, configurations, and many other fields that make it ideal for producers of consumer electronics, IoT devices, and embedded devices
- ML-BOM: Includes documentation of a machine-learning algorithm's model and dataset
- MBOM: Describes how a product is made and documents how it combines hardware, firmware, software, processes, and testing to create the final device distributed to the customer
- KBOM: Documents the composition of a Kubernetes cluster, creating a manifest of the components, versions, and images within it
ML deployments are in the crosshairs
Adding machine learning to its SBOM lineup shows that OWASP recognizes the latest developments in software creation, said Matt Rose, a field CISO at ReversingLabs.
"A lot of companies are integrating machine learning algorithms into their products. Showing what machine learning capabilities are present is very important. The bill of materials isn't limited to the components of the software package itself anymore, but to the capabilities the software leverages to work, which can include machine learning."
OWASP said the ML-BOM represents a developer-friendly advancement in SBOM technology. By providing insights into the machine-learning models used in software systems, the organization explained, the ML-BOM allows stakeholders to understand and verify the training and deployment methods employed. That can ensure accountability and promote ethical AI practices, it contended.
With the rapid rise of generative AI models such as ChatGPT, the stakes have never been higher for AI software deployments, Christian Hudon, a senior applied research scientist at ServiceNow, said in a statement about CycloneDX 1.5.
“CycloneDX’s new support for ML transparency couldn’t have come at a better time to help companies manage their AI deployments in a more secure and transparent fashion.”
Nick Rago, field CTO at Salt Security, said organizations will increasingly rely on generative AI to build applications and write code, making it essential to have insight and transparency into how these AI models are trained and which datasets they're using.
"By leveraging ML-BOM, organizations can achieve this needed visibility. In turn, this visibility gives organizations greater confidence that the output of these AI-driven systems meets their security, compliance, and ethics standards."
Software transparency takes shape
The latest edition of CycloneDX also adds the ability to create SBOMs for low-code application platforms, Jeff Williams, CTO and co-founder of Contrast Security, said in a statement.
“CycloneDX is making software transparency a reality. I’m very excited about all the new capabilities in CycloneDX v1.5, particularly the ability to capture detailed evidence proving the SBOM is correct, such as methods, techniques, and call stacks."
Williams said that SBOMs aren’t just lists of ingredients anymore. "CycloneDX supports services, machine learning, low code, vulnerability disclosure, formulation, and annotations to really capture what’s important about the software you depend on."
With version 1.5, OWASP has expanded CycloneDX's ability to identify vulnerabilities by adding fields that describe risk assessments, threat models, and outputs from security. In fact, the new release doubles the number of external references supported in all SBOMs and significantly increases the types of components it supports, allowing for a greater degree of documentation and linking than in the past.
New fields have also been added related to software asset management (SAM) and the software development lifecycle (SDLC). Those fields provide context about how the SBOM was generated, the accuracy of the data contained within it, and the nature of an organization’s dependencies on third-party software components.
Kayla Heard-Rising, a user experience researcher at Zonar Systems, wrote in the OWASP blog about how CycloneDX 1.5 increases trust and transparency in more industries.
"Data in these fields can be used to increase stakeholder confidence in the product security communicated by the SBOM."
The new outline for SBOM quality
The SDLC fields can communicate the quality of an SBOM by identifying when it was generated in the product lifecycle. The lifecycle and evidence fields can also indicate the trustworthiness of the SBOM by providing data about five dimensions of quality recommended by OWASP:
- Breadth: Describes the types of data in an SBOM
- Depth: Notes the amount of detail or difficulty needed to represent data in the SBOM
- Lifecycles: Reveals the number of lifecycles or the favorability of specific lifecycles in the creation of an SBOM
- Techniques: Exposes the approaches used to identify component identity
- Confidence: Discloses the level of certainty that can be placed in the information contained in the SBOM
Three new capabilities have also been added to CycloneDX that can be critical time-savers when investigating the real-world risk and impact of vulnerabilities within a project.
- Identity evidence can be used to prove the identity of a component and its source.
- Occurrences show where individual instances of a component are located in a project's source code and aggregate those instances into a single component.
- Call stack is similar to a stack trace. It identifies if a vulnerable component was called by the application and shows where it was invoked in a nested function call, indicating the reachability of the vulnerable component and what data or functionality may have been impacted.
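As an added example (not from the article or the CycloneDX project), the fragment below shows the 1.5 fields behind both the quality dimensions listed above and the three evidence capabilities: a lifecycle phase in the metadata, and identity, occurrences and callstack evidence on a component. The two consumer functions summarise the quality signals and flag vulnerabilities whose affected component is actually reached from application code; all component names, paths, function names and the vulnerability id are constructed.

```python
# Constructed CycloneDX 1.5 fragment, not taken from the article or the project;
# component, paths, function names and the vulnerability id are made up.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    # lifecycle phase: when in the SDLC this SBOM was produced
    "metadata": {"lifecycles": [{"phase": "post-build"}]},
    "components": [{
        "type": "library", "name": "parser", "version": "2.3.1",
        "bom-ref": "pkg:maven/com.example/parser@2.3.1",
        "purl": "pkg:maven/com.example/parser@2.3.1",
        "evidence": {
            # identity: matched field, the techniques used and their confidence (0..1)
            "identity": {"field": "purl", "confidence": 0.8, "methods": [
                {"technique": "binary-analysis", "confidence": 0.8},
                {"technique": "filename", "confidence": 0.3}]},
            # occurrences: every place the component appears in the project tree
            "occurrences": [{"location": "app/lib/parser-2.3.1.jar"},
                            {"location": "tools/lib/parser-2.3.1.jar"}],
            # callstack: the application frame that reaches into the component
            "callstack": {"frames": [
                {"package": "com.example.app", "module": "Upload", "function": "handle", "line": 42},
                {"package": "com.example.parser", "module": "XmlParser", "function": "parse", "line": 118}]},
        },
    }],
    "vulnerabilities": [{"id": "EXAMPLE-VULN-1",  # constructed placeholder id
                         "affects": [{"ref": "pkg:maven/com.example/parser@2.3.1"}]}],
}


def quality_summary(bom):
    """OWASP quality dimensions visible in the data: lifecycles, techniques, confidence."""
    identities = [c["evidence"]["identity"] for c in bom.get("components", [])
                  if "identity" in c.get("evidence", {})]
    return {
        "phases": [lc.get("phase") or lc.get("name") for lc in bom.get("metadata", {}).get("lifecycles", [])],
        "techniques": sorted({m["technique"] for i in identities for m in i.get("methods", [])}),
        "min_confidence": min((i["confidence"] for i in identities), default=None),
    }


def reachable_vulnerabilities(bom, app_package):
    """Vulnerabilities whose affected component has a call-stack frame owned by app_package."""
    by_ref = {c["bom-ref"]: c for c in bom.get("components", []) if "bom-ref" in c}
    hits = []
    for vuln in bom.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            evidence = by_ref.get(target["ref"], {}).get("evidence", {})
            frames = evidence.get("callstack", {}).get("frames", [])
            if any(f.get("package") == app_package for f in frames):
                hits.append((vuln["id"], target["ref"], len(evidence.get("occurrences", []))))
    return hits
```

Each hit carries the occurrence count so a triage team knows how many copies of the component must be replaced, not just that one is reachable.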
Vulnerability proof of concepts get real
Another interesting twist in the latest edition of CycloneDX is the addition of proof-of-concept data on vulnerabilities. With it, software teams can document and demonstrate how a vulnerability could theoretically be exploited. That may include proof of the exploit happening, payloads to trigger the exploit, code for remediation, and additional details on remediation plans, Heard-Rising wrote in the OWASP blog.
"CycloneDX documentation of vulnerability proof of concepts saves time on explanation, investigation, and execution when it is time for a vulnerability to be patched, and can serve as documentation of when and why the vulnerability will be patched. This is commonly used for responsible disclosure, which is a transparency and trust measure to make stakeholders aware of existing vulnerabilities when adopting a product."
Commercial and open-source software management added to the specifications
OWASP has also added commercial license support to its SBOM spec. It enables users to document the license, licensee, licensor, license number, license type, purchase order, renewal date, and expiration date for any dependent component in their project. OWASP said the addition of commercial licensing support means CycloneDX now supports open-source licenses for OpenChain conformance and commercial license support for enterprise software asset management use cases.
"With a CycloneDX SBOM, users have one central place to see all the licenses they use, where licenses may be missing, and when to renew or replace licenses to keep their product distribution up and running."
Jerod Heck, software factory deputy chief architect at Lockheed Martin, said that as a participant in the CycloneDX Industry Working Group, his team contributed to the CycloneDX 1.5 schema to strengthen tracking of commercial license information.
"The updated version enables Lockheed Martin to deliver software bills of material to customers more efficiently through an existing ecosystem of tooling.”
SBOMs are maturing, but are they all that?
This latest version of CycloneDX shows how the SBOM domain is maturing. "That's a good thing," Rose said.
"I think the foundational BOM will continue to be the regular software bill of materials in CycloneDX format. These other BOMs are interesting, but only time will tell if they're accepted and used on a consistent basis."
Not everyone agrees that expansion of SBOMs is the best path forward.
Chris Romeo, managing general partner at Kerr Ventures, a cybersecurity startup investment and advisory firm, said he gets that an "SBOM in all its various forms provides transparency into the things that people are building, whether that is an LLM, a SaaS product, hardware, a product, or some software/firmware." But SBOMs are still a tool, and tools are meant to fix something, he said.
"Where I continue to be stuck is that SBOMs don’t actually fix anything. They provide as good a set of information as we’ve ever had about the things that we build, but they don’t improve security or privacy."
Romeo said that actions are needed to improve security and privacy, "and with all the focus on SBOMs as the answer to security, we’re missing out on the focus on remediation steps to fix the things that all these new standards create."
"I’m in favor of transparency and improving security, but too much focus is being put on SBOMs as the answer versus the true assurance-generating steps that will improve the security and privacy of the things the SBOMs describe."