CycloneDX is one of the most popular standards for describing the components of an application, including source code, binaries, libraries, and containers. With the latest release of the specification, version 1.5, OWASP, the manager of the project, is expanding it even further to encompass hardware, operations, manufacturing, and artificial intelligence.
While saying that the concept of the software bill of materials (SBOM) is solid, Mike Parkin, a senior technical engineer at Vulcan Cyber, noted that the real challenge for SBOMs is adoption. With CycloneDX 1.5, adoption should be easier across industries.
Mike Parkin: "The challenge is getting more organizations to utilize software bills of material with their own projects. This release is adding versatility and scope, which makes it even better."
Here's what your software team needs to know about CycloneDX 1.5 — and how to start putting it to work for better software transparency.
With version 1.5 of CycloneDX, OWASP, or the Open Worldwide Application Security Project, is introducing an explosion of new types of SBOMs:
Adding machine learning to its SBOM lineup shows that OWASP recognizes the latest developments in software creation, said Matt Rose, a field CISO at ReversingLabs.
Matt Rose: "A lot of companies are integrating machine learning algorithms into their products. Showing what machine learning capabilities are present is very important. The bill of materials isn't limited to the components of the software package itself anymore, but to the capabilities the software leverages to work, which can include machine learning."
OWASP said the ML-BOM represents a developer-friendly advancement in SBOM technology. By providing insights into the machine-learning models used in software systems, the organization explained, the ML-BOM allows stakeholders to understand and verify the training and deployment methods employed. That can ensure accountability and promote ethical AI practices, it contended.
With the rapid rise of generative AI models such as ChatGPT, the stakes have never been higher for AI software deployments, Christian Hudon, a senior applied research scientist at ServiceNow, said in a statement about CycloneDX 1.5.
Christian Hudon: "CycloneDX's new support for ML transparency couldn't have come at a better time to help companies manage their AI deployments in a more secure and transparent fashion."
Nick Rago, field CTO at Salt Security, said organizations will increasingly rely on generative AI to build applications and write code, making it essential to have insight and transparency into how these AI models are trained and which datasets they're using.
Nick Rago: "By leveraging ML-BOM, organizations can achieve this needed visibility. In turn, this visibility gives organizations greater confidence that the output of these AI-driven systems meets their security, compliance, and ethics standards."
The latest edition of CycloneDX also adds the ability to create SBOMs for low-code application platforms, Jeff Williams, CTO and co-founder of Contrast Security, said in a statement.
Jeff Williams: "CycloneDX is making software transparency a reality. I'm very excited about all the new capabilities in CycloneDX v1.5, particularly the ability to capture detailed evidence proving the SBOM is correct, such as methods, techniques, and call stacks."
Williams said that SBOMs aren’t just lists of ingredients anymore. "CycloneDX supports services, machine learning, low code, vulnerability disclosure, formulation, and annotations to really capture what’s important about the software you depend on."
With version 1.5, OWASP has expanded CycloneDX's ability to identify vulnerabilities by adding fields that describe risk assessments, threat models, and outputs from security. In fact, the new release doubles the number of external references supported in all SBOMs and significantly increases the types of components it supports, allowing for a greater degree of documentation and linking than in the past.
New fields have also been added related to software asset management (SAM) and the software development lifecycle (SDLC). Those fields provide context about how the SBOM was generated, the accuracy of the data contained within it, and the nature of an organization’s dependencies on third-party software components.
Kayla Heard-Rising, a user experience researcher at Zonar Systems, wrote in the OWASP blog about how CycloneDX 1.5 increases trust and transparency in more industries.
Kayla Heard-Rising: "Data in these fields can be used to increase stakeholder confidence in the product security communicated by the SBOM."
The SDLC fields can communicate the quality of an SBOM by identifying when it was generated in the product lifecycle. The lifecycle and evidence fields can also indicate the trustworthiness of the SBOM by providing data about five dimensions of quality recommended by OWASP:
Three new capabilities have also been added to CycloneDX that can be critical time-savers when investigating the real-world risk and impact of vulnerabilities within a project.
Another interesting twist in the latest edition of CycloneDX is the addition of proof-of-concept data on vulnerabilities. With it, software teams can document and demonstrate how a vulnerability could theoretically be exploited. That may include proof of the exploit happening, payloads to trigger the exploit, code for remediation, and additional details on remediation plans, Heard-Rising wrote in the OWASP blog.
Kayla Heard-Rising: "CycloneDX documentation of vulnerability proof of concepts saves time on explanation, investigation, and execution when it is time for a vulnerability to be patched, and can serve as documentation of when and why the vulnerability will be patched. This is commonly used for responsible disclosure, which is a transparency and trust measure to make stakeholders aware of existing vulnerabilities when adopting a product."
OWASP has also added commercial license support to its SBOM spec. It enables users to document the license, licensee, licensor, license number, license type, purchase order, renewal date, and expiration date for any dependent component in their project. OWASP said the addition of commercial licensing support means CycloneDX now supports open-source licenses for OpenChain conformance and commercial license support for enterprise software asset management use cases.
Kayla Heard-Rising: "With a CycloneDX SBOM, users have one central place to see all the licenses they use, where licenses may be missing, and when to renew or replace licenses to keep their product distribution up and running."
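Both the SDLC lifecycle fields and the commercial license fields described above are ordinary JSON objects in a CycloneDX 1.5 document, which means the "one central place" review can be automated. The Python below is an example added here; it is not code from the article, from OWASP, or from the CycloneDX project. It builds a small constructed BOM using the `metadata.lifecycles` array and the `licenses[].license.licensing` object from the CycloneDX 1.5 JSON schema, then reports components with no license declared at all and commercial licenses that are already expired or fall inside a renewal window. All component names, organizations, dates and the purchase order number are constructed sample values.

```python
import json
from datetime import date, datetime, timedelta

# Constructed CycloneDX 1.5 BOM for illustration only (not from the article).
# Field names follow the CycloneDX 1.5 JSON schema: metadata.lifecycles[].phase
# and components[].licenses[].license.licensing.{licensor,licensee,purchaseOrder,
# licenseTypes,lastRenewal,expiration}. Names, orgs, dates and PO are sample values.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "timestamp": "2023-07-01T12:00:00Z",
        "lifecycles": [{"phase": "build"}],  # SDLC phase the SBOM was produced in
        "component": {"type": "application", "name": "example-app", "version": "2.1.0"},
    },
    "components": [
        {
            "type": "library",
            "name": "acme-report-engine",
            "version": "4.2.0",
            "licenses": [{
                "license": {
                    "name": "Acme Commercial License",
                    "licensing": {
                        "licensor": {"organization": {"name": "Acme Software Ltd."}},
                        "licensee": {"organization": {"name": "Example Corp"}},
                        "purchaseOrder": "PO-0000001",
                        "licenseTypes": ["subscription"],
                        "lastRenewal": "2023-01-15T00:00:00Z",
                        "expiration": "2024-01-15T00:00:00Z",
                    },
                }
            }],
        },
        {
            "type": "library",
            "name": "requests",
            "version": "2.31.0",
            "licenses": [{"license": {"id": "Apache-2.0"}}],  # open source, no expiry
        },
        {"type": "library", "name": "mystery-blob", "version": "0.9"},  # no license data
    ],
}


def lifecycle_phases(bom):
    """Return the SDLC phases the BOM says it was generated in (metadata.lifecycles)."""
    lifecycles = bom.get("metadata", {}).get("lifecycles", [])
    return [lc["phase"] for lc in lifecycles if "phase" in lc]


def _parse_date(value):
    # CycloneDX timestamps are ISO 8601; normalise a trailing "Z" for fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).date()


def license_report(bom, today, renewal_window_days=90):
    """Bucket every component by license state as of `today`.

    missing  - component declares no license at all
    expired  - commercial license whose expiration date has passed
    expiring - commercial license expiring within renewal_window_days
    ok       - everything else (open-source ids/expressions, far-off expirations)
    """
    report = {"missing": [], "expired": [], "expiring": [], "ok": []}
    window_end = today + timedelta(days=renewal_window_days)
    for comp in bom.get("components", []):
        ref = f"{comp['name']}@{comp.get('version', '?')}"
        licenses = comp.get("licenses", [])
        if not licenses:
            report["missing"].append(ref)
            continue
        for entry in licenses:
            lic = entry.get("license")
            # An SPDX "expression" entry carries no commercial terms.
            expiration = (lic or {}).get("licensing", {}).get("expiration")
            if expiration is None:
                report["ok"].append(ref)
            elif _parse_date(expiration) < today:
                report["expired"].append(ref)
            elif _parse_date(expiration) <= window_end:
                report["expiring"].append(ref)
            else:
                report["ok"].append(ref)
    return report


if __name__ == "__main__":
    print("SBOM generated in phases:", lifecycle_phases(SAMPLE_BOM))
    print(json.dumps(license_report(SAMPLE_BOM, date(2023, 11, 1)), indent=2))
```

Feeding a real BOM in is a matter of replacing `SAMPLE_BOM` with `json.load(open("bom.json"))`; the `missing` bucket is the list Heard-Rising describes as "where licenses may be missing", and a non-empty `expired` bucket is the condition that stops product distribution.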
Jerod Heck, software factory deputy chief architect at Lockheed Martin, said that as a participant in the CycloneDX Industry Working Group, his team contributed to the CycloneDX 1.5 schema to strengthen tracking of commercial license information.
Jerod Heck: "The updated version enables Lockheed Martin to deliver software bills of material to customers more efficiently through an existing ecosystem of tooling."
This latest version of CycloneDX shows how the SBOM domain is maturing. "That's a good thing," Rose said.
Matt Rose: "I think the foundational BOM will continue to be the regular software bill of materials in CycloneDX format. These other BOMs are interesting, but only time will tell if they're accepted and used on a consistent basis."
Not everyone agrees that expansion of SBOMs is the best path forward.
Chris Romeo, managing general partner at Kerr Ventures, a cybersecurity startup investment and advisory firm, said he gets that an "SBOM in all its various forms provides transparency into the things that people are building, whether that is an LLM, a SaaS product, hardware, a product, or some software/firmware." But SBOMs are still a tool, and tools are meant to fix something, he said.
Chris Romeo: "Where I continue to be stuck is that SBOMs don't actually fix anything. They provide as good a set of information as we've ever had about the things that we build, but they don't improve security or privacy."
Romeo said that actions are needed to improve security and privacy, "and with all the focus on SBOMs as the answer to security, we’re missing out on the focus on remediation steps to fix the things that all these new standards create."
Chris Romeo: "I'm in favor of transparency and improving security, but too much focus is being put on SBOMs as the answer versus the true assurance-generating steps that will improve the security and privacy of the things the SBOMs describe."