Insights from OWASP: Future-Proofing Software Bills of Materials with CycloneDX

The OWASP Foundation has released a new version of its CycloneDX standard for software bills of materials (SBOMs) that is geared to making SBOMs relevant far into the future.

Two key changes seek to boost software supply chain: A machine-readable standard for managing SBOMs with CycloneDX Attestations (CDXAs), and a standard for quantum-level protection.

Steve Springett, chair of CycloneDX SBOM Standard at OWASP, to discusses some of the key takeaways from the major update, including:

✓ Why the new machine-readable formatting (CDXA)  is essential given the rise of AI and ML for SBOM automation.
✓ How the new Cryptographic Bill of Materials (CBOM) delivers quantum-level security.
✓ How the update delivers on White House EO 04128, with its inclusion of software (SBOM), hardware (HBOM), services (SaaSBOM), and AI/ML models (AI/ML-BOM).
✓ Why OWASP is working with Ecma International to develop a global standard for modern SBOMs.

About Steve Springett

Steve is the Director of Product Security at ServiceNow and Chair of the CycloneDX SBOM Standard at OWASP. Steve's passionate about helping organizations identify and reduce risk from the software supply chain. He is an open source advocate and leads the OWASP Dependency-Track project, OWASP Software Component Verification Standard (SCVS), and Chairs the OWASP CycloneDX Core Working Group and Ecma International TC54. Steve serves on the Board of Directors of the OWASP Foundation where he helps drive the continued growth of the foundation and the pursuit of its mission to make secure software a reality through open collaboration, education, and innovation.