OWASP looks to future-proof SBOMs with CycloneDX 1.6

The OWASP Foundation has released a new version of its CycloneDX standard for software bills of materials (SBOMs) that includes a cryptographic bill of materials (CBOM), a machine-readable approach to managing SBOMs with CycloneDX Attestations (CDXAs), and data to assess the environmental impact of AI development.

The OWASP Foundation explained in a statement that CycloneDX v1.6 builds upon the strengths of the CycloneDX standard, which provides a machine-readable format for bills of materials for software, hardware (HBOMs), services (SaaSBOMs), and AI/ML models (AI/ML-BOMs).

Sarah Jones, a cyberthreat intelligence research analyst at Critical Start, said that CycloneDX v1.6 introduces two key features that boost software supply chain security: attestation and quantum-security protection. Attestation that is ML-friendly is essential today, she said.

“CycloneDX Attestations tackle the challenge of complex compliance demonstrations by providing a machine-readable format for security standards and evidence. This streamlines communication and automates reporting, leading to faster detection and remediation of security vulnerabilities.”
Sarah Jones

And with an eye on the future, the foundation also added quantum-security protection. “The cryptographic bill of materials helps organizations manage their cryptographic assets, allowing them to identify weaknesses and plan for a future where quantum computers can break current encryption methods,” Jones said. 

Here’s a full rundown on the updates to the CycloneDX 1.6 standard for SBOMs — and what they mean for securing your software supply chain.


‘Compliance as code’ takes a step forward with CDXA

CDXAs are designed to allow organizations to communicate standards, claims, and evidence in support of requirements, along with attestations to the veracity and completeness of those claims. “Modern software is tremendously complex, and ensuring compliance with the dizzying array of standards is overwhelming,” Contrast Security CTO and OWASP Foundation global chair Jeff Williams said in a statement.

“CycloneDX Attestations make ‘compliance as code’ possible with machine-readable security standards and compliance documentation, instead of endless PDFs, spreadsheets, and paper evidence. With CDXA, you can automate production of compliance evidence, streamline communication between all compliance stakeholders, facilitate discussions about substantive security issues, handle exceptions, and manage signatures.”
Jeff Williams

Williams said the OWASP Foundation hopes that CDXAs mark the beginning of “a new era where compliance and security are not entirely different things.”

Philip George, executive technical strategist at Merlin Cyber, stressed that CDXAs are essential for modernizing SBOM creation and maintenance because they turn a labor-intensive manual process into a scalable and repeatable automated one.

“When viewed as a single transaction between the government and a software OEM, the numerous dependencies hidden within one product alone can be overwhelming. Now, add a product library to the interaction and you will end up with an unmanageable number of components and validation elements to consider. Thus, the need for a machine-readable standard was clear.”
Philip George

The cryptographic supply chain is coming: CycloneDX is ready for it

The OWASP Foundation said CBOMs can simplify the discovery, management, and reporting of cryptographic assets, laying the groundwork for migration to quantum-safe systems and applications. They can facilitate the identification of weak cryptographic algorithms, promote cryptographic agility, and ensure compliance with evolving cryptographic policies and advisories.
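To make the "identify weak algorithms and plan a quantum-safe migration" use case concrete, here is an added example (not code from OWASP or the CycloneDX project) that walks a constructed CycloneDX 1.6 CBOM fragment and reports which algorithms offer no quantum security, together with the components that depend on them. The component and algorithm values are made up for illustration; the field names follow the 1.6 schema's `cryptographic-asset` component type and `cryptoProperties` object as the author understands them.

```python
import json

# Constructed CycloneDX 1.6 CBOM fragment: one application that depends on three
# cryptographic assets. Sample data only, not taken from any real product.
CBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "components": [
    {"type": "application", "bom-ref": "app", "name": "payment-service", "version": "2.3.0"},
    {"type": "cryptographic-asset", "bom-ref": "rsa", "name": "RSA-2048",
     "cryptoProperties": {"assetType": "algorithm",
       "algorithmProperties": {"primitive": "signature", "parameterSetIdentifier": "2048",
         "cryptoFunctions": ["sign", "verify"], "classicalSecurityLevel": 112,
         "nistQuantumSecurityLevel": 0}}},
    {"type": "cryptographic-asset", "bom-ref": "aes", "name": "AES-256-GCM",
     "cryptoProperties": {"assetType": "algorithm",
       "algorithmProperties": {"primitive": "block-cipher", "parameterSetIdentifier": "256",
         "mode": "gcm", "cryptoFunctions": ["encrypt", "decrypt"],
         "nistQuantumSecurityLevel": 5}}},
    {"type": "cryptographic-asset", "bom-ref": "kem", "name": "ML-KEM-768",
     "cryptoProperties": {"assetType": "algorithm",
       "algorithmProperties": {"primitive": "kem", "parameterSetIdentifier": "768",
         "cryptoFunctions": ["encapsulate", "decapsulate"],
         "nistQuantumSecurityLevel": 3}}}
  ],
  "dependencies": [{"ref": "app", "dependsOn": ["rsa", "aes", "kem"]}]
}
'''

def quantum_exposed_algorithms(bom_json: str) -> dict:
    """Return {algorithm name: [bom-refs that depend on it]} for every algorithm
    asset whose nistQuantumSecurityLevel is 0 or unspecified (treated as 0)."""
    bom = json.loads(bom_json)
    # Invert the dependency graph so each asset knows who relies on it.
    dependents = {}
    for dep in bom.get("dependencies", []):
        for target in dep.get("dependsOn", []):
            dependents.setdefault(target, []).append(dep["ref"])
    exposed = {}
    for comp in bom.get("components", []):
        props = comp.get("cryptoProperties", {})
        if comp.get("type") != "cryptographic-asset" or props.get("assetType") != "algorithm":
            continue
        level = props.get("algorithmProperties", {}).get("nistQuantumSecurityLevel", 0)
        if level == 0:
            exposed[comp["name"]] = dependents.get(comp.get("bom-ref"), [])
    return exposed

if __name__ == "__main__":
    for name, users in quantum_exposed_algorithms(CBOM_JSON).items():
        print(f"{name}: no quantum security level; used by {users}")
```

In a real pipeline the same walk would run over the CBOM your build tooling emits, and the result feeds the migration plan rather than a print statement.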

IBM Quantum Safe CTO Michael Osborne, a CycloneDX project contributor, said in a statement that the introduction of CBOMs in CycloneDX 1.6 is a significant milestone for managing the cryptography supply chain.

“CBOM is the first open standard to describe an organization’s cryptographic assets inventory and their dependencies, giving organizations deeper visibility into the cryptography they use, enabling them to assess their quantum readiness, and to consider actionable steps toward becoming quantum-safe.”
Michael Osborne

Merlin Cyber’s George said the addition of CBOMs to CycloneDX rounds out the overarching intent of the White House’s Executive Order 14028, which emphasizes the need for stronger cybersecurity measures, collaboration, and information sharing to protect the nation from cyberthreats and sets a clear direction for improving cybersecurity practices across the government and private sectors.

“By standardizing how crypto-assets are characterized and leveraged throughout a given product supply chain, this presents risk managers with deeper insight into potentially vulnerable algorithms, keys, and libraries for both zero-trust and post-quantum cryptography migration purposes.”
—Philip George

AI and the environment: Transparency for your software supply chain

In addition to CBOMs and CDXAs, CycloneDX 1.6 includes environmental considerations, enhancing the standard’s support for AI/ML model cards, which provide standardized information about ML models. The OWASP Foundation explained that the incorporation of environmental data into CycloneDX v1.6 transforms AI development, offering transparency into energy usage and carbon emissions across all stages, from training to inference.

This integration enables informed decision making, it added, fostering sustainable technological practices. CycloneDX seamlessly integrates environmental considerations into AI development, promoting harmony between innovation and ecological preservation.

CycloneDX 1.6 and software supply chain security

Critical Start’s Jones said the new additions to CycloneDX give it a leg up on competing standards in the market.

“Features like CBOM and CDXA suggest a more comprehensive approach to security. The focus on future-proofing against quantum-computing threats and fostering environmentally conscious development could also be considered advantages.”
—Sarah Jones

And the update also marks a giant leap forward for software supply chain security, Jones said.

“Overall, CycloneDX v1.6 seems to be a significant leap forward in the SBOM space, addressing critical security concerns and promoting transparency in AI development. Its journey toward international standardization underscores its potential impact on the software industry.”
—Sarah Jones

This is a Security Bloggers Network syndicated blog from ReversingLabs Blog authored by John P. Mello Jr.