OWASP looks to future-proof SBOMs with CycloneDX 1.6

OWASP is upgrading the SBOM standard for the quantum era, adding machine-readable attestation and more. Here's how it boosts software supply chain security.

John P. Mello Jr.

John P. Mello Jr., Freelance technology writer.

The OWASP Foundation has released a new version of its CycloneDX standard for software bills of materials (SBOMs) that includes a cryptographic bill of materials (CBOM), a machine-readable approach to managing SBOMs with CycloneDX Attestations (CDXAs), and data to assess the environmental impact of AI development.

The OWASP Foundation explained in a statement that CycloneDX v1.6 builds upon the strengths of the CycloneDX standard, which provides a machine-readable format for bills of materials for software, hardware (HBOMs), services (SaaSBOMs), and AI/ML models (AI/ML-BOMs).

Sarah Jones, a cyberthreat intelligence research analyst at Critical Start, said that CycloneDX v1.6 introduces two key features that boost software supply chain security. The first is machine-readable attestation, which is essential today. "CycloneDX Attestations tackle the challenge of complex compliance demonstrations by providing a machine-readable format for security standards and evidence. This streamlines communication and automates reporting, leading to faster detection and remediation of security vulnerabilities," she said.

And with an eye on the future, the foundation also added quantum-security protection. "The Cryptographic Bill of Materials helps organizations manage their cryptographic assets, allowing them to identify weaknesses and plan for a future where quantum computers can break current encryption methods," Jones said. 

Here's a full rundown on the updates to the CycloneDX 1.6 standard for software bills of materials (SBOMs) — and what they mean for securing your software supply chain.


'Compliance as code' takes a step forward with CDXA

CycloneDX Attestations (CDXA) is designed to allow organizations to communicate standards, claims, and evidence in support of requirements, along with attestations to the veracity and completeness of those claims. “Modern software is tremendously complex, and ensuring compliance with the dizzying array of standards is overwhelming,” Contrast Security CTO and OWASP Global Chair Jeff Williams said in a statement.

“CycloneDX Attestations makes 'compliance as code' possible with machine-readable security standards and compliance documentation, instead of endless PDFs, spreadsheets, and paper evidence. With CDXA, you can automate production of compliance evidence, streamline communication between all compliance stakeholders, facilitate discussions about substantive security issues, handle exceptions, and manage signatures."
Jeff Williams

Williams said the hope with CDXA is that it marks the beginning of "a new era where compliance and security are not entirely different things."

Merlin Cyber's Philip George stressed that CDXA is essential for modernizing SBOM creation and maintenance, transitioning what was a very labor-intensive manual process into a scalable, repeatable automated one.

"When viewed as a single transaction between the government and a software OEM, the numerous dependencies hidden within one product alone can be overwhelming. Now, add a product library to the interaction and you will end up with an unmanageable number of components and validation elements to consider. Thus, the need for a machine-readable standard was clear and as such CDXA was established."
Philip George

The cryptographic supply chain is coming: CycloneDX is ready

The OWASP Foundation said CBOMs can simplify the discovery, management, and reporting of cryptographic assets, laying the groundwork for migration to quantum-safe systems and applications. They can facilitate the identification of weak cryptographic algorithms, promote cryptographic agility, and ensure compliance with evolving cryptographic policies and advisories.
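The paragraph above describes what a CBOM is for: an inventory of cryptographic assets and their dependencies that lets an organization spot weak algorithms and plan a post-quantum migration. The script below is an added example, not code from OWASP or the CycloneDX project, showing what such a check looks like over a CycloneDX 1.6 CBOM. The field names it reads (component type `cryptographic-asset`, `cryptoProperties.assetType`, and `algorithmProperties.primitive`, `parameterSetIdentifier` and `nistQuantumSecurityLevel`) follow my reading of the 1.6 JSON schema and should be confirmed against the published schema; the BOM document, the `pkg:pypi/example-lib@1.0` package and all bom-refs are constructed for the example.

```python
"""Flag quantum-vulnerable algorithms in a CycloneDX 1.6 CBOM.

Added example, not code from OWASP or the CycloneDX project. Field names
follow my reading of the 1.6 schema (assumption); the BOM is constructed.
"""
import json

# Constructed sample CBOM: an RSA signature algorithm, an AES cipher, an
# ML-KEM key-encapsulation mechanism, a hash with no quantum level recorded,
# and a hypothetical library that depends on two of the algorithms.
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [
        {"type": "cryptographic-asset", "bom-ref": "crypto/algorithm/rsa-2048",
         "name": "RSA-2048",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "signature",
                                                      "parameterSetIdentifier": "2048",
                                                      "nistQuantumSecurityLevel": 0}}},
        {"type": "cryptographic-asset", "bom-ref": "crypto/algorithm/aes-128-gcm",
         "name": "AES-128-GCM",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "ae",
                                                      "parameterSetIdentifier": "128",
                                                      "nistQuantumSecurityLevel": 1}}},
        {"type": "cryptographic-asset", "bom-ref": "crypto/algorithm/ml-kem-768",
         "name": "ML-KEM-768",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "kem",
                                                      "parameterSetIdentifier": "768",
                                                      "nistQuantumSecurityLevel": 3}}},
        {"type": "cryptographic-asset", "bom-ref": "crypto/algorithm/sha-256",
         "name": "SHA-256",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "hash",
                                                      "parameterSetIdentifier": "256"}}},
        # Hypothetical package; the purl is constructed for the example.
        {"type": "library", "bom-ref": "pkg:pypi/example-lib@1.0", "name": "example-lib"},
    ],
    "dependencies": [
        {"ref": "pkg:pypi/example-lib@1.0",
         "dependsOn": ["crypto/algorithm/rsa-2048", "crypto/algorithm/aes-128-gcm"]},
    ],
})

# Public-key primitives whose security rests on factoring or discrete logs;
# a cryptographically relevant quantum computer (Shor) breaks these outright.
SHOR_VULNERABLE_PRIMITIVES = {"pke", "signature", "key-agree"}


def crypto_assets(bom):
    """Return the cryptographic-asset components of a parsed BOM."""
    return [c for c in bom.get("components", [])
            if c.get("type") == "cryptographic-asset"]


def classify(component):
    """Classify one algorithm asset for post-quantum migration planning."""
    props = component.get("cryptoProperties", {})
    if props.get("assetType") != "algorithm":
        return "not-an-algorithm"
    algo = props.get("algorithmProperties", {})
    level = algo.get("nistQuantumSecurityLevel")
    primitive = algo.get("primitive")
    if level is None:
        return "unknown"            # inventory gap: needs manual review
    if level == 0 and primitive in SHOR_VULNERABLE_PRIMITIVES:
        return "quantum-vulnerable"  # replace or hybridize before migration deadline
    if level == 0:
        return "weak"               # e.g. undersized symmetric key or hash
    return "ok"


def dependents_of(bom, ref):
    """bom-refs of components that declare a dependency on `ref`."""
    return sorted(d["ref"] for d in bom.get("dependencies", [])
                  if ref in d.get("dependsOn", []))


def report(bom_json):
    """Parse a CBOM document and return one finding per cryptographic asset."""
    bom = json.loads(bom_json)
    return [{"ref": c.get("bom-ref"), "name": c.get("name"),
             "verdict": classify(c),
             "used_by": dependents_of(bom, c.get("bom-ref"))}
            for c in crypto_assets(bom)]


if __name__ == "__main__":
    for f in report(SAMPLE_CBOM):
        print(f"{f['verdict']:<19} {f['name']:<12} used by {f['used_by'] or '-'}")
```

The `used_by` list is what turns a finding into a migration plan: the dependency graph tells you which products or libraries actually carry the vulnerable algorithm, and the `unknown` verdict surfaces assets whose inventory entry is too thin to assess, which is itself a CBOM quality finding worth tracking.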

IBM Quantum Safe CTO Michael Osborne, who is a project contributor, said in a statement that the introduction of CBOM in CycloneDX 1.6 is a significant milestone for managing the cryptography supply chain.

“CBOM is the first open standard to describe an organization’s cryptographic assets inventory, and their dependencies, giving organizations deeper visibility into the cryptography they use, enabling them to assess their quantum readiness, and to consider actionable steps towards becoming quantum safe.”
Michael Osborne

Philip George, executive technical strategist at Merlin Cyber, said the addition of the CBOM to CycloneDX rounds out the overarching intent of the White House's Executive Order 14028, which emphasizes the need for stronger cybersecurity measures, collaboration, and information sharing to protect the nation from cyber threats, and sets a clear direction for improving cybersecurity practices across the government and private sectors.

"By standardizing how crypto-assets are characterized and leveraged throughout a given product supply chain, this presents risk managers with deeper insight into potentially vulnerable algorithms, keys, and libraries for both zero trust and post-quantum cryptography migration purposes."
Philip George

AI and the environment: Transparency for your software supply chain

In addition to the CBOM and CDXA, CycloneDX 1.6 adds environmental considerations, extending the standard's existing support for AI/ML model cards, which provide standardized information about machine learning models. The OWASP Foundation explained that incorporating environmental data into CycloneDX v1.6 transforms AI development by offering transparency into energy usage and carbon emissions across all stages, from training to inference.

This integration enables informed decision-making, fostering sustainable technological practices, it added. CycloneDX seamlessly integrates environmental considerations into AI development, promoting harmony between innovation and ecological preservation.

CycloneDX 1.6 and software supply chain security

Critical Start's Jones said the new additions to CycloneDX give it a leg up on competing standards in the market.

"Features like CBOM and CDXA suggest a more comprehensive approach to security. The focus on future-proofing against quantum computing threats and fostering environmentally conscious development could also be considered advantages."
Sarah Jones

And the update also marks a giant leap forward for software supply chain security, Jones said.

"Overall, CycloneDX v1.6 seems to be a significant leap forward in the SBOM space, addressing critical security concerns and promoting transparency in AI development. Its journey towards international standardization underscores its potential impact on the software industry."
Sarah Jones