OWASP Foundation intends to standardize an essential supply chain standard, OWASP CycloneDX
The OWASP Foundation, the global non-profit organization dedicated to improving the security of software, is thrilled to announce its membership application in Ecma International, a leading standards development organization. The affiliation and activities aim to promote software transparency, foster innovation, and pave the way for OWASP flagship projects to become international standards, benefiting the entire software development community.
OWASP’s future participation in Ecma will ensure that software security and transparency remain at the forefront of modern development practices. Ecma, renowned for its role in establishing widely adopted standards, brings decades of expertise in shaping the future of technology.
“It is vital that we understand the risks inherent in our software supply chain and SBOMs are a critical tool towards achieving this. Standardization of SBOMs is key to making them ubiquitous and CycloneDX is the clear choice to build that standard on.” said Grant Ongers, Chair of the OWASP Foundation Global Board, “OWASP is very pleased to be collaborating with Ecma International to achieve that goal.”
OWASP CycloneDX, an open standard for software bill of materials (SBOM), plays a crucial role in enhancing the transparency of software components. This engagement will enable OWASP CycloneDX to reach a broader audience, drive industry-wide adoption, and aligns to the overall mission of delivering specifications supporting holistic software and system transparency.
“We are delighted to welcome OWASP as a member of Ecma and look forward to new activities, and I am confident with their insights and experience our initiatives will reach new heights,” said Samina Husain, Secretary General of Ecma International. “We understand that the strength of open-source software lies in collaboration and community-driven efforts and together we are committed to advancing CycloneDX specification, open-source security software and industry standards.”
A technical committee within Ecma (TC54) is being established and chartered with advancing CycloneDX and complimentary specifications that promote software and system transparency. Among the specifications also being considered by TC54 is Package URL (PURL), a decentralized identification system for open source and commercial software, and supported by CycloneDX since its inception.
“PURL standardizes software identification to make software license compliance easier and improve cybersecurity with the interoperability of SCA and SBOM tools,” said Philippe Ombredanne, CTO of nexB and core maintainer of PURL, ScanCode, and other AboutCode projects. “Developed by the open source community, PURL identifies software packages across programming languages, package managers, packaging conventions, tools, APIs, and databases, and is in active use by Fortune 500s and startups alike.”
The OWASP Foundation and members of Ecma International are committed to working together to create a safer and more secure software ecosystem, by developing and standardizing the OWASP CycloneDX format and encouraging its adoption by developers and organizations worldwide, so they can benefit from the advantages of software transparency and standardized practices.