We’re thrilled to announce the release of CycloneDX v1.7, bringing enhanced transparency, trust and governance to software supply chains everywhere. With this release, the community takes a big leap forward in three key areas:

- Cryptographic Assurance (CBOM) — v1.7 introduces a standardized list of cryptographic algorithm families and a full list of elliptic curves, giving teams the visibility needed for audits, compliance and PQC (post-quantum readiness).
- Data Provenance & Citations — Now you can formally trace where BOM data came from, who enriched it, and how it was transformed. This means better auditability and clearer chain of custody.
- Intellectual Property Transparency — For the first time, BOMs can express not only “what” components are in use, but also “which” patents and patent families apply, bridging legal, business, and technical considerations.

What this means for you:
- Greater insight and control over your software supply chain risks
- Better alignment of BOMs with legal/regulatory requirements
- A stronger foundation for the future — v1.7 sets the stage for v2.0 and the next wave of API-first transparency

Alongside the release, we’re publishing three new guides:
- Authoritative Guide to SBOM, 3rd Edition
- Authoritative Guide to CBOM, 2nd Edition
- Authoritative Guide to MBOM, 1st Edition

A huge thank you to all our working groups, our contributors, and the community for making this milestone possible.

Full press release here: https://lnkd.in/guvcXMSk

#OWASP #SBOM #CBOM #MBOM #SoftwareSupplyChain #SoftwareTransparency #Ecma #TC54
OWASP CycloneDX SBOM/xBOM Standard
IT Services and IT Consulting
International bill of material standard for the software supply chain supporting SBOM, SaaSBOM, CBOM, VDR/VEX, and more.
About us
OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. The specification supports:
- Software Bill of Materials (SBOM)
- Software-as-a-Service Bill of Materials (SaaSBOM)
- Hardware Bill of Materials (HBOM)
- Machine Learning Bill of Materials (ML-BOM)
- Cryptography Bill of Materials (CBOM)
- Manufacturing Bill of Materials (MBOM)
- Operations Bill of Materials (OBOM)
- Vulnerability Disclosure Reports (VDR)
- Vulnerability Exploitability eXchange (VEX)
- CycloneDX Attestations (CDXA)

Strategic direction of the specification is managed by the CycloneDX Core Working Group. CycloneDX is backed by the OWASP Foundation, the global information security community, and Ecma International Technical Committee 54 (Software & System Transparency). CycloneDX is an international standard ratified by Ecma International as ECMA-424.
- Website: https://cyclonedx.org/
- Industry: IT Services and IT Consulting
- Company size: 11-50 employees
- Type: Nonprofit
- Founded: 2017
- Specialties: SBOM, Software Supply Chain, Software Transparency, Open Source, OWASP, SaaSBOM, VEX, Vulnerability Exploitability Exchange, CBOM, International Standard, Cryptography, Ecma, Service Transparency, Vulnerability Disclosure Report, VDR, and TC54
Products
CycloneDX SBOM Standard
Software Asset Management (SAM) Tools
OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. The specification lets organizations easily achieve the widest range of use cases including:
* Inventory
* Known vulnerabilities
* Integrity verification
* Authenticity
* Software package evaluation
* Open source and commercial license compliance
* Component assembly
* Dependency graph
* Provenance
* Pedigree
* Service definition
* Packaging and distribution
* Composition completeness (known unknowns)
* Vulnerability remediation
* Vulnerability disclosure
* Security advisories
* External references

CycloneDX is an international standard ratified by Ecma International as ECMA-424.
Employees at OWASP CycloneDX SBOM/xBOM Standard
- Steve Springett: Software Supply Chain, Security Leader, Community Builder, Chair of CycloneDX SBOM Standard, Chair Ecma TC54, OWASP Global Board of Directors
- Kayla Heard-Rising: Senior User Experience Designer at Echodyne / Volunteer Contributor to OWASP CycloneDX SBOM Standard
- Aryan Rajoria: Open Source Developer | Security Engineering | Deep Learning
Updates
OWASP CycloneDX SBOM/xBOM Standard reposted this
I’m excited to announce my candidacy for re-election to the OWASP Global Board of Directors. Voting opens October 15.

Over the past term, I’ve focused on strengthening OWASP’s sustainability and influence, from revenue diversification and standards collaboration to expanding our global reach and impact. Looking ahead, I remain committed to ensuring OWASP continues to evolve as a trusted, transparent, and innovative organization.

As voting opens, I want to challenge our community to really get to know the candidates. Historically, OWASP elections have sometimes felt like popularity contests, and this year there are indeed many well-known names on the ballot. But I encourage everyone to read through the candidate profiles. You may discover exceptional contributors who are less visible yet have achieved remarkable things and can bring fresh perspectives and ideas to the Foundation.

As Vice-Chair of the Board, I’m not in a position to publicly endorse any individual candidate, but I deeply value every person stepping forward to serve and help shape OWASP’s future.

You can read more about my background and platform here: https://lnkd.in/gmtDZdUn. Thank you for your continued trust and support. Together, we can continue building a stronger, more sustainable OWASP.
OWASP CycloneDX SBOM/xBOM Standard reposted this
FreeCAD 3D preview natively supported in our parts library

As part of our newly developed PLM/PDM, one of the most important modules is the parts library, which allows engineers to quickly build assemblies from standardized components. Using standardized components over custom ones lowers the cost of assemblies in general and improves their availability and repairability. Also, by providing a ready-to-go library of components, the time to get to the first prototype is shortened, which allows for faster development cycles.

What is special here: the parts library gives a live 3D preview of the native FreeCAD files attached to it.

We are implementing the OWASP CycloneDX SBOM/xBOM Standard "HBOM" in the assembly module to stay on the cutting edge of development and make exporting BOMs to other systems more straightforward.

As part of her open-source software development internship at ALSADO Inh. Aleksander Sadowski, Nandana G Krishnan is helping us to move this project forward and making an important contribution to open-source software in manufacturing.

Let's bring back manufacturing in the European Union, especially Germany!
OWASP CycloneDX SBOM/xBOM Standard reposted this
Open source maintainer Jan Kowalleck first got involved with OWASP CycloneDX SBOM/xBOM Standard by fixing a single bug. That small step sparked a journey that would see him become project co-lead, mentor new contributors, and help shape an international standard for software transparency.

We’re thrilled to share another interview in our in-depth series featuring the inaugural cohort of the #SovereignTechFellowship. In this conversation, Jan talks about balancing maintenance and community building, why Software Bills of Materials (SBOMs) are critical to software security, and what it takes to guide a fast-growing open source project.

➡️ https://lnkd.in/eb49dW3P #MaintainerSpotlight
OWASP CycloneDX SBOM/xBOM Standard reposted this
We're postponing this month's community meeting by a week. The new date is thus Wednesday, September 10th. The time slot remains at the usual 4PM UTC. If you haven't already, this is a great opportunity to rewatch last month's meeting, with the fantastic presentation by Florian Schmidt about "Integrating OpenSSF Scorecard and Other Health Metadata": https://lnkd.in/dGskvpzq
Dependency Track Community Meeting (2025-08-06) (YouTube)
SecObserve (https://lnkd.in/gkw97Wu9) now has even better support for CycloneDX and can import and export CycloneDX VEX (Vulnerability Exploitability eXchange) documents with the new release 1.37.0. Thanks a lot to Lukas Krug for starting the initiative and for your crucial parts of the implementation.

SecObserve is an open source vulnerability and license management system for software development teams and cloud environments. It supports a variety of open source vulnerability scanners and can be easily integrated into CI/CD pipelines. It gathers results about security flaws from various vulnerability scanning tools and provides transparency on the resulting attack vectors.

#CycloneDX #MaibornWolff #cybersecurity #devsecops
OWASP CycloneDX SBOM/xBOM Standard reposted this
In this #CRAMondays session, we’ll hear directly from leaders shaping software transparency standards:

🎙 Steve Springett | Olle E Johansson | Philippe Ombredanne

Find out how Ecma and OWASP are creating practical solutions for secure, transparent supply chains.

🗓 Join us: https://hubs.la/Q03CKq2t0
OWASP CycloneDX SBOM/xBOM Standard reposted this
"AI Asset inventory is a dumpster fire right now." 👆 a security leader's comment. Here's how I cope:

1. Check the "source of truth" (usually there is >1). This includes things like:
-> Configuration Management Databases (CMDBs)
-> Contract management systems
-> Automated scanning tools
-> ISO 27001 asset lists
-> IT spreadsheets

2. Enrich the data from other sources like:
-> Product requirement documents
-> Marketing blog posts (!)
-> SOC 2 attestations
-> PowerPoint decks
-> Jira

The difference between what you get from steps 1 and 2 is often quite large.

3. Interview key personnel. This is where the "magic" happens:
-> Executives discuss projects no one else knows about
-> Data scientists talk about their personal model repo
-> Sales teams reveal their go-to shadow AI tools

Now we have something much closer to ground truth, and can consolidate it all in the same OWASP CycloneDX SBOM/xBOM Standard-compliant format. This gives StackAware a starting point to do:
-> Model
-> System
-> Impact
-> Risk
assessments for our clients, and minimizes the risk of missing something.

How do you approach asset inventory?