SPDX SBOM

Data Security Software Products

San Francisco, California 676 followers

Open standard for communicating software bill of material information (SBOMs)

About us

The Software Package Data Exchange (SPDX) is an open standard for communicating software bill of material information, including components, licenses, copyrights, and security references. SPDX reduces redundant work by providing a common format for companies and communities to share important data, thereby streamlining and improving compliance. The SPDX specification is an international open standard (ISO/IEC 5962:2021).

The mission of SPDX is to develop and promote open standards for communicating software bill of material information, including provenance, license, security, and other related information. SPDX is an open source project hosted by the Linux Foundation. The grass-roots effort includes representatives from a diverse set of organizations—software, systems and tool vendors, foundations and systems integrators. Work is done by three sub-groups: the tech team, the legal team, and the outreach team. There is also a monthly general call which provides an overview of progress on the entire project.

The SPDX project is composed of:
- The SPDX Specification itself
- The SPDX License List (including exceptions, matching guidelines, license IDs, and license expression syntax)
- SPDX tools and libraries for working with the SPDX documents and SPDX License List
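The description above names the four things an SPDX document carries (components, licenses, copyrights, security references) and the license expression syntax defined by the License List. As an added example, not code from the SPDX project or from this page, the Python script below performs the consistency checks a consumer would run on a received SPDX document before trusting it: it walks each license expression against a small subset of the SPDX License List, confirms every LicenseRef- is declared in the document, verifies that each relationship refers to an element the document actually defines, and collects the SECURITY external references a vulnerability scanner would match on. The embedded SPDX 2.3 JSON document, its package names, version numbers, namespace, CPE string and the license-list subset are all constructed for this example (it uses the SPDX 2.3 JSON serialization rather than the SPDX 3.0 model); the sample deliberately contains three defects so the checks have something to find.

```python
import json
import re

# Constructed SPDX 2.3 JSON document used as sample input (not a real vendor SBOM;
# names, versions, namespace and CPE string are illustrative). It deliberately
# carries three defects a consumer should catch: a misspelled license ID, an
# undeclared LicenseRef-, and a relationship to an element that does not exist.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app-sbom",
    "documentNamespace": "https://example.invalid/spdx/example-app-1.0",
    "creationInfo": {"created": "2024-01-01T00:00:00Z",
                     "creators": ["Tool: example-generator-0.1"]},
    "packages": [
        {"name": "example-app", "SPDXID": "SPDXRef-Package-app", "versionInfo": "1.0",
         "downloadLocation": "NOASSERTION", "licenseConcluded": "Apache-2.0",
         "licenseDeclared": "Apache-2.0"},
        {"name": "libfoo", "SPDXID": "SPDXRef-Package-libfoo", "versionInfo": "2.3.1",
         "downloadLocation": "NOASSERTION", "licenseDeclared": "NOASSERTION",
         "licenseConcluded": "(MIT OR GPL-2.0-only WITH Classpath-exception-2.0)"
                             " AND LicenseRef-vendor-eula",
         "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
                           "referenceLocator": "cpe:2.3:a:example:libfoo:2.3.1:*:*:*:*:*:*:*"}]},
        {"name": "libbar", "SPDXID": "SPDXRef-Package-libbar", "versionInfo": "0.9",
         "downloadLocation": "NOASSERTION", "licenseConcluded": "BSD-3-Clauze"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-app"},
        {"spdxElementId": "SPDXRef-Package-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-libfoo"},
        {"spdxElementId": "SPDXRef-Package-libfoo", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-missing"},
    ],
})

# Constructed subset of the SPDX License List, just large enough for the sample.
KNOWN_LICENSE_IDS = {"MIT", "Apache-2.0", "GPL-2.0-only", "BSD-3-Clause", "CC0-1.0"}
KNOWN_EXCEPTION_IDS = {"Classpath-exception-2.0"}
_TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.\-]+\+?")
_OPERATORS = {"AND", "OR", "WITH"}

def check_license_expression(expr, declared_refs):
    """Problems in one SPDX license expression: unbalanced parentheses, an
    unknown exception after WITH, a LicenseRef- not declared in the document,
    or an identifier missing from the license list (compared exactly)."""
    if expr in ("NOASSERTION", "NONE"):   # both are valid values, nothing to check
        return []
    problems, depth, expect_exception = [], 0, False
    for tok in _TOKEN.findall(expr):
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
            if depth < 0:
                problems.append("unbalanced ')' in %r" % expr)
        elif tok in _OPERATORS:
            expect_exception = tok == "WITH"
        elif expect_exception:
            if tok not in KNOWN_EXCEPTION_IDS:
                problems.append("unknown exception id %r" % tok)
            expect_exception = False
        elif tok.startswith("LicenseRef-"):
            if tok not in declared_refs:
                problems.append("undeclared %r" % tok)
        elif tok.rstrip("+") not in KNOWN_LICENSE_IDS:
            problems.append("unknown license id %r" % tok)
    if depth > 0:
        problems.append("unbalanced '(' in %r" % expr)
    return problems

def check_sbom(sbom_json):
    """Consumer-side consistency check of an SPDX 2.3 JSON document: license
    problems per package, relationships whose ends are not elements of this
    document, and the SECURITY external references a scanner would match on."""
    doc = json.loads(sbom_json)
    declared_refs = {e["licenseId"] for e in doc.get("hasExtractedLicensingInfos", [])}
    # NOASSERTION and NONE are legal relationship targets; DocumentRef- targets
    # that live in other documents are not resolved here.
    element_ids = {doc["SPDXID"], "NOASSERTION", "NONE"}
    element_ids.update(e["SPDXID"] for e in doc.get("packages", []) + doc.get("files", []))
    license_problems, security_refs = {}, {}
    for pkg in doc.get("packages", []):
        problems = []
        for field in ("licenseConcluded", "licenseDeclared"):
            if field in pkg:
                problems += check_license_expression(pkg[field], declared_refs)
        if problems:
            license_problems[pkg["SPDXID"]] = problems
        locators = [r["referenceLocator"] for r in pkg.get("externalRefs", [])
                    if r.get("referenceCategory") == "SECURITY"]
        if locators:
            security_refs[pkg["SPDXID"]] = locators
    dangling = [r for r in doc.get("relationships", [])
                if r["spdxElementId"] not in element_ids
                or r["relatedSpdxElement"] not in element_ids]
    return {"license_problems": license_problems,
            "dangling_relationships": dangling,
            "security_refs": security_refs}

if __name__ == "__main__":
    print(json.dumps(check_sbom(SAMPLE_SBOM), indent=2))
```

Run against the sample, the check reports the misspelled `BSD-3-Clauze`, the `LicenseRef-vendor-eula` that no `hasExtractedLicensingInfos` entry defines, and the `DEPENDS_ON` relationship to `SPDXRef-Package-missing`, while returning the CPE locator for `libfoo` as the only security reference. In a real pipeline the constructed license-list subset would be replaced by the full SPDX License List, and identifier matching would follow the list's case rules rather than the exact comparison used here.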

Website
https://spdx.dev/
Industry
Data Security Software Products
Company size
51-200 employees
Headquarters
San Francisco, California
Founded
2010

Updates

  • The SPDX community, in collaboration with the Linux Foundation, is thrilled to announce the release of SPDX 3.0. This milestone marks a significant advancement in the world's most widely used Software Bill of Materials (SBOM) communication format. SPDX 3.0 introduces a comprehensive set of updates, encompassing the model, specification, and license list, with the new addition of SPDX profiles to handle modern system use cases. Read the announcement: https://hubs.la/Q02s_TH10 #spdx #opensource #sbom
  • Join us on Oct 25, 2023, at 12:00 pm EDT for a presentation by Gary O'Neall on the importance of Software Bills of Materials (SBOMs) in managing software license compliance and security vulnerabilities. The talk will cover the standardization of SBOM formats, particularly the SPDX format, and upcoming features in SPDX 3.0 for tracking various data. This presentation will focus on using SPDX for security and license compliance and understanding its use in software production and evaluation. Don't miss the chance to learn from an expert in the field! Register now at the following link: https://lnkd.in/e5QbrrV9

    SBOMs and SPDX: Now and in the Future

    brighttalk.com

  • SPDX 3.0 introduces profiles to organize data for specific use cases, such as license compliance and supply chain security. Profiles have conformance points, workgroups, and namespaces. Conformance points define requirements for valid data, workgroups organize community efforts, and namespaces help filter relevant data. Profiles align with various types of Bills of Materials (BOMs) and reduce duplicate data for different BOM types.

    Understanding SPDX Profiles

    https://spdx.dev

  • SPDX SBOM reposted this

    Allen Yu, Cisco CS Executive / Cyber Security Architecture

    #SoftwareBillofMaterials #CiscoSBOM #CiscoSoftwareSecurityTransparency #CiscoCDR

    In May 2021 the U.S. government issued an executive order on improving the nation's critical infrastructure (EO 14028). Its aim is to improve the cybersecurity of critical infrastructure and of cybersecurity worldwide. These measures share two common themes: expanding partnerships between public and private organizations, and the need for greater security transparency and information sharing.

    U.S. Executive Order 14028 and security transparency (Transparency and Executive Order 14028)

    Because software transparency is lacking, trust in technology and in its use is being eroded. Recent cyberattacks have highlighted the complexity of the software supply chain and the need for visibility into the acceptable risk of using software, which calls for more information-security transparency. A Software Bill of Materials (SBOM) is a readable data list that describes a piece of software's security and components, and helps provide transparency into software security. Executive Order 14028 sets out explicit directives and measures for the Software Bill of Materials (SBOM). The National Telecommunications and Information Administration's (NTIA) RFC on SBOM Elements and Considerations gives a detailed overview and status of SBOM elements and considerations.

    Today, to achieve greater transparency in software security, delivering SBOMs to government agencies and enterprises needs to consider the following directions:
    - Technology suppliers and customers agree on how much information and what content should be disclosed under SBOM requirements, and record those requirements in their contracts.
    - Machine-readable SBOM production, sharing and consumption, based on international industry standards.
    - Technology suppliers should use automated tooling to achieve software security transparency across the entire software development lifecycle and the complete software value chain.
    - Technology suppliers and customers should share a common understanding and adopt standards and technologies that ensure SBOMs are used.

    The current state of the Software Bill of Materials (SBOM) in international industry
    - Machine-readable SBOM data formats: SPDX version 2.2 has been recognized by ISO as the international standard ISO/IEC 5962:2021, and CycloneDX has been adopted by OWASP
    - The IETF is drafting a standard for Discovering and Retrieving Software Transparency and Vulnerability Information
    - The U.S. National Telecommunications and Information Administration's (NTIA) multistakeholder group has published a large body of work to raise SBOM awareness and adoption.

    Cisco has announced an entirely new capability in the software industry: the distribution of SPDX-formatted Software Bills of Materials (SBOMs). The Cisco SBOM is a key step toward providing visibility and improving the resilience of software security and of the upstream and downstream supply chain. Cisco's commitment to software security transparency (https://lnkd.in/gpp8hagA) is delivered to the public sector and customers in a standardized, machine-readable format. Given the complexity shared by the whole software industry, this is an important moment for Cisco software security as we move toward risk-reducing software security transparency.

    The idea of a Software Bill of Materials (SBOM) appears simple: it is a machine-readable data format in which developers describe the raw data of a software artifact's composition. An SBOM records the third-party software components contained in downloadable software. Cisco customers download and use software in many ways, including client applications running on end-user devices (for example Cisco Secure Client with AnyConnect), applications running on hardware appliances and Cisco device operating systems (for example Identity Services Engine - ISE), virtualized applications running in customer data centers or public cloud environments (for example Intersight), and the operating systems that run routers, switches and firewalls (for example IOS XE, IOS XR, Nexus OS, FTD). What is new about the SBOM is that it standardizes how raw data about software components is recorded; sharing SBOMs across organizations lets customers understand their software suppliers' upstream dependencies. Publishing SBOMs to customers and partners underscores Cisco's commitment to software transparency, which both improves software supply chain resilience and reduces software security risk.

    Recording a Software Bill of Materials (SBOM) is a complex problem facing the whole software industry, so in light of international trends, software security and our commitment to customers using secure software, we have taken the lead in publishing our SBOMs. We hope to carry the technical responsibility of building on what came before in software security, and offer the following help and advice to public and private organizations intending to adopt a Software Bill of Materials (SBOM) in the future:
    1. A solid foundation of secure software development: for more than a decade an internal ecosystem of tools and processes has managed Cisco's third-party software. At Cisco, SBOM requirements are part of the Cisco Secure Development Lifecycle policy. Start by defining an internal policy for third-party software risk management and compliance.
    2. A standardized approach to software development: Cisco supports the development of SBOM-related standards, including SPDX, CSAF and OmniBOR. We improve the internal tooling that supports these external standards and set internal standards to ensure the quality and consistency of the SBOMs we publish. Start by defining the process that will be used across the whole organization; at Cisco we call this the SBOM workflow.
    3. Centralized software management and services: Cisco's new investment in software enables capabilities to be developed centrally, so any engineering team can use them to reduce duplication of SBOM tools and services and speed up SBOM adoption. Start by identifying, managing and publishing the different types of software, and establishing the requirements for centralized management and services that support all software release types.
    4. A unified commitment to software security: the collaboration of multiple Cisco engineering organizations to launch SBOMs underscores our dedication to meeting customer needs. Start by getting the support of the company's senior leadership; at Cisco we regularly brief engineering and security executives and organizations on the latest developments.

    Although Cisco's external publication of a Software Bill of Materials (SBOM) is an important step forward, many industries are still at an early stage of SBOM development, and at Cisco we will keep looking for areas that need improvement. SBOMs must be a necessity of the software security process, and we will continue to develop in the following directions:
    1. Improve SBOM accuracy and completeness: SBOM tooling will take time to become stable and scalable and to minimize human intervention across programming languages, version control systems, compilers, CI/CD and automation tools.
    2. Cisco will continue to take part in international technical standards bodies and the SBOM community, and in technical testing, document testing and validation activities, to learn, improve and understand customer needs.
    3. We hope to collaborate with other companies in the SBOM ecosystem.
    https://lnkd.in/giXVbK_x

    Transparency - The Trust Center

    cisco.com

  • Cisco is proud to announce the general availability of an entirely new capability in the software industry and a first for Cisco: the distribution of SPDX-formatted Software Bill of Materials (SBOMs). SBOMs are a crucial step forward in providing visibility and ultimately, greater resilience across the entire software supply chain. As of June 2023, most customers and partners can request an SBOM for any supported on-premise Cisco software released after September 2021. By Jeff S. https://lnkd.in/g_axHJng

    Demonstrating Transparency through Software Bill of Materials (SBOM)

    blogs.cisco.com
