


Similar articles

Article ID  Source        Date        Title                                                                                  Prob / Score
215679      VENTUREBEAT   2021-9-9    SPDX is now official data standard for software bill of materials                      1.000
215680      TECHREPUBLIC  2021-9-9    SPDX becomes internationally recognized standard                                       0.981 / 0.642
215657      VENTUREBEAT   2021-9-9    Open source security scanning platform Snyk raises $300M                               0.412
215418      VENTUREBEAT   2021-9-6    Open source can boost EU economy and digital autonomy, study finds                     0.397
215739      ZDNET         2021-9-8    The Open Source Initiative names Stefano Maffulli as its first Executive Director      0.380
215500      ZDNET         2021-9-8    Open source matters, and it's about more than just free software                      0.374
215633      ZDNET         2021-9-10   HAProxy urges users to update after HTTP request smuggling vulnerability found         0.344
215860      VENTUREBEAT   2021-9-13   JFrog acquires Upswift to bring IoT software updates to DevOps                        0.339
215594      ZDNET         2021-9-7    Linux boosts Microsoft NTFS support as Linus Torvalds complains about GitHub merges   0.334
215356      VENTUREBEAT   2021-9-8    Google taps T-Systems to offer a ‘sovereign cloud’ for German organizations           0.332
215459      VENTUREBEAT   2021-9-8    Red Hat to help bring climate impact data to global finance industry                  0.316
215741      ZDNET         2021-9-8    Best cross-platform data migration tool 2021                                           0.313
215855      VENTUREBEAT   2021-9-13   CyberSaint Recognized in Three Gartner® Hype Cycle™ Reports                            0.312
215654      VENTUREBEAT   2021-9-8    How organizations can improve security operations                                      0.308
215379      ZDNET         2021-9-6    Zero trust and cybersecurity: Here's what it means and why it matters                 0.306
216056      TECHREPUBLIC  2021-9-13   Protect your endpoints with top EDR software                                           0.304
215857      VENTUREBEAT   2021-9-13   LevaData Raises $47M in Series C Funding                                               0.304
215865      VENTUREBEAT   2021-9-13   Tenable acquires infrastructure-monitoring startup Accurics                            0.297
215460      ZDNET         2021-9-8    Microsoft moves its U.S. Federal team under the Azure engineering organization         0.293
215973      VENTUREBEAT   2021-9-10   3 brilliant roles to apply for this weekend                                            0.292
215368      VENTUREBEAT   2021-9-8    Microsoft joins OpenInfra Foundation to support open source infrastructure             0.291
215523      ZDNET         2021-9-7    Microsoft joins Open Infrastructure Foundation                                         0.288
215745      ZDNET         2021-9-8    Atlassian CISO defends company's Confluence vulnerability response, urges patching     0.287
215724      ZDNET         2021-9-9    AWS, Microsoft participated in Databricks' $1.6 billion round of funding              0.287
216090      ZDNET         2021-9-13   Brazil debates creation of national strategy to tackle cybercrime                      0.284


ID: 215679

URL: https://venturebeat.com/2021/09/09/spdx-is-now-official-data-standard-for-software-bill-of-materials/

Date: 2021-09-09

SPDX is now official data standard for software bill of materials

The Software Package Data Exchange (SPDX), a file format and open standard used for more than a decade to document all the components in a piece of software, is now an internationally recognized standard for software bill of materials (SBOM).

The announcement comes at a notable time in the software security sphere. With countless organizations, including government agencies, hospitals, and mega corporations, reeling from targeted software supply chain attacks such as the attack on SolarWinds, U.S. President Biden in May issued an executive order outlining key steps to improving the nation's cybersecurity. Securing open source software used within federal information systems was a part of this order, including:

"… maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis."

Transparency is the name of the game here. And to achieve this end, the order specified that all ICT companies working with federal government agencies should provide an SBOM for each item used in the software stack. This essentially means a full list of proprietary and open source libraries, modules, and APIs. It also entails outlining the relationship across all components and dependencies. With this inventory in place, it becomes easier to track and trace components used across the software supply chain and identify inherent vulnerabilities.

Under the auspices of the Linux Foundation, SPDX had already emerged as a de facto SBOM for countless companies, including Microsoft, Intel, Siemens, Sony, Synopsys, VMware, and WindRiver. But it has now been rubber-stamped by the International Organization for Standardization (ISO), the global organization that develops technical, industrial, and commercial standards. This means SPDX is now an official open standard data format for conveying all the software metadata information throughout the supply chain. It also fits into the broader governmental push toward SBOMs — Biden's executive order specifically name-checked three existing data standards that would fit the bill: CycloneDX, SWID tags, and SPDX.

Gaining the ISO seal of approval makes it easier for governments and other organizations to choose SPDX, as ISO compliance is often a prerequisite.

"Being an ISO standard means it can be mandated by any organization — commercial, government, etc. — around the world in contracts or regulations, which allows for so much more consistency and ease in supply chain security," Kate Stewart, the Linux Foundation's vice president of dependable embedded systems, told VentureBeat.

It will also be easier for multinationals to adopt SPDX for procurement, security, and legal applications. And the fact that companies such as Microsoft — which already works with government agencies in the U.S. and beyond — are already on board with the SPDX standard puts them in a strong position moving forward.

"SPDX SBOMs make it easy to produce U.S. Presidential Executive Order-compliant SBOMs, and the direction that SPDX is taking with the design of their next-gen schema will help further improve the security of the software supply chain," Adrian Diglio, Microsoft's principal program manager of software supply chain security, noted in a press release.