


Similar articles

Article Id | Source | Date | Title | Prob | Score
215680 | TECHREPUBLIC | 2021-9-9 | SPDX becomes internationally recognized standard | | 1.000
215679 | VENTUREBEAT | 2021-9-9 | SPDX is now official data standard for software bill of materials | 0.981 | 0.642
215739 | ZDNET | 2021-9-8 | The Open Source Initiative names Stefano Maffulli as its first Executive Director | 0.004 | 0.480
215418 | VENTUREBEAT | 2021-9-6 | Open source can boost EU economy and digital autonomy, study finds | | 0.424
215657 | VENTUREBEAT | 2021-9-9 | Open source security scanning platform Snyk raises $300M | 0.003 | 0.407
215500 | ZDNET | 2021-9-8 | Open source matters, and it's about more than just free software | 0.002 | 0.394
215973 | VENTUREBEAT | 2021-9-10 | 3 brilliant roles to apply for this weekend | | 0.368
215594 | ZDNET | 2021-9-7 | Linux boosts Microsoft NTFS support as Linus Torvalds complains about GitHub merges | | 0.364
215857 | VENTUREBEAT | 2021-9-13 | LevaData Raises $47M in Series C Funding | | 0.359
215633 | ZDNET | 2021-9-10 | HAProxy urges users to update after HTTP request smuggling vulnerability found | | 0.359
215654 | VENTUREBEAT | 2021-9-8 | How organizations can improve security operations | | 0.342
215496 | ZDNET | 2021-9-8 | Operation Chimaera: TeamTNT hacking group strikes thousands of victims worldwide | | 0.338
215865 | VENTUREBEAT | 2021-9-13 | Tenable acquires infrastructure-monitoring startup Accurics | | 0.336
215523 | ZDNET | 2021-9-7 | Microsoft joins Open Infrastructure Foundation | | 0.333
215368 | VENTUREBEAT | 2021-9-8 | Microsoft joins OpenInfra Foundation to support open source infrastructure | | 0.330
215855 | VENTUREBEAT | 2021-9-13 | CyberSaint Recognized in Three Gartner® Hype Cycle™ Reports | | 0.319
215860 | VENTUREBEAT | 2021-9-13 | JFrog acquires Upswift to bring IoT software updates to DevOps | | 0.311
215806 | ZDNET | 2021-9-9 | CentOS clone Rocky Linux gets technical support | | 0.306
216056 | TECHREPUBLIC | 2021-9-13 | Protect your endpoints with top EDR software | | 0.290
215741 | ZDNET | 2021-9-8 | Best cross-platform data migration tool 2021 | | 0.289
215637 | VENTUREBEAT | 2021-9-9 | The CapStreet Group Announces Investment in WIN-911 | | 0.286
215743 | ZDNET | 2021-9-8 | Best computer science certification 2021 | | 0.286
215537 | TECHREPUBLIC | 2021-9-7 | Linux 101: What are environment variables? | | 0.286
215459 | VENTUREBEAT | 2021-9-8 | Red Hat to help bring climate impact data to global finance industry | | 0.285
215745 | ZDNET | 2021-9-8 | Atlassian CISO defends company's Confluence vulnerability response, urges patching | | 0.282


ID: 215680

URL: https://www.techrepublic.com/article/spdx-becomes-internationally-recognized-standard/

Date: 2021-09-09

SPDX becomes internationally recognized standard

The Linux Foundation announced Thursday that the Software Package Data Exchange (SPDX) specification has been published as ISO/IEC 5962:2021 and recognized as the open standard for security, license compliance and other software supply chain artifacts. Software bills of materials (SBOMs) are used to communicate information in policies or tools to ensure compliant, secure development across global software supply chains.

"SPDX plays an important role in building more trust and transparency in how software is created, distributed and consumed throughout supply chains," said Jim Zemlin, executive director of the Linux Foundation, in a press release. "The transition from a de-facto industry standard to a formal ISO/IEC JTC 1 standard positions SPDX for dramatically increased adoption in the global arena. SPDX is now perfectly positioned to support international requirements for software security and integrity across the supply chain." ISO/IEC JTC 1 is an independent, non-governmental international organization based in Geneva, Switzerland.

Because most applications today are assembled using open source software, an SBOM accounts for the software components contained in an application and details their provenance, license and security attributes. This accounting helps organizations track and trace components across the software supply chain so they can identify issues and risks and establish starting points for remediation if necessary. The transparency provided by an SBOM is particularly helpful in thwarting cyberattacks, said Kate Stewart, vice president of Dependable Embedded Systems at the Linux Foundation. "An SBOM makes it easier to summarize the software that is actually running on a system," she said. "Improving the transparency of the software running on a system enables automatic detection if there is a vulnerability and cross references to vulnerability databases on an as-needed basis."
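As a worked illustration of the SBOM mechanics described above (a component inventory carrying provenance, license and security attributes, cross-referenced against vulnerability data), here is an added Python example. It is not part of the article and not an SPDX project tool. It parses a small SPDX 2.2 JSON document constructed for the example, checks each package's concluded license against an allow-list, and matches each package's purl against a constructed advisory feed with version ranges. The SPDX field names (spdxVersion, packages, versionInfo, licenseConcluded, externalRefs, referenceType "purl", NOASSERTION) follow the SPDX 2.x JSON schema; the package names, versions, purls, advisory ids and license policy are all invented.

```python
import json
from typing import Optional, Tuple

# Constructed SPDX 2.2 JSON document (not from the article). The SPDX
# field names follow the SPDX 2.x JSON schema; the package names,
# versions and purls are invented for this example.
SBOM_JSON = """
{
  "spdxVersion": "SPDX-2.2",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-app-sbom",
  "packages": [
    {"SPDXID": "SPDXRef-Package-app", "name": "example-app",
     "versionInfo": "1.4.0", "licenseConcluded": "Apache-2.0",
     "externalRefs": []},
    {"SPDXID": "SPDXRef-Package-libparse", "name": "libparse",
     "versionInfo": "2.3.1", "licenseConcluded": "MIT",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                       "referenceType": "purl",
                       "referenceLocator": "pkg:pypi/libparse@2.3.1"}]},
    {"SPDXID": "SPDXRef-Package-netcore", "name": "netcore",
     "versionInfo": "0.9.7", "licenseConcluded": "NOASSERTION",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                       "referenceType": "purl",
                       "referenceLocator": "pkg:pypi/netcore@0.9.7"}]}
  ]
}
"""

# Constructed advisory feed keyed by version-less purl. The advisory ids
# are placeholders, not real CVE numbers; the ranges are [introduced, fixed).
ADVISORIES = {
    "pkg:pypi/libparse": [
        {"id": "EXAMPLE-ADV-0001", "introduced": "2.0.0", "fixed": "2.3.2"}],
    "pkg:pypi/netcore": [
        {"id": "EXAMPLE-ADV-0002", "introduced": "0.5.0", "fixed": "0.9.0"}],
}

# Example license policy: concluded licenses a shipped product may contain.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints."""
    return tuple(int(part) for part in v.split("."))


def affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (half-open range)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def purl_of(package: dict) -> Optional[str]:
    """Return the package's purl with the @version suffix removed, if any."""
    for ref in package.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"].split("@", 1)[0]
    return None


def audit_sbom(sbom_text: str, advisories: dict, allowed: set) -> dict:
    """Cross-reference every package against the advisory feed and the
    license allow-list; returns the findings instead of printing them."""
    doc = json.loads(sbom_text)
    findings = {"vulnerable": [], "license": []}
    for pkg in doc["packages"]:
        name, version = pkg["name"], pkg.get("versionInfo", "")
        # SPDX uses NOASSERTION when the license was not determined; that
        # is itself a finding because the policy cannot be evaluated.
        lic = pkg.get("licenseConcluded", "NOASSERTION")
        if lic not in allowed:
            findings["license"].append((name, lic))
        purl = purl_of(pkg)
        if purl is None:          # no purl means no reliable provenance to match
            continue
        for adv in advisories.get(purl, []):
            if affected(version, adv["introduced"], adv["fixed"]):
                findings["vulnerable"].append((name, version, adv["id"]))
    return findings


if __name__ == "__main__":
    result = audit_sbom(SBOM_JSON, ADVISORIES, ALLOWED_LICENSES)
    for name, version, adv_id in result["vulnerable"]:
        print(f"VULNERABLE {name} {version}: {adv_id}")
    for name, lic in result["license"]:
        print(f"LICENSE    {name}: '{lic}' not in allow-list")
```

Run as-is, the audit flags libparse 2.3.1 (inside the constructed advisory's range) and netcore's undetermined license, while netcore 0.9.7 is correctly reported clean because it is past the fixed version. The plain dotted-integer comparison is only adequate for this toy input; real ecosystems have their own version-ordering rules (pre-release tags, epochs), and a production cross-reference should use the ecosystem's own comparator and match on the full purl rather than on a package name alone.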
SPDX evolved organically over the last 10 years through the collaboration of hundreds of companies, making it the most mature and adopted SBOM standard, the Linux Foundation said. The new standard will make supply chain licensing compliance easier as well, because open source tools like FOSSology, ORT, ScanCode and sw360 already support SPDX, said Oliver Fendt, senior manager, open source at Siemens, in a statement.

"SPDX is the essential common thread among tools under the Automating Compliance Tooling (ACT) umbrella. SPDX enables tools written in different languages and for different software targets to achieve coherence and interoperability around SBOM production and consumption. SPDX is not just for compliance, either; the well-defined and ever-evolving spec is also able to represent security and supply chain implications. This is incredibly important for the growing community of SBOM tools as they aim to thoroughly represent the intricacies of modern software," said Rose Judge, ACT TAC chair and open source engineer at VMware, in a statement.

Information on how to participate in and benefit from SPDX can be found at https://spdx.dev. More information on how companies and open source projects are using SPDX can be found at https://events.linuxfoundation.org/supply-chain-town-hall/.