SPDX is now official data standard for software bill of materials


The Software Package Data Exchange (SPDX), a file format and open standard used for more than a decade to document all the components in a piece of software, is now an internationally recognized standard for software bill of materials (SBOM).

The announcement comes at a notable time for software security. With countless organizations, including government agencies, hospitals, and mega corporations, reeling from targeted software supply chain attacks such as the attack on SolarWinds, U.S. President Biden in May issued an executive order outlining key steps to improving the nation’s cybersecurity. Securing open source software used within federal information systems was a part of this order, including:

… maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis.

Transparency is the name of the game here. And to achieve this end, the order specified that all ICT companies working with federal government agencies should provide an SBOM for each item used in the software stack.

This essentially means a full list of proprietary and open source libraries, modules, and APIs. It also entails outlining the relationship across all components and dependencies. With this inventory in place, it becomes easier to track and trace components used across the software supply chain and identify inherent vulnerabilities.
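The tracing step described above, as an added example that is not from the article or the SPDX project: it walks the relationships in a small SPDX 2.2 JSON document to find every package that directly or transitively depends on a flagged component. The document and its package names (example-app, webframe, yamlparse, logkit) are constructed for illustration, and `dependents_of` is a hypothetical helper; the field names and relationship types follow the SPDX 2.2 JSON format.

```python
import json
from collections import defaultdict

# Constructed SPDX 2.2 JSON document, trimmed to the fields used here.
SBOM = json.loads("""
{
  "spdxVersion": "SPDX-2.2",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-app-sbom",
  "packages": [
    {"SPDXID": "SPDXRef-app",    "name": "example-app", "versionInfo": "1.0.0"},
    {"SPDXID": "SPDXRef-web",    "name": "webframe",    "versionInfo": "4.2.1"},
    {"SPDXID": "SPDXRef-parser", "name": "yamlparse",   "versionInfo": "0.9.3"},
    {"SPDXID": "SPDXRef-log",    "name": "logkit",      "versionInfo": "2.1.0"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-app"},
    {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-web"},
    {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-log"},
    {"spdxElementId": "SPDXRef-parser", "relationshipType": "DEPENDENCY_OF", "relatedSpdxElement": "SPDXRef-web"}
  ]
}
""")

def dependents_of(sbom, name, version):
    """Return sorted names of packages that directly or transitively depend on name@version."""
    names = {p["SPDXID"]: p["name"] for p in sbom["packages"]}
    targets = [p["SPDXID"] for p in sbom["packages"]
               if p["name"] == name and p.get("versionInfo") == version]
    # Reverse edges: dependency -> set of packages that depend on it.
    rdeps = defaultdict(set)
    for r in sbom.get("relationships", []):
        a, b, kind = r["spdxElementId"], r["relatedSpdxElement"], r["relationshipType"]
        if kind == "DEPENDS_ON":       # a depends on b
            rdeps[b].add(a)
        elif kind == "DEPENDENCY_OF":  # a is a dependency of b
            rdeps[a].add(b)
    # Depth-first walk up the reverse edges from the flagged component.
    seen, stack = set(), list(targets)
    while stack:
        for parent in rdeps[stack.pop()]:
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return sorted(names[i] for i in seen if i in names)

if __name__ == "__main__":
    print(dependents_of(SBOM, "yamlparse", "0.9.3"))
```

Both DEPENDS_ON and DEPENDENCY_OF are handled because SBOM generators record the same edge in either direction.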

Rubberstamp

Under the auspices of the Linux Foundation, SPDX had already emerged as a de facto SBOM format for countless companies, including Microsoft, Intel, Siemens, Sony, Synopsys, VMware, and Wind River. But it has now been rubberstamped by the International Organization for Standardization (ISO), the global organization that develops technical, industrial, and commercial standards.

This means SPDX is now an official open standard data format for conveying software metadata throughout the supply chain. It also fits into the broader governmental push toward SBOMs. Biden’s executive order specifically name-checked three existing data standards that would fit the bill: CycloneDX, SWID tags, and SPDX.

“SPDX SBOMs make it easy to produce U.S. Presidential Executive Order-compliant SBOMs, and the direction that SPDX is taking with the design of their next-gen schema will help further improve the security of the software supply chain,” Adrian Diglio, Microsoft’s principal program manager of software supply chain security, noted in a press release.
