The Software Package Data Exchange (SPDX), a file format and open standard used for more than a decade to document the components in a piece of software, is now an internationally recognized standard for the software bill of materials (SBOM).
The announcement comes at a notable time for software security. With countless organizations, including government agencies, hospitals, and mega-corporations, reeling from targeted software supply chain attacks such as the one on SolarWinds, U.S. President Biden in May issued an executive order outlining key steps to improve the nation's cybersecurity. Securing the open source software used within federal information systems was part of this order, including:
… maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis.
Transparency is the name of the game here, and to that end the order specified that all ICT companies working with federal government agencies should provide an SBOM for each item in the software stack.
In practice this means a full list of the proprietary and open source libraries, modules, and APIs, along with the relationships among all components and dependencies. With this inventory in place, it becomes easier to track and trace the components used across the software supply chain and to identify the vulnerabilities they carry.
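As an added example (not from the article or the SPDX project), here is a small Python parser for the SPDX 2.x tag-value format that reads a constructed SBOM and traces which packages transitively depend on a given component, the kind of track-and-trace query described above; the package names and SPDXIDs are invented.

```python
from collections import defaultdict
# Constructed SBOM for illustration only; the SPDXIDs and packages are made up.
SAMPLE_SBOM = """\
SPDXVersion: SPDX-2.2
SPDXID: SPDXRef-DOCUMENT
PackageName: billing-service
SPDXID: SPDXRef-billing
PackageVersion: 2.3.1
PackageName: http-client
SPDXID: SPDXRef-httpclient
PackageVersion: 4.5.0
PackageName: tls-lib
SPDXID: SPDXRef-tls
PackageVersion: 1.1.1
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-billing
Relationship: SPDXRef-billing DEPENDS_ON SPDXRef-httpclient
Relationship: SPDXRef-httpclient DEPENDS_ON SPDXRef-tls
"""

def parse_spdx(text):
    """Return ({spdxid: {"name", "version"}}, [(a, TYPE, b), ...])."""
    packages, relationships, current = {}, [], None
    for line in text.splitlines():
        tag, _, value = line.partition(":")
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":            # starts a new package section
            current = {"name": value, "version": ""}
        elif tag == "SPDXID" and current and "id" not in current:
            current["id"] = value           # first SPDXID after PackageName
            packages[value] = current
        elif tag == "PackageVersion" and current:
            current["version"] = value
        elif tag == "Relationship":         # form: "<a> <TYPE> <b>"
            relationships.append(tuple(value.split()))
    return packages, relationships

def exposed_packages(text, component_id):
    """Packages depending on component_id, directly or transitively."""
    packages, relationships = parse_spdx(text)
    reverse = defaultdict(set)              # component -> packages that use it
    for a, rtype, b in relationships:
        if rtype in ("DEPENDS_ON", "CONTAINS"):
            reverse[b].add(a)
    seen, stack = set(), [component_id]
    while stack:                            # walk the reverse dependency graph
        for parent in reverse[stack.pop()] - seen:
            seen.add(parent)
            stack.append(parent)
    return sorted(f"{packages[p]['name']}@{packages[p]['version']}" for p in seen if p in packages)
```

Calling `exposed_packages(SAMPLE_SBOM, "SPDXRef-tls")` lists every package that would inherit a flaw in `tls-lib`, which is what an SBOM is meant to make answerable in minutes rather than weeks.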
Under the auspices of the Linux Foundation, SPDX had already emerged as a de facto SBOM format for countless companies, including Microsoft, Intel, Siemens, Sony, Synopsys, VMware, and Wind River. But it has now been rubber-stamped by the International Organization for Standardization (ISO), the global body that develops technical, industrial, and commercial standards.
This means SPDX is now an official open standard data format for conveying software metadata throughout the supply chain. It also fits into the broader governmental push toward SBOMs: Biden's executive order specifically name-checked three existing data standards that would fit the bill, namely CycloneDX, SWID tags, and SPDX. Gaining the ISO seal of approval makes it easier for governments and other organizations to choose SPDX, as ISO compliance is often a prerequisite.
“Being an ISO standard means it can be mandated by any organization — commercial, government, etc — around the world in contracts or regulations, which allows for so much more consistency and ease in supply chain security,” Kate Stewart, the Linux Foundation’s vice president of dependable embedded systems, told VentureBeat. “It will also be easier for multinationals to adopt SPDX for procurement, security, and legal applications.”
And the fact that companies such as Microsoft, which already works with government agencies in the U.S. and beyond, are already on board with the SPDX standard puts them in a strong position moving forward.
“SPDX SBOMs make it easy to produce U.S. Presidential Executive Order-compliant SBOMs, and the direction that SPDX is taking with the design of their next-gen schema will help further improve the security of the software supply chain,” Adrian Diglio, Microsoft’s principal program manager of software supply chain security, noted in a press release.