The Open Worldwide Application Security Project (OWASP) announced the launch of OWASP CycloneDX version 1.5, a new standard in the Bill of Materials (BOM) domain that specifically targets issues of transparency and compliance within the software industry. 

CycloneDX v1.5 goes beyond established standards by introducing machine learning transparency (ML-BOM), Formulation (MBOM), and enhanced support for SBOM quality indicators.

This release extends the BOM beyond its current support for hardware, software, and services. The objective is to provide organizations with a more robust capability for identifying and mitigating supply chain risks.

ML-BOM is an advancement in BOM technology aimed at developers. Through ML-BOM, CycloneDX records the machine learning models used in software systems, so that stakeholders can see how those models were trained and deployed. This not only guarantees accountability but also fosters ethical artificial intelligence (AI) practices.

“This release of the CycloneDX specification is a milestone for any cybersecurity-aware company that wants to produce mature BOMs that capture critical information to address security risk and compliance assessments, especially in the area of Continuous Integration and Delivery (CI/CD) or “manufacturing” of the BOM’s subject software, hardware or service,” said Matt Rutkowski, OWASP Maintainer and CycloneDX Contributor at IBM.

To help organizations make full use of SBOMs, CycloneDX has launched the first in a series of guides. The publication, “Authoritative Guide to SBOM: Implement and Optimize Use of Software Bill of Materials”, is available now. This 60-page document covers both essential and advanced topics and is useful for organizations of any size. The guide can be found at https://cyclonedx.org/guides.

Concurrent with the unveiling of CycloneDX v1.5, OWASP has initiated the development of CycloneDX v1.6, which will introduce the Cryptography Bill of Materials (CBOM) to the standard.