SAN FRANCISCO, June 17, 2021 / PRNewswire / – The Linux Foundation, the nonprofit that enables mass innovation through open source, today announced new industry research, training, and tools – backed by the SPDX industry standard – to accelerate the use of a Software Bill of Materials (SBOM) in secure software development.
The Linux Foundation is accelerating the adoption of SBOM practices to secure software supply chains with:
- SBOM standard: Stewarding SPDX, the de facto standard for SBOM requirements and data exchange
- SBOM survey: Highlighting the current state of industry practice to establish benchmarks and best practices
- SBOM training: Delivering a new course on generating an SBOM to accelerate adoption
- SBOM tools: Enabling development teams to create SBOMs for their applications
“As the architects of today’s digital infrastructure, the open source community is able to drive the understanding and adoption of SBOMs in the public and private sectors,” said Mike Dolan, Senior Vice President and General Manager of Linux Foundation Projects. “The rise in cybersecurity threats creates a need, anticipated many years ago by the open source community, to standardize the way we share our software. The time has never been more urgent to bring new data to the surface and offer additional resources that improve understanding about how to adopt and generate SBOMs and then react to the information.”
Ninety percent (90%) of a modern application is composed of open source software components. An SBOM inventories the open source components contained in an application and describes their quality, license and security attributes in detail. SBOMs are used to ensure developers understand what components are flowing through their software supply chains, to proactively identify problems and risks, and to provide a starting point for resolving them.
The President’s recent executive order to improve the nation’s cybersecurity highlighted the importance of SBOMs in protecting and securing the software supply chain. The National Telecommunications and Information Administration (NTIA) followed the order by requesting broad feedback to establish the minimum elements of an SBOM. The Linux Foundation responded to the NTIA’s SBOM request and to the executive order.
SPDX: The de facto open SBOM industry standard
SPDX, a Linux Foundation project, is the de facto open standard for communicating SBOM information, including open source software components, licenses and known security vulnerabilities. SPDX has grown organically over the past decade through work with hundreds of companies, including the leading providers of Software Composition Analysis (SCA), making it the most robust, mature, and widely adopted SBOM standard on the market.
SBOM readiness survey
Linux Foundation Research is conducting the SBOM Readiness Survey. Launching next week, it examines the barriers to SBOM adoption and the future actions needed to address them in the context of software supply chain security. The recent U.S. Executive Order on Cybersecurity emphasizes SBOMs, and this survey will help identify industry gaps in SBOM use. The survey questions address, among other things, tooling, security measures, and the industries that lead the way in producing and consuming SBOMs.
New course: Generating a software bill of materials
The Linux Foundation is also announcing a free online training course, Generating a Software Bill of Materials (LFC192). The course provides a basic understanding of the options and tools available to generate SBOMs and how to use them to improve the ability to respond to cybersecurity needs. It is designed for directors, product managers, open source program office staff, security professionals, and corporate developers who create software. Participants will learn to identify the minimum elements of an SBOM, how those elements can be assembled, and some of the open source tools available to aid in creating and using an SBOM.
New tools: SBOM generator
Also announced today is the availability of the SPDX SBOM generator, a command line interface (CLI) that generates SBOM information, including your application’s components, licenses, copyrights, and security references, using the SPDX v2.2 specification and in line with the currently known NTIA minimum elements. The CLI currently supports GoMod (Go), Cargo (Rust), Composer (PHP), DotNet (.NET), Maven (Java), NPM (Node.js), Yarn (Node.js), PIP (Python), Pipenv (Python) and Gems (Ruby). It can be easily embedded in automated processes such as continuous integration (CI) pipelines and is available for Windows, macOS and Linux.
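The release describes the generator's output as SPDX v2.2 and as aligned with the NTIA minimum elements, which is only useful to a consumer who actually checks that an SBOM carries those elements before relying on it. The following is an added example, not code from the press release or from the SPDX project: it parses an SPDX 2.2 JSON document and reports which packages lack a version, supplier, unique identifier or dependency relationship, and whether the document records its author and timestamp. The sample document is constructed here with placeholder package names, and the mapping of NTIA minimum elements onto SPDX 2.2 fields (versionInfo, supplier, externalRefs with purl/CPE, DEPENDS_ON/DESCRIBES relationships, creationInfo) is this example's own assumption rather than something the page states.

```python
"""Check an SPDX 2.2 JSON SBOM for the NTIA minimum elements.

Added example, not the SPDX project's code. The element-to-field mapping is
this example's assumption; the sample SBOM below is constructed, not real.
"""
import json

# Constructed sample: roughly what an SPDX v2.2 JSON document produced for a
# small Python application could look like. Package names are placeholders.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app",
    "documentNamespace": "https://example.invalid/spdx/example-app-0.1.0",
    "creationInfo": {
        "created": "2021-06-17T00:00:00Z",
        "creators": ["Tool: example-sbom-generator-0.0.1"],
    },
    "packages": [
        {"name": "example-app", "SPDXID": "SPDXRef-Package-example-app",
         "versionInfo": "0.1.0", "supplier": "Organization: Example Org",
         "downloadLocation": "NOASSERTION", "licenseConcluded": "MIT",
         "licenseDeclared": "MIT", "copyrightText": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/example-app@0.1.0"}]},
        {"name": "requests-lib", "SPDXID": "SPDXRef-Package-requests-lib",
         "versionInfo": "2.25.1", "supplier": "Organization: Example Upstream",
         "downloadLocation": "NOASSERTION", "licenseConcluded": "Apache-2.0",
         "licenseDeclared": "Apache-2.0", "copyrightText": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests-lib@2.25.1"}]},
        # Deliberately incomplete entry: no version, supplier or identifier,
        # and no relationship ties it into the dependency tree.
        {"name": "mystery-dep", "SPDXID": "SPDXRef-Package-mystery-dep",
         "downloadLocation": "NOASSERTION", "licenseConcluded": "NOASSERTION",
         "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-example-app"},
        {"spdxElementId": "SPDXRef-Package-example-app",
         "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-requests-lib"},
    ],
})

# SPDX externalRefs reference types that serve as a unique component identifier.
IDENTIFIER_TYPES = ("purl", "cpe23Type", "cpe22Type")


def check_ntia_minimum(sbom_json):
    """Return {SPDXID: [problem, ...]} for every element missing a minimum element.

    An empty dict means every package carries a name, version, supplier,
    unique identifier and dependency relationship, and the document records
    its author and creation timestamp.
    """
    doc = json.loads(sbom_json)
    findings = {}

    # Document-level elements: author of the SBOM data and timestamp.
    info = doc.get("creationInfo", {})
    doc_problems = []
    if not info.get("creators"):
        doc_problems.append("missing SBOM author (creationInfo.creators)")
    if not info.get("created"):
        doc_problems.append("missing timestamp (creationInfo.created)")
    if doc_problems:
        findings["SPDXRef-DOCUMENT"] = doc_problems

    # Every package should appear as the target of a DESCRIBES or DEPENDS_ON
    # relationship; otherwise its place in the dependency tree is unknown.
    related = {r.get("relatedSpdxElement") for r in doc.get("relationships", [])
               if r.get("relationshipType") in ("DESCRIBES", "DEPENDS_ON")}

    for pkg in doc.get("packages", []):
        spdx_id = pkg.get("SPDXID", "<no SPDXID>")
        problems = []
        if not pkg.get("name"):
            problems.append("missing component name")
        if not pkg.get("versionInfo"):
            problems.append("missing version")
        if not pkg.get("supplier"):
            problems.append("missing supplier name")
        identifiers = [ref.get("referenceLocator")
                       for ref in pkg.get("externalRefs", [])
                       if ref.get("referenceType") in IDENTIFIER_TYPES]
        if not identifiers:
            problems.append("no unique identifier (purl or CPE externalRef)")
        if spdx_id not in related:
            problems.append("no dependency relationship (DESCRIBES/DEPENDS_ON)")
        if problems:
            findings[spdx_id] = problems
    return findings


if __name__ == "__main__":
    for element, problems in check_ntia_minimum(SAMPLE_SBOM).items():
        print(element)
        for problem in problems:
            print("  -", problem)
```

Run against the constructed sample, only the incomplete package is reported, with four problems; the two well-formed packages and the document header pass. In a CI pipeline the same check can gate on a generated SBOM before it is published, so that an SBOM which cannot answer "which version of what, from whom, depending on what" is caught at build time rather than during an incident.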
About the Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data and open hardware. The Linux Foundation’s projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
The Linux Foundation has registered trademarks and uses trademarks. For a list of the Linux Foundation’s trademarks, see the Trademark Usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.
Media contacts
Jennifer Cloer
for Linux Foundation
[email protected]
503-867-2304
SOURCE The Linux Foundation
Related links
www.linuxfoundation.org
Source: https://collegeeducationnewsllc.com/linux-foundation-announces-software-bill-of-materials-sbom-industry-standard-research-training-and-tools-to-improve-cybersecurity-practices/