Skip to content

Commit

Permalink
Content update
Browse files Browse the repository at this point in the history
  • Loading branch information
stevespringett committed Mar 25, 2024
1 parent 74b87ed commit 7538b2f
Show file tree
Hide file tree
Showing 6 changed files with 82 additions and 30 deletions.
30 changes: 21 additions & 9 deletions SBOM/en/0x02-Preface.md
Original file line number Diff line number Diff line change
@@ -1,14 +1,26 @@
# Preface

Secure supply chains are the foundational building block of modern cyber security. Without being able to describe a system’s components in a machine-consumable way, organizations and software consumers are in the dark if they are at risk of exploitation of known defects or vulnerabilities.

Innovation drives the evolution of Software Bill of Materials (SBOM). I was lucky enough to attend one of the meetings held between the CycloneDX and SPDX teams at a Linux Foundation conference moderated by the fine folks at CISA. The drivers for CycloneDX 1.5 include improvements in interoperability and transparency.

Software authors, from hobbyists to software vendors, can quickly adopt CycloneDX in their tooling, producing artifacts that will help consumers understand and manage the risk of the multitude of software that most organizations rely on daily.

A few years ago, I was involved in a project to review 1700 business-critical applications in 90 days for known software vulnerabilities. If the organization had access to CycloneDX SBOMs, this would have been a trivial task, time that could have been more usefully spent on remediation rather than discovery. Sadly, most of the time was spent working out what software had old faulty components rather than addressing the very real risk of known software vulnerabilities. We were plagued with false positives from the tooling we used simply because scanning software without SBOMs is a heuristic-driven discovery process that is inefficient and wastes a great deal of time we didn’t have. SBOMs resolve these issues, reduce costs, and reduce risk to all involved.

I commend the CycloneDX team for a highly polished revision of their standard, one that evolves the state of the art.
Welcome to the Authoritative Guide series by the OWASP Foundation and OWASP CycloneDX. In this series, we aim to
provide comprehensive insights and practical guidance, ensuring that security professionals, developers, and
organizations alike have access to the latest best practices and methodologies.

At the heart of the OWASP Foundation lies a commitment to inclusivity and openness. We firmly believe that everyone
deserves a seat at the table when it comes to shaping the future of cybersecurity standards. Our collaborative
model fosters an environment where diverse perspectives converge to drive innovation and excellence.

In line with this ethos, the OWASP Foundation has partnered with Ecma International to create an inclusive,
community-driven ecosystem for security standards development. This collaboration empowers individuals to contribute
their expertise and insights, ensuring that standards like CycloneDX reflect the collective wisdom of the global
cybersecurity community.

One standout example of this model is OWASP CycloneDX, which is on track to becoming an Ecma International
standard through Technical Committee 54 (TC54). By leveraging the strengths of both organizations, CycloneDX is poised
to become a cornerstone of security best practices, providing organizations with a universal standard for software and
system transparency.

As you embark on your journey through this Authoritative Guide, we encourage you to engage actively with the content
and join us in shaping the future of cybersecurity standards. Together, we can build a safer and more resilient digital
world for all.

---

Expand Down
18 changes: 10 additions & 8 deletions SBOM/en/0x30-Use_Cases.md
Original file line number Diff line number Diff line change
Expand Up @@ -89,13 +89,12 @@ CycloneDX is capable of describing the following types of components:
CycloneDX supports multiple methods to assert identity including:

- Coordinates: The combination of the group, name, and version fields form the coordinates of a component.
- Package URL: [Package URL](https://github.com/package-url/purl-spec) (PURL) standardizes how software package metadata is represented so that packages can universally be identified and located regardless of what vendor, project, or ecosystem the packages belongs to.
- SWID: Software ID (SWID) as defined in [ISO/IEC 19770-2:2015](https://www.iso.org/standard/65666.html) is used primarily to identify installed software.
- Package URL: [Package URL](https://github.com/package-url/purl-spec) (PURL) standardizes how software package metadata is represented so that packages can universally be identified and located.
- CPE: The [Common Platform Enumeration](https://nvd.nist.gov/products/cpe) (CPE) specification was designed for operating systems, applications, and hardware devices. CPE is maintained by the NVD.
- SWID: Software ID (SWID) as defined in [ISO/IEC 19770-2:2015](https://www.iso.org/standard/65666.html) is used primarily to identify installed software.
- OmniBOR: The [OmniBOR](https://omnibor.io/) Artifact ID is capable of identifying every source code file incorporated into each built artifact.
- SWHID: A [Software Heritage ID](https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html) is a unique identifier assigned to software artifacts to facilitate their identification, tracking, and preservation.

Assertion of identity can also be substantiated in the form of evidence, which includes the methods and techniques used
during analysis, the confidence, and the tool(s) that performed the analysis. Refer to the "Evidence" chapter for more
information.

The following example illustrates component identity in CycloneDX.

Expand All @@ -107,6 +106,8 @@ The following example illustrates component identity in CycloneDX.
"version": "1.0.0",
"cpe": "cpe:2.3:a:acme:awesome:1.0.0:*:*:*:*:*:*:*",
"purl": "pkg:maven/com.example/[email protected]",
"omnibor": "gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64",
"swhid": "swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2",
"swid": {
"tagId": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_1.0.0",
"name": "Acme Awesome Library",
Expand All @@ -123,9 +124,10 @@ The following example illustrates component identity in CycloneDX.
CycloneDX also supports several identifiers specific to hardware devices. Refer to https://cyclonedx.org/capabilities/hbom/
for more information.

<div style="page-break-after: always; visibility: hidden">
\newpage
</div>
Assertion of identity can also be substantiated in the form of evidence, which includes the methods and techniques used
during analysis, the confidence, and the tool(s) that performed the analysis. Refer to the "Evidence" chapter for more
information.


## Vulnerability Management
CycloneDX is ideal for vulnerability management and impact analysis through the support of comprehensive inventory and
Expand Down
4 changes: 4 additions & 0 deletions SBOM/en/0x40-BOM_Coverage_Maturity_Quality.md
Original file line number Diff line number Diff line change
Expand Up @@ -91,3 +91,7 @@ capability of CycloneDX. Identity evidence consists of:

Together, the BOM Maturity Model and native features of CycloneDX can be leveraged to form a high-quality, high-confidence
assessment of SBOM quality.

<div style="page-break-after: always; visibility: hidden">
\newpage
</div>
19 changes: 13 additions & 6 deletions SBOM/en/0x45-Cryptographic_Components.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,19 @@ primitive is discovered to be vulnerable or no longer complies with policies and
As part of an agile cryptographic approach, organizations should seek to understand what cryptographic assets they are
using and facilitate the assessment of the risk posture to provide a starting point for mitigation.

The following is a high-level architecture illustrating how cryptographic assets are implemented in CycloneDX.

![CBOM Component Architecture](../../CBOM/en/images/CBOM-Component-Architecture.svg)

Organizations should consider including cryptographic assets in their SBOMs and optionally producing a BOM specific for
cryptographic material, otherwise known as a Cryptographic Bill of Material (CBOM).

Refer to the [Authoritative Guide to CBOM](https://cyclonedx.org/guides/) for in-depth information about leveraging
CycloneDX for cryptographic use cases.

<div style="page-break-after: always; visibility: hidden">
\newpage
</div>

### Algorithm Example
A cryptographic algorithm is added in the components array of the BOM. The examples below list the algorithm
Expand Down Expand Up @@ -47,12 +60,6 @@ AES-128-GCM.
]
```

Organizations should consider including cryptographic assets in their SBOMs and optionally producing a BOM specific for
cryptographic material, otherwise known as a Cryptographic Bill of Material (CBOM).

Refer to the [Authoritative Guide to CBOM](https://cyclonedx.org/guides/) for in-depth information about leveraging
CycloneDX for cryptographic use cases.

<div style="page-break-after: always; visibility: hidden">
\newpage
</div>
27 changes: 26 additions & 1 deletion SBOM/en/0x49-Licenses.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
# License Compliance
CycloneDX can be used for open-source and commercial license compliance. By leveraging the licensing capabilities of
CycloneDX facilitates open-source and commercial license compliance. By leveraging the licensing capabilities of
CycloneDX, organizations can identify any licenses that may be incompatible or require specific compliance obligations,
such as attribution or sharing of source code.

Expand Down Expand Up @@ -136,6 +136,31 @@ intellectual property use cases. Whereas Software Asset Management (SAM) is prim
and procurement use cases. OWASP CycloneDX has extensive support for both and can be applied to any component or service
within a BOM.

## Security and Quality Considerations for Tracking Commercial Licenses

When a commercial software license expires or the software has reached its licensed limits, a cascading series of
events may occur, leading to security and quality issues, posing significant risks to users and systems. One of the
immediate concerns is the denial of service, where the software ceases to function. If the software is part of a
larger system, the entirety of the system may be at risk. Moreover, expired or exceeded licenses may trigger altered
application behavior, as certain features or functionalities tied to the license may become disabled or restricted.
This alteration can introduce instability, unexpected errors, or even malicious behavior, potentially compromising
the integrity and confidentiality of data.

Expired licenses may lead to being abruptly cut off from essential updates, patches, and support channels provided
by the software vendor. This leaves systems vulnerable to newly discovered vulnerabilities and exploits, as security
patches may no longer be available. Without access to ongoing support, users are left without recourse in the event
of technical glitches or critical issues, leading to prolonged downtime and increased susceptibility to cyberattacks.
Thus, ensuring software licenses remain current is vital for maintaining both the security and quality of software
systems.

Providing commercial license information in CycloneDX BOMs offers a comprehensive solution to these challenges.
By including license details within BOMs, software consumers gain transparency into the licensing status of
components used within a software application. This transparency facilitates effective license management,
enabling organizations to track and monitor license expiration dates and renewal requirements. Consequently,
software consumers can proactively address license expirations, ensuring uninterrupted access to critical
support services, including software updates and security patches. Overall, integrating commercial license
information into CycloneDX BOMs enhances security, quality, and compliance across the software supply chain.

<div style="page-break-after: always; visibility: hidden">
\newpage
</div>
14 changes: 8 additions & 6 deletions SBOM/en/0x50-Relationships.md
Original file line number Diff line number Diff line change
Expand Up @@ -71,9 +71,7 @@ A general dependency graph is unspecified deep and capable of representing both

![Sample Dependency Graph](images/dependency-graph.svg)

<div style="page-break-after: always; visibility: hidden">
\newpage
</div>


The dependency graph above can be codified with the following:

Expand Down Expand Up @@ -118,12 +116,16 @@ As of CycloneDX v1.6, there are two types of dependencies: dependsOn and provide
The dependency type, dependsOn, is leveraged by classic SBOMs to define a complete graph of direct and transitive
dependencies. However, for cryptographic and similar assets, "provides" allows for many additional use cases.

![Dependencies](../../CBOM/en/images/dependencies.svg)
<div style="page-break-after: always; visibility: hidden">
\newpage
</div>

The example shows an application (nginx) that uses the libssl cryptographic library. This library implements the
TLSv1.2 protocol. The relationship between the application, the library and the protocol can be expressed by using the
The following example shows an application (nginx) that uses the libssl cryptographic library. This library implements the
TLSv1.2 protocol. The relationship between the application, the library and the protocol can be expressed by using the
dependencies properties of the SBOM standard.

![Dependencies](../../CBOM/en/images/dependencies.svg)

Refer to the [Authoritative Guide to CBOM](https://cyclonedx.org/guides/) for in-depth information about leveraging
CycloneDX for cryptographic use cases.

Expand Down

0 comments on commit 7538b2f

Please sign in to comment.