OWASP Foundation Pursues Ecma International Standardization of CycloneDX - How This Benefits CycloneDX Adopters

image

Steve Springett and Kayla Heard-Rising

Wednesday, October 11, 2023

The OWASP Foundation recently announced its membership in Ecma International, a leading standards development organization comprised of key global technology companies.

Ecma International consists of administrative and executive groups that maintain the organization, Technical Committees that do the work to create and maintain standards, and the General Assembly, which provides feedback and votes to approve on proposed standards. The OWASP Foundation is joining as a member of Ecma International and together are laying the foundation to form a Technical Committee dedicated to pursuing and maintaining standardization of the CycloneDX specification.

This development is highly beneficial not only to the OWASP Foundation, but also to the software engineers and SecOps professionals currently using CycloneDX. These benefits include:

  • Input from major players in the tech industry – The Ecma General Assembly is comprised of organizations highly influential in technology development and innovation. Standardization of CycloneDX must be approved by these organizations, and at the Technical Committee level, they will have the opportunity to vote and/or provide input on what industry needs from the CycloneDX standard. This exponentially improves the team’s avenues to gather user needs and better serve the tech industry.
  • Stronger direction towards software and system transparency - Ecma International is creating a Technical Committee within Ecma (TC54 - Software and System Transparency), together with the OWASP Foundation to further the development of CycloneDX features that emphasize transparency. As an example, CycloneDX v1.6 will introduce support for attestations of compliance with any standard, linking compliance requirements with a body of evidence within the SBOM so that both internal and external stakeholders are aware of the degree and certainty of compliance. Generation of a CycloneDX xBOM is already a means for technology providers to be transparent with stakeholders about dependencies, vulnerabilities, and many other aspects of their product, so this direction is a natural evolution of the CycloneDX standard with significant potential for innovation within the TC54 committee.
  • More eyes on release quality, with a positive impact to release velocity – Ecma International manages effective iterations on technical standards under the watchful eye of experienced colleagues and well-established efficient support structures. In short, CycloneDX users can expect more value with each release and more frequent responses to user needs. The Ecma International’s Technical Committee will include representation from OWASP, members from Ecma including ServiceNow, IBM, and Bloomberg, with additional support from Ecma secretariat to provide guidance and increase velocity.
  • Increased ease of adoption in the workplace – Through the CycloneDX Technical Committee and General Assembly at Ecma International, numerous influential tech companies will not only become familiar with the functions and benefits of the CycloneDX standard, but also have a hand in its shaping and improving. As a result, engineers or SecOps will likely have a smoother path to stakeholder familiarity and approval when seeking to incorporate CycloneDX BOMs into their work projects.
  • Stable and solid international standardization means a decreased possibility of being required to migrate to a different standard – Joining Ecma International and pursuing Ecma standardization continues the trend of CycloneDX becoming an international standard. Ecma International has liaisons with other mainstream standardization organizations, such as ISO and IEC, with over 240 Ecma standards also having been published by ISO and IEC. CycloneDX is already the preferred SBOM standard for the medical device industry, the US national defense industry, the Center for Medicare and Medicaid Services, and the security branches of several world governments. As the CycloneDX standard becomes an increasingly approved, accepted and recognized standard worldwide, the likelihood decreases that current adopters will be forced by industry or government regulations to re-implement their SBOM generation, validation, and consumption processes to use another standard.
  • Strengthening CycloneDX’s position as a free, open-source standard – By nature, Ecma International standards are freely available and must not be hidden behind a paywall. Ecma membership ensures that CycloneDX will remain a free-to-use resource for the benefit of all.

For CycloneDX community members who participate in building the standard, there are two key aspects to note regarding the OWASP Foundation’s membership with Ecma International:

  • There will be no change to the day-to-day method of developing the CycloneDX standard. This is currently accomplished through feature working groups staffed by volunteer participants, also known as our community group. Membership in Ecma International introduces a separate technical committee that will focus on final technical review and verification, further checks that critical needs are being met, governance, and the formalities of ratifying CycloneDX as an international standard. While this may result in new initiatives, features, and working groups, the purpose of the technical group is mostly separate from that of the community group.
  • CycloneDX community members are not required to become members of Ecma International to continue participating in working groups. Although many international standards require a paid membership to participate in developing that standard, Ecma International standards are freely available for viewing or contribution. This aligns with the OWASP Foundation’s vendor neutrality clause, which holds that any organization has an equal seat at the table and an equal opportunity to participate in building CycloneDX, regardless of membership status or financial contribution. If interested, members of the community are encouraged to participate in the governance of CycloneDX’s formal standardization via Ecma membership.

In summary, the OWASP Foundation’s collaboration with Ecma International continues a positive trend of international standardization and community-led development of CycloneDX; preserving the inclusivity and equality of the CycloneDX community group while inviting experienced leaders in the tech industry to guide the CycloneDX high-level strategy through the formation of an Ecma International technical committee.

Get involved with CycloneDX and Ecma

  • For more information on CycloneDX milestones and the latest developments on our Technical Committee in Ecma International, go to https://cyclonedx.org/news/.
  • CycloneDX has a rich community of contributors, supporters, and adopters helping each other to drive innovation and change. It is quick and easy to join, and all new participants are welcome.
  • Visit https://www.ecma-international.org/ to:
    • Learn more about Ecma International.
    • Browse their technical standards, which have always been freely available since Ecma’s founding.
    • Apply for membership to reinforce the formal governance and review the activities of TC54.