SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

SAN FRANCISCO, Sept. 9, 2021 /PRNewswire/ -- The Linux Foundation, Joint Development Foundation, and the SPDX community today announced that the Software Package Data Exchange® (SPDX®) specification has been published as ISO/IEC 5962:2021 and recognized as the international open standard for security, license compliance, and other software supply chain artifacts. ISO/IEC JTC 1 is an independent, non-governmental standards body.

Intel, Microsoft, Siemens, Sony, Synopsys, VMware and Wind River are just a small sample of the companies already using SPDX to communicate Software Bill of Materials (SBOM) information in policies or tools to ensure compliant, secure development across global software supply chains.

"SPDX plays an important role in building more trust and transparency in how software is created, distributed and consumed throughout supply chains. The transition from a de-facto industry standard to a formal ISO/IEC JTC 1 standard positions SPDX for dramatically increased adoption in the global arena," said Jim Zemlin, executive director, the Linux Foundation. "SPDX is now perfectly positioned to support international requirements for software security and integrity across the supply chain."

Between eighty and ninety percent (80%-90%) of a modern application is assembled from open source software components. An SBOM accounts for the software components contained in an application — open source, proprietary, or third-party — and details their provenance, license, and security attributes. SBOMs are used as part of a foundational practice to track and trace components across software supply chains. SBOMs also help to proactively identify software issues and risks, and establish a starting point for their remediation.

SPDX is the result of ten years of collaboration from representatives across industries, including the leading Software Composition Analysis (SCA) vendors, making it the most robust, mature, and adopted SBOM standard.

"As new use cases have emerged in the software supply chain over the last decade, the SPDX community has demonstrated its ability to evolve and extend the standard to meet the latest requirements. This really represents the power of collaboration on work that benefits all industries," said Kate Stewart, SPDX tech team co-lead. "SPDX will continue to evolve with open community input and we invite everyone, including those with new use cases, to participate in SPDX's evolution and securing the software supply chain."

For more information on how to participate in and benefit from SPDX, please visit: https://spdx.dev. To learn more about how companies and open source projects are using SPDX, recordings from the "Building Cybersecurity into the Software Supply Chain" Town Hall held on August 18th are available and can be viewed at: https://events.linuxfoundation.org/supply-chain-town-hall/

ISO/IEC JTC 1 is an independent, non-governmental international organization based in Geneva, Switzerland. Its membership represents more than 165 national standards bodies with experts who share knowledge and develop voluntary, consensus-based, market-relevant international standards that support innovation and provide solutions to global challenges.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

SOURCE The Linux Foundation
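As an added illustration, not part of the press release, the following Python reads a small SPDX 2.x tag-value document and checks each listed package for the provenance, license and integrity attributes the paragraph above says an SBOM should carry. The tag names (PackageName, PackageSupplier, PackageDownloadLocation, PackageChecksum, PackageLicenseConcluded, Relationship) are those of the SPDX 2.x tag-value format; the sample document itself, its package names, the example.invalid URLs and the all-zero checksums are constructed placeholders.

```python
"""Parse a minimal SPDX 2.x tag-value SBOM and audit each package for the
provenance, license and integrity fields it should establish.
Added example; the document below is constructed, not a real SBOM."""

from __future__ import annotations

import re

# Constructed sample SBOM: three packages with deliberately uneven coverage.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-app-sbom
DocumentNamespace: https://example.invalid/spdxdocs/example-app-sbom
Creator: Tool: hypothetical-sbom-generator-0.1
Created: 2021-09-09T00:00:00Z

PackageName: example-app
SPDXID: SPDXRef-Package-example-app
PackageVersion: 1.4.2
PackageSupplier: Organization: Example Corp
PackageDownloadLocation: https://example.invalid/src/example-app-1.4.2.tar.gz
PackageChecksum: SHA256: 0000000000000000000000000000000000000000000000000000000000000000
PackageLicenseConcluded: Apache-2.0
PackageLicenseDeclared: Apache-2.0

PackageName: libfoo
SPDXID: SPDXRef-Package-libfoo
PackageVersion: 0.9.1
PackageSupplier: NOASSERTION
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: MIT

PackageName: vendorlib
SPDXID: SPDXRef-Package-vendorlib
PackageSupplier: Organization: Vendor Inc
PackageDownloadLocation: https://example.invalid/vendorlib.zip
PackageChecksum: SHA1: 0000000000000000000000000000000000000000
PackageLicenseConcluded: LicenseRef-Vendor-EULA
PackageLicenseDeclared: LicenseRef-Vendor-EULA

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-example-app
Relationship: SPDXRef-Package-example-app DEPENDS_ON SPDXRef-Package-libfoo
Relationship: SPDXRef-Package-example-app DEPENDS_ON SPDXRef-Package-vendorlib
"""

# A tag-value line is "Tag: value"; values may themselves contain colons
# (e.g. "PackageSupplier: Organization: Example Corp"), so match the first only.
TAG_VALUE = re.compile(r"^([A-Za-z]+):\s*(.*)$")

UNKNOWN = ("NOASSERTION", "NONE")


def parse_spdx_tag_value(text: str) -> tuple[dict[str, list[str]], list[dict[str, list[str]]]]:
    """Return (document-level fields, list of per-package field dicts).

    Each PackageName line opens a new package; tags seen before the first
    PackageName, and all Relationship lines, belong to the document. Tags may
    repeat (several PackageChecksum lines), so every value is kept in a list.
    Multi-line <text> blocks are not needed for this sample and are skipped.
    """
    doc: dict[str, list[str]] = {}
    packages: list[dict[str, list[str]]] = []
    current = doc
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TAG_VALUE.match(line)
        if not m:
            continue
        tag, value = m.group(1), m.group(2)
        if tag == "Relationship":
            doc.setdefault(tag, []).append(value)
            continue
        if tag == "PackageName":
            current = {}
            packages.append(current)
        current.setdefault(tag, []).append(value)
    return doc, packages


def audit_packages(packages: list[dict[str, list[str]]]) -> dict[str, list[str]]:
    """Map each package name to the attributes the SBOM fails to establish."""
    findings: dict[str, list[str]] = {}
    for pkg in packages:
        name = pkg["PackageName"][0]
        gaps: list[str] = []
        if "PackageVersion" not in pkg:
            gaps.append("no version")
        if pkg.get("PackageSupplier", ["NOASSERTION"])[0] in UNKNOWN:
            gaps.append("unknown supplier")
        if pkg.get("PackageDownloadLocation", ["NOASSERTION"])[0] in UNKNOWN:
            gaps.append("unknown download location")
        checksums = pkg.get("PackageChecksum", [])
        if not checksums:
            gaps.append("no checksum")
        elif not any(c.startswith("SHA256:") for c in checksums):
            gaps.append("no SHA256 checksum")  # only a weaker digest present
        if pkg.get("PackageLicenseConcluded", ["NOASSERTION"])[0] in UNKNOWN:
            gaps.append("license not concluded")
        findings[name] = gaps
    return findings


if __name__ == "__main__":
    document, pkgs = parse_spdx_tag_value(SAMPLE_SPDX)
    print(f"{document['DocumentName'][0]}: {len(pkgs)} packages")
    for pkg_name, pkg_gaps in audit_packages(pkgs).items():
        print(f"  {pkg_name}: {'ok' if not pkg_gaps else ', '.join(pkg_gaps)}")
```

The audit deliberately treats NOASSERTION and NONE as gaps rather than errors: an SBOM that honestly records an unknown supplier is still useful, but a consumer's policy can refuse to ship a component whose origin, license or SHA-256 digest is not established.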