SPDX becomes a new standard for open source software and security


Supported by many of the world’s largest companies for over a decade, the Software Package Data Exchange (SPDX) specification is now an internationally recognized ISO/IEC JTC 1 standard.

The Linux Foundation announced Thursday that the SPDX specification has been published as ISO/IEC 5962:2021. It is now the international open standard for security, license compliance, and other software supply chain artifacts.

This comes at a time of transformation for software and supply chain security.

ISO/IEC JTC 1 is an independent, non-governmental standards body based in Geneva. Its members represent more than 165 national standards bodies. Its experts share their knowledge and develop voluntary, consensus-based and market-relevant international standards that support innovation and provide solutions to global challenges.

With roughly 90% of a modern application assembled from open source software components, the designation is significant both for the Linux Foundation and for the open source community.

Intel, Microsoft, Philips, Sony, Texas Instruments, Synopsys, and VMware are among the global companies that use SPDX to communicate software bill of materials (SBOM) information in policies or tools to ensure compliant and secure development across global software supply chains.

“SPDX plays an important role in building increased trust and transparency in the way software is created, distributed and consumed throughout supply chains. The transition from a de facto industry standard to an official ISO/IEC JTC 1 standard positions SPDX for significantly increased adoption in the global arena,” Jim Zemlin, executive director of the Linux Foundation, told LinuxInsider.

Zemlin added that SPDX is now perfectly positioned to meet international requirements for software security and integrity throughout the supply chain.

SBOM Big Deal for Open Source

Software security and trust are essential to the success of our industry, according to Melissa Evers, vice president of the Software and Advanced Technology Group and general manager of strategy to execution at Intel.

“Intel was an early participant in the development of the SPDX specification and uses SPDX both internally and externally for a number of software use cases,” she said.

SPDX has evolved organically over the past 10 years through the collaboration of hundreds of companies, including leading vendors of Software Composition Analysis (SCA) tools. This makes it the most robust, mature, and widely adopted software bill of materials standard.

An SBOM lists the software components contained in an application, whether the software is open source, proprietary, or third party, and details their quality, license and security attributes.

SBOMs are used as part of a foundational practice to track and trace components through software supply chains. SBOMs also help proactively identify software component issues and risks. This, in turn, establishes a starting point for their remediation.
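As an added illustration of the two preceding paragraphs (this is example code written for this page, not code from the article, the Linux Foundation or the SPDX project), the Python below reads a small SPDX 2.2 JSON document constructed inline, walks its DEPENDS_ON relationships to recover the component tree, and runs two of the checks an SBOM consumer typically performs: a license allow list and a lookup of each package's purl against an advisory feed. The package names, the `example.invalid` namespace, the `ADV-EXAMPLE-*` identifiers and the simple `fixed_in` version cut-off are all assumptions made for the example; real advisory feeds use richer version ranges, and production SPDX tooling handles tag-value and the other serializations as well.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed SPDX 2.2 JSON document for illustration. The packages, versions and
# namespace are made up and describe no real product.
SPDX_JSON = r'''{
  "spdxVersion": "SPDX-2.2",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-app-sbom",
  "documentNamespace": "https://example.invalid/spdx/example-app-1.0",
  "creationInfo": {"created": "2021-09-09T00:00:00Z", "creators": ["Tool: example-generator"]},
  "packages": [
    {"name": "example-app", "SPDXID": "SPDXRef-app", "versionInfo": "1.0.0",
     "downloadLocation": "NOASSERTION", "licenseConcluded": "Apache-2.0"},
    {"name": "widgetlib", "SPDXID": "SPDXRef-widgetlib", "versionInfo": "2.2.0",
     "downloadLocation": "NOASSERTION", "licenseConcluded": "MIT",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:pypi/widgetlib@2.2.0"}]},
    {"name": "gadgetlib", "SPDXID": "SPDXRef-gadgetlib", "versionInfo": "5.0.1",
     "downloadLocation": "NOASSERTION", "licenseConcluded": "GPL-3.0-or-later",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:pypi/gadgetlib@5.0.1"}]},
    {"name": "vendor-blob", "SPDXID": "SPDXRef-blob", "versionInfo": "3.2",
     "downloadLocation": "NOASSERTION", "licenseConcluded": "NOASSERTION"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-app",
     "relationshipType": "DESCRIBES"},
    {"spdxElementId": "SPDXRef-app", "relatedSpdxElement": "SPDXRef-widgetlib",
     "relationshipType": "DEPENDS_ON"},
    {"spdxElementId": "SPDXRef-app", "relatedSpdxElement": "SPDXRef-gadgetlib",
     "relationshipType": "DEPENDS_ON"},
    {"spdxElementId": "SPDXRef-app", "relatedSpdxElement": "SPDXRef-blob",
     "relationshipType": "DEPENDS_ON"}
  ]
}'''

# Hypothetical advisory feed (constructed): versions strictly below fixed_in are affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl": "pkg:pypi/widgetlib", "fixed_in": "2.3.1"},
    {"id": "ADV-EXAMPLE-0002", "purl": "pkg:pypi/gadgetlib", "fixed_in": "4.9.0"},
]

# Assumed organisational license policy for the example.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}


def load_spdx(text: str) -> dict:
    """Parse an SPDX JSON document and reject anything that is not SPDX 2.x."""
    doc = json.loads(text)
    version = doc.get("spdxVersion", "")
    if not version.startswith("SPDX-2."):
        raise ValueError(f"unsupported spdxVersion: {version!r}")
    for key in ("SPDXID", "name", "documentNamespace", "creationInfo", "packages"):
        if key not in doc:
            raise ValueError(f"missing required field: {key}")
    return doc


def purl_of(pkg: dict) -> Optional[str]:
    """Return the package's purl external reference, if it carries one."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"]
    return None


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted versions only; sufficient for the constructed data."""
    return tuple(int(part) for part in v.split("."))


def dependencies(doc: dict) -> Dict[str, List[str]]:
    """Map SPDXID -> [dependency SPDXIDs] from DEPENDS_ON relationships."""
    deps: Dict[str, List[str]] = {}
    for rel in doc.get("relationships", []):
        if rel.get("relationshipType") == "DEPENDS_ON":
            deps.setdefault(rel["spdxElementId"], []).append(rel["relatedSpdxElement"])
    return deps


def license_violations(doc: dict, allowed=ALLOWED_LICENSES) -> List[Tuple[str, str]]:
    """Packages whose concluded license is outside the allow list or not asserted."""
    return [(p["name"], p.get("licenseConcluded", "NOASSERTION"))
            for p in doc["packages"]
            if p.get("licenseConcluded", "NOASSERTION") not in allowed]


def affected_packages(doc: dict, advisories=ADVISORIES) -> List[Tuple[str, str]]:
    """Match each package's purl (name@version) against the advisory feed."""
    hits = []
    for pkg in doc["packages"]:
        purl = purl_of(pkg)
        if purl is None:
            continue  # no machine-readable identity: cannot be matched, flag separately
        base, _, version = purl.partition("@")
        for adv in advisories:
            if adv["purl"] == base and parse_version(version) < parse_version(adv["fixed_in"]):
                hits.append((pkg["name"], adv["id"]))
    return hits


if __name__ == "__main__":
    sbom = load_spdx(SPDX_JSON)
    print("dependency edges:", dependencies(sbom))
    print("license violations:", license_violations(sbom))
    print("affected packages:", affected_packages(sbom))
```

Note that `vendor-blob` is caught by the license check but silently skipped by the advisory match because it has no purl: a package without a machine-readable identifier cannot be traced, which is exactly why SBOM consumers treat missing external references as a finding in their own right.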

Major users have driven adoption of SPDX

Microsoft has adopted SPDX as the SBOM format of choice for the software it produces, noted Adrian Diglio, senior program manager of software supply chain security at Microsoft. “[…] takes with the design of their next-generation scheme will help further improve the security of the software supply chain,” he said.

SPDX is the essential common thread among the tools under the Automating Compliance Tooling (ACT) umbrella, added Rose Judge, chair of the ACT Technical Advisory Council (TAC) and open source engineer at VMware. It allows tools written in different languages and for different software targets to achieve consistency and interoperability around the production and consumption of SBOMs.

“SPDX isn’t just for compliance, either. The well-defined and constantly evolving specification is also able to represent security and supply chain implications. This is extremely important to the growing community of SBOM tools, as they aim to represent in depth the intricacies of modern software,” said Judge.

The SPDX format greatly facilitates the sharing of software component data throughout the supply chain. Wind River has been providing SBOMs to its customers in the SPDX format for eight years, observed Mark Gisi, director of the Wind River Open Source Program Office and chair of the OpenChain specification work group.

“Often, customers request SBOM data in a custom format. Standardization on SPDX has allowed us to deliver better quality SBOMs at lower cost,” he said.

For more details

To learn more about how businesses and open source projects are using SPDX, the recordings of the “Building Cyber Security in the Software Supply Chain” town hall held on August 18, 2021 are available to view.
