About

Building the language of software transparency.

I have spent the last decade creating the standards, tools, and practices that organizations now rely on to understand the software they build and consume. This page is a brief account of that work.

Biography

Steve Springett

Chicago Northshore. Advisor, author, speaker.

I have been deeply immersed in software supply chain security for more than a decade, founding and chairing the open standards that now define how organizations describe and exchange software transparency information.

My journey with the Open Worldwide Application Security Project (OWASP) began in 2012. I am a lifetime OWASP member and currently serve as Chair of the OWASP Global Board of Directors, helping drive the continued growth of the foundation and its mission to make secure software a reality through open collaboration, education, and innovation.

Alongside board service, I founded and chair the OWASP CycloneDX Core Working Group. What began as an OWASP project has grown into one of the most widely adopted SBOM standards in the world and, in 2024, became an international standard through Ecma International as ECMA‑424. I also lead the OWASP Dependency‑Track project, which recently celebrated its ten-year anniversary, and coauthored the OWASP Software Component Verification Standard (SCVS), which is referenced in its entirety in the NIST Secure Software Development Framework.

I founded Ecma International Technical Committee 54 (TC54) and chaired it during its first two years. TC54 is the home of the international standards program on software and system transparency, including CycloneDX, Package‑URL, OWASP Common Lifecycle Enumeration (CLE), and the Transparency Exchange API. This work is reshaping how software evidence is discovered, exchanged, and verified across the supply chain.

Outside of standards and advisory work, I write, speak, and teach. I am passionate about helping organizations identify and reduce risk from the software they build and consume, and I believe the next decade of security gains will come from better transparency rather than better perimeters.

Standards leadership

Roles that shape the rules.

Much of my time is spent convening the working groups, regulators, and practitioners who together decide how software is described and verified.

  • Chair, OWASP CycloneDX Core Working Group. Founder of the specification that became ECMA‑424. (2017 to present)
  • Founder, Ecma International TC54. Software and system transparency: CycloneDX, Package‑URL, CLE, Transparency Exchange API. Chaired the committee during its first two years. (Founded 2023)
  • Convenor, Ecma TC54 TG1. Transparency Exchange API standard. (Current)
  • Chair, OWASP Global Board of Directors. Governance, strategy, revenue, and global impact. (Current)
  • Project lead, OWASP Dependency‑Track. Component analysis platform in production at thousands of organizations. (2013 to present)
  • Coauthor and lead, OWASP Software Component Verification Standard (SCVS). Referenced by the NIST Secure Software Development Framework (SSDF). (Current)

Open source

Projects I created or lead.

The work is public. The code, the specifications, and the roadmaps are open. Clients often arrive already using what my teams have built.

OWASP CycloneDX

Founded 2017. International standard 2024.

A full stack Bill of Materials (BOM) standard covering software, hardware, cryptography, machine learning, services, and operations. Adopted across public and private sectors globally.

cyclonedx.org

OWASP Dependency‑Track

Founded 2013. Ten-year anniversary in 2023.

A full stack Component Analysis platform covering hardware, software, and services. Dependency‑Track has been consuming Bill of Materials (BOM) documents since before "Software Bill of Materials (SBOM)" became an industry term, and today helps thousands of organizations identify and reduce risk across their component portfolios.

dependencytrack.org

OWASP Software Component Verification Standard (SCVS)

Referenced in NIST Special Publication (SP) 800‑218.

A community driven framework for measuring the integrity of software supply chain practices.

scvs.owasp.org

Ecma International Technical Committee 54 (TC54) and Transparency Exchange API

Ecma International. Founded 2023.

Founded TC54 and chaired it during its first two years. The committee standardizes how software transparency information is discovered, distributed, and verified, including CycloneDX, Package‑URL (purl), the OWASP Common Lifecycle Enumeration (CLE), and the Transparency Exchange API.

tc54.org

Publications

Authored guides and frameworks.

I write the reference material that practitioners and regulators cite. Each guide is maintained and updated as the standards evolve.

  • Software Transparency. Technical editor of the book on supply chain security in a software driven society. (Wiley, 2023)
  • SBOM Authoritative Guide. The reference for producing and consuming Software Bill of Materials (SBOM) documents using CycloneDX. (CycloneDX)
  • CBOM Authoritative Guide. Cryptography Bill of Materials (CBOM), including post quantum cryptography readiness and cryptographic inventory. (CycloneDX)
  • Attestations Authoritative Guide. Machine verifiable claims about software supply chain artifacts. (CycloneDX)
  • OWASP Software Component Verification Standard (SCVS). Coauthor, ongoing lead. (OWASP)
  • Multiple whitepapers, talks, and articles across software transparency, vulnerability management, and regulatory response. (Ongoing)

Recognition and reach

Where the work shows up.

Press portrait. High resolution versions available on request.

  • Adoption: CycloneDX adopted by U.S. federal agencies, EU Member State regulators, financial services firms, medical device manufacturers, and the broader open source ecosystem.
  • NIST SSDF: OWASP Software Component Verification Standard (SCVS) cited in its entirety by the U.S. National Institute of Standards and Technology (NIST) in the Secure Software Development Framework (SSDF).
  • Ecma International: CycloneDX ratified as ECMA‑424, a formal international standard for Bill of Materials (BOM) published by Ecma International.
  • Speaking: Regular speaker at global security and supply chain conferences.
  • Press: Frequently interviewed by industry press on SBOM, regulation, and software transparency.

Want the long version?

Ask for a full CV, a speaking kit, or a one page briefing tailored to your board. I am happy to send the right material for the room.