Resources

The primary sources I point clients to.

Everything here is open and free to use. When an engagement starts, we work from these materials rather than a proprietary methodology. No black boxes.

Standards

Specifications I chair or lead.

These are the documents regulators cite and enterprise programs implement. Each is community-driven and actively maintained.

Standard

CycloneDX (ECMA‑424)

A full-stack Bill of Materials standard providing advanced supply chain capabilities for cyber risk reduction. Supports software, hardware, cryptography, machine learning, services, manufacturing, and operations.

cyclonedx.org · ECMA‑424

Standard

OWASP Software Component Verification Standard (SCVS)

A community-driven framework for identifying and reducing risk in the software supply chain. Referenced by the U.S. National Institute of Standards and Technology (NIST) in the Secure Software Development Framework (SSDF).

scvs.owasp.org

Standard

Transparency Exchange API

An Ecma TC54 standard under development for discovering and sharing software transparency information across organizations and ecosystems.

tc54.org/tea

Standard

Package‑URL (purl)

A specification for identifying and locating software packages across diverse ecosystems. A foundational identifier across Software Bill of Materials (SBOM), Vulnerability Exploitability eXchange (VEX), vulnerability data, and attestations.

github.com/package‑url

Standard

OWASP Common Lifecycle Enumeration (CLE)

A standardized vocabulary for describing software lifecycle states, phases, and events, enabling consistent reasoning about maintenance, support, and end of life.

cle.owasp.org

Governance

Ecma International Technical Committee 54 (TC54)

The technical committee chartered to standardize the OWASP CycloneDX Bill of Materials specification and the broader family of software and system transparency standards.

tc54.org

Guides

Authoritative guides.

These are the reference documents I author and maintain for the CycloneDX community. They are written for practitioners and are updated with every specification release.

  • Authoritative Guide to SBOM. How to produce and consume Software Bill of Materials (SBOM) documents that are actually useful. · CycloneDX
  • Authoritative Guide to CBOM. Cryptography Bill of Materials (CBOM), including post-quantum cryptography readiness. · CycloneDX
  • Authoritative Guide to Attestations. Machine-verifiable claims about software supply chain artifacts. · CycloneDX
  • Authoritative Guide to VEX. Using Vulnerability Exploitability eXchange (VEX) to communicate what is and is not exploitable, providing exploitability transparency alongside vulnerability disclosures. · CycloneDX
  • Authoritative Guide to OBOM. Operations Bill of Materials (OBOM) for runtime and production environments. · CycloneDX
  • Authoritative Guide to SaaS‑BOM. Software as a Service Bill of Materials (SaaS‑BOM). Transparency for services rather than shipped artifacts. · CycloneDX

Open source

Tools in production worldwide.

  • OWASP Dependency‑Track. Intelligent Component Analysis platform. Detects risk from the use of third-party and open source components. · dependencytrack.org
  • CycloneDX tooling. Generators, validators, libraries, and converters across dozens of ecosystems. · Tool Center
  • Reference implementations. Code published under the OWASP and CycloneDX GitHub organizations. · github.com/CycloneDX

Recommended reading

External sources I trust.

Primary source material regulators and practitioners should know. I do not maintain these, but I reference them often and you should too.

  • NIST Special Publication (SP) 800‑218. Secure Software Development Framework (SSDF), published by the U.S. National Institute of Standards and Technology. · NIST
  • EU Regulation 2024/2847. Cyber Resilience Act (CRA). · European Union
  • Executive Order 14028. Improving the Nation's Cybersecurity. · United States
  • Office of Management and Budget (OMB) Memoranda M‑22‑18 and M‑23‑16. Attestation of secure software development practices for U.S. federal agencies. · OMB
  • FDA guidance on premarket cybersecurity. U.S. Food and Drug Administration guidance, including Section 524B of the Federal Food, Drug, and Cosmetic Act (FD&C Act). · FDA
  • CISA SBOM resources. Working group outputs and sharing guidance from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). · CISA
  • ENISA guidance on software supply chain. European Union Agency for Cybersecurity (ENISA). · ENISA

Need a tailored reading list?

Send me a note describing your role, industry, and objective. I will send a short, curated list that cuts through the volume, free of charge.