[Owasp-leaders] NTIA and software bill-of-materials

Steve Springett steve.springett at owasp.org
Fri Feb 1 21:46:44 UTC 2019


I’m part of two working groups for the U.S. National Telecommunications and
Infrastructure Administration (NTIA) which is working with various industry
(including OWASP) to define software transparency through the use of
software bill-of-materials (BOM).

One of the working groups is looking to interview various roles and
different orgs to determine how/if they use BOMs, or what types of things
they care about when it comes to choosing third-party libraries,
procurement of software, and how that affects upstream/downstream projects,
distributors, etc. The orgs do not have to be U.S. Since supply-chain is a
global threat, having non-U.S. representation would also be beneficial.

If anyone is involved in software supply chain risk at their organization
and currently utilizes BOMs (or wants to), and is willing to participate,
let me know. If not, no worries, but perhaps you can share with others
within your org who may be closer to software supply chain issues and see
if they want to participate. Both working groups meet every Friday. Feel
free to share my contact info with them.

The types of things these working groups are talking about are a lot of what
I’m trying to solve with the CycloneDX BOM specification, the Package URL
specification, and OWASP Dependency-Track.

*Steve Springett*
About:   https://about.me/stevespringett
GitHub:   https://github.com/stevespringett
Keybase:   https://keybase.io/stevespringett   <https://www.owasp.org>