OASIS Open, a global open-source and standards organization, has announced the formation of a technical committee to standardize supply chain information models.
The aim of the Open Supply Chain Information Modeling (OSIM) technical committee is to build a unifying framework that sits on top of existing SBOM data models, such as CSAF, CycloneDX, OpenVEX, and SPDX. The framework isn't intended to replace current models, but rather to bring clarity to software supply chain partners, mitigate vulnerabilities and disruptions, reduce security risks, and make it easier for companies to plan for upgrades and contingencies, OASIS Open said.
Jay White, security principal program manager at Microsoft and co-chair of the OSIM technical committee, said reports created using the framework will look the same and be readily actionable.
"What OSIM wants to do is standardize information models so the taxonomies are similar."
—Jay White
In addition to Microsoft, other backers of OSIM include Checkmarx, Cisco, Cyware, Google, IBM, Legit Security, Root, SAP, the U.S. National Security Agency (NSA), and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Allan Friedman, senior technical advisor at CISA, said the aim of OSIM is to bring greater visibility to the software supply chain.
“We have many of the basic building blocks for software transparency and security, including SBOM, VEX, and CSAF. This work by OASIS will facilitate automation for easier and cheaper implementation and tooling and help provide a unifying supply chain framework and raise the level of collaboration across industries.”
—Allan Friedman
Isaac Hepworth, group product manager at Google and OSIM's co-chair, added that the initiative represents an important effort to address the need for greater structure and comprehensibility of software supply chains.
“By establishing standardized information models, we can enhance transparency, interoperability, and resilience in end-to-end operations — ultimately aiding cyber-risk management and protecting critical infrastructure.”
—Isaac Hepworth
Here's what you need to know about OSIM — and what experts have to say about the initiative's potential impact on improving software supply chain security.
OSIM: The practical value — and the promise
First and foremost, OSIM aims to address the problem of the proliferation of supply chain information models, each of which aims to solve a specific problem or target a particular technology. Liav Caspi, chief technical officer at Legit Security, said there is a lot of confusion and a knowledge gap on using all those models to bring trust into the software supply chain.
"Evidence of that is that supply chain attacks are on the rise, and there are no practical solutions yet to mitigate them from an industry perspective."
—Liav Caspi
John Gallagher, vice president of Viakoo Labs, said that, as with the early stages in other technologies, various supply chain information models have some overlap. But he said each has characteristics and data that make it more suitable for a particular use versus another model.
“For example, OpenVEX might have some advantages for IoT/OT systems because of the vulnerability information it carries as compared to CycloneDX, which has a more complete hardware/software BOM.”
—John Gallagher
Jim Routh, chief trust officer at the security firm Saviynt, said OSIM's formation is significant not only because it has the backing of leading enterprise software companies, but also because it provides a clear direction on how to manage the use of the many SBOM data models that have evolved. Routh noted that the framework will also establish automation capabilities to make it easier to manage software supply chains and the implementation of interoperability.
Tamir Passi, senior product director at the security firm DoControl, called the initiative a "huge win" for the security industry because of the big-name players that have signed on to participate. The creation of a standard SBOM solves a gap in software development and helps organizations move closer to having a solid product security posture, Passi said.
“The SBOM provides engineering teams with the ability to maintain the assets used within their SaaS products and provides the mechanism to identify where these exploits and vulnerabilities reside. A standardized SBOM provides the mechanism to enhance the software change process through automation and therefore the upgrade process becomes more efficient and less costly.”
—Tamir Passi
The state of the SBOM: Standardization not enough
The current, non-standardized state of SBOMs can have a detrimental impact on automation — which is key to SBOMs being actionable. With use of SBOMs rapidly accelerating, more effort is needed to reduce the number of options for information models, said Viakoo Labs' Gallagher.
“Lack of standardization of information models slows down automation of threat detection and remediation, prevents consolidation of workflows, and leaves many organizations to expend their own efforts — and possibly head down a dead end — in making SBOMs useful.”
—John Gallagher
The lack of a unified model for information such as vulnerabilities, risks, and materials also slows down collaboration. “Software powers our world, and many industries are slowed down by security and operational consideration. Eventually, better supply chain security and consistency lead to faster innovation and a safer world,” said Legit Security's Caspi.
However, standardization may be only part of the answer, said Neatsun Ziv, CEO and co-founder of OX Security. Technology is evolving quickly, making it hard to build a framework that is relevant and adaptable. It requires a strategic approach that involves collaboration among all stakeholders, independent of vendor offerings. “While I applaud this new initiative by Oasis Open, I believe that, if built too loosely, like the previous standard SARIF [Static Analysis Results Interchange Format], it will be a good basis, but each vendor will implement it in a different way, causing even more confusion,” Ziv said.
“In the end, it will not reduce manual work, or improve how organizations react. It will just create another standard for reporting.”
—Neatsun Ziv
Beyond the SBOM: Less talk, more action on supply chain security
What the industry really needs is a way to reduce the noise, not just standardize it, Ziv said. “The best approach is to provide the necessary context to allow AppSec teams to identify, prioritize and remediate the most critical vulnerabilities affecting our software supply chain security,” he said.
Joe Coletta, product marketing manager and evangelist for ReversingLabs, said the framework proposed by OSIM will serve as a good starting point for mitigating software supply chain risk. However, he said, existing SBOM data models that focus on vulnerabilities capture only a fraction of the full scope of software supply chain threats.
"Meaningful risk management will require assessments that detail the full list of software components, how they map to a broader set of threat categories, their interactions, and compliance status."
—Joe Coletta