New SPDX support advances continued open source collaboration for best practices in software supply chain security
Anchore, a leader in software supply chain security, announced that Syft, an open source tool that generates a Software Bill of Materials (SBOM), can now output its results in the Software Package Data Exchange (SPDX) standard, which makes it easy to share SBOM data across systems and organizations.
Because Syft is easily integrated into a variety of build systems and development tools, developers can now use Syft to automatically generate SBOMs in the SPDX format as part of their existing build processes. Syft users now have an interoperable format for communicating SBOM information, including the software components, dependencies, and versions that are embedded in software container images and file systems.
“As both enterprises and the open source community continue to adopt the SPDX standard, it’s beneficial to have Syft support SPDX formats that streamline the exchange of SBOMs within and between organizations,” said Kate Stewart, Vice President of Dependable Systems at the Linux Foundation. “We want to encourage use of reliable and innovative open source tools to help secure the software supply chain and prevent breaches. Producing SBOMs in the SPDX format is an essential element of that.”
SPDX, an internationally recognized ISO standard for SBOMs, is sponsored by the Linux Foundation and is an important element of software supply chain security. The recent United States Cybersecurity Executive Order defines new requirements for an SBOM as part of federal government procurement. Anchore is an active member of the Linux Foundation and supports its continued adoption of SPDX as a way to easily communicate SBOM information across the software supply chain. In a recent Anchore survey, 60% of respondents indicated that securing the software supply chain is a top or significant area of focus.
“With recent software supply chain attacks infiltrating internal software build processes, organizations can leverage SBOMs during the development process to monitor changes in the SBOM and reduce the risk of successful attacks,” said Daniel Nurmi, Anchore CTO and Co-Founder. “Syft is a powerful tool that can inspect container images and source code repositories alike, reporting on dependencies and software packages, all the way down to individual file information. This type of deep inspection and insight makes it possible to identify unintentional or malicious content being installed during application builds.”