惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Threatpost
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Engineering at Meta
Engineering at Meta
T
The Blog of Author Tim Ferriss
Recent Announcements
Recent Announcements
G
Google Developers Blog
Google DeepMind News
Google DeepMind News
The Register - Security
The Register - Security
MongoDB | Blog
MongoDB | Blog
U
Unit 42
B
Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
L
LangChain Blog
Stack Overflow Blog
Stack Overflow Blog
P
Privacy International News Feed
L
LINUX DO - 最新话题
博客园_首页
博客园 - Franky
大猫的无限游戏
大猫的无限游戏
小众软件
小众软件
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Tor Project blog
V
Visual Studio Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
P
Privacy & Cybersecurity Law Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
K
Kaspersky official blog
C
Cisco Blogs
博客园 - 【当耐特】
阮一峰的网络日志
阮一峰的网络日志
I
Intezer
罗磊的独立博客
MyScale Blog
MyScale Blog
Last Week in AI
Last Week in AI
A
About on SuperTechFans
G
GRAHAM CLULEY
Y
Y Combinator Blog
Microsoft Security Blog
Microsoft Security Blog
GbyAI
GbyAI
T
Threat Research - Cisco Blogs
P
Proofpoint News Feed
D
DataBreaches.Net
The Hacker News
The Hacker News
Spread Privacy
Spread Privacy
AWS News Blog
AWS News Blog
I
InfoQ
T
The Exploit Database - CXSecurity.com
Simon Willison's Weblog
Simon Willison's Weblog
博客园 - 叶小钗
Project Zero
Project Zero

OWASP

Aikido and OWASP bring agentic Code Audit to the global AppSec community | OWASP Foundation Community update regarding Richard Greenberg | OWASP Foundation OWASP Dependency-Track 5.0 Is Now Generally Available | OWASP Foundation Juice Shop v20.0.0 — a fresh squeeze of features, now with AI | OWASP Foundation Welcome to the Google Summer of Code 2026! | OWASP Foundation OWASP Foundation Unveils Its Strategic Plan for a World Without Insecure Software | OWASP Foundation The OWASP Foundation appoints Missie Lindsey as Director of Corporate Relations | OWASP Foundation Bridging the Gap in Product Lifecycle Management: How OpenEoX and CLE Work Together | OWASP Foundation Announcing the Retirement of OWASP Meetup Platform | OWASP Foundation The OWASP Foundation appoints Stacey Ebbs as Communications & Marketing Manager | OWASP Foundation OWASP Certified Secure Software Developer | OWASP Foundation GSoC 2025 Recap | OWASP Foundation OWASP Top 10 Community Survey | OWASP Foundation OWASP Elections 2025 - Become a member today! | OWASP Foundation Help Support Sherif Mansour by donating blood today! | OWASP Foundation cdxgen and CycloneDX .NET Join GitHub Secure Open Source Fund | OWASP Foundation InfoSecMap x OWASP Collaboration | OWASP Foundation OWASP x Google Summer of Code 2025 - Enabling 15 opportunities for impact | OWASP Foundation OWASP Enables AI Regulation That Works with OWASP AI Exchange | OWASP Foundation OWASP Calls to Build a Unified Framework for Global Vulnerability Intelligence | OWASP Foundation ASVS 5.0 RC1 is ready for your review! | OWASP Foundation OWASP Education and Training Committee update | OWASP Foundation Committees Advisory on Software Bill of Materials and Real-time Vulnerability Monitoring for Open-Source Software and Third-Party Dependencies | OWASP Foundation OWASP Juice Shop leadership changes & contributor recognition | OWASP Foundation More than a Password Day 2024 | OWASP Foundation A workaround for OWASP Foundation emails being blocked by Microsoft Office 365 | OWASP Foundation Securing React Native Mobile Apps with OWASP MAS | OWASP Foundation
Lifecycle events are part of the secure supply chain | OWASP Foundation
2024-11-26 · via OWASP
image

Tuesday, November 26, 2024

A new OWASP project - Common Lifecycle Enumeration - aims to standardize encodings of product lifecycle events, such as end-of-life, end-of-support and others. The specification will become an ECMA International standard when ready. Read more about this exciting new OWASP project!

Digital products, both hardware and software have a lifecycle that mirrors human life - they are born, grow and develop, and eventually come to an end, just like ourselves. However, there are many more changes in a product’s lifecycle that need to be captured, both for commercial products and open source software. The end-of-life state will affect many users of a product in various ways and needs to be communicated in a way that supports a high degree of automation.

When building a product today, we combine components from a range of upstream vendors and open source projects - a motherboard, operating system, sensors, software libraries and tools. The bill-of-materials (BOM) is a necessary tool to manage both hardware and software during the lifetime of the product. The BOM, when combined with lifecycle events, provides a foundation for automating and proactively managing each product’s lifecycle.

Regulators require product lifecycle management

New regulations, like the recently adopted EU Cyber Resilience Act, enforces a lifecycle management process where manufacturers are obliged to maintain security through the product’s entire lifecycle, from purchasing to decommissioning. This means manufacturers must ensure that the product and all components are secure, kept up-to-date, and free of exploitable vulnerabilities.

The OWASP CycloneDX bill-of-materials standard can cover many aspects of a product, both software and hardware. But one thing that’s been missing is just the lifecycle events, like end-of-support, end-of-life and end-of-sales. For Open Source projects there are similar events covering “LTS release support”, “security fixes only”, “stable” and other variants.

Monitoring the life state of a product or component is essential

A manufacturer needs to be assured that components from upstream vendors and projects are supported, otherwise the manufacturer assumes full responsibility.

A customer, through their IT organization, also wants to be able to plan their inventory and capture this information from all vendors. Products without any support need to be phased out in a controlled and planned way with as few surprises as possible.

Lifecycle management requires a high degree of automation

This exchange of information across the supply chain needs to be both enumerated in a standard format and automatically exchanged. Rest assured that OWASP is working on all fronts here.

The OWASP Common Lifecycle Enumeration (CLE) project is actively working on a standard for capturing these events. This will be part of the effort to standardize OWASP standards in ECMA TC54. The summer of 2024 CycloneDX became an ECMA standard and more is on the way. A new working group, ECMA TC54 TG3, was formed in October 2024 to lead the standardization alongside working groups for the Package URL (PURL) and the Transparency Exchange API.

How OWASP CLE fits into other work

The CLE syntax will be adopted by the OWASP Transparency Exchange API (TEA) working group (also known as “Project Koala”) that creates a standardized set of APIs for publishing and consuming software and hardware transparency artifacts like SBOM, HBOM, VEX/CSAF vulnerability information, IN-Toto attestations, SCITT statements and much more. With TEA the interaction between customers and vendors will be highly automated. A standard API leads not only to efficient workflows, but also keeps costs for integration under control. Many vendors of platforms have shown interest in integration TEA into their systems, including OWASP Dependency Track, a leading open source platform for software transparency, license compliance and vulnerability management.

If you’re interested, all are welcome to join the work in the OWASP common lifecycle enumeration project!

https://owasp.org/www-project-common-lifecycle-enumeration/

Benji Visser
Leader of OWASP CLE

Olle E. Johansson
Leader of OWASP CycloneDX project Koala