External Links
Useful resources and links for SBOM and supply chain security
This page contains a curated collection of external resources that provide valuable information about SBOM, supply chain security, and related topics.
Standards Organizations
SPDX
- Website: https://spdx.dev/
- Description: The Software Package Data Exchange (SPDX) is an open standard for communicating software bill of materials information
- Key Resources: SPDX specification, tools, and examples
CycloneDX
- Website: https://cyclonedx.org/
- Description: CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities
- Key Resources: Specification, tools, examples, and use cases
OpenChain
- Website: https://www.openchainproject.org/
- Description: Industry standard for open source license compliance
- Key Resources: Specification, training materials, and certification programs
Government and Regulatory
CISA (US)
- Website: https://www.cisa.gov/sbom
- Description: US Cybersecurity and Infrastructure Security Agency SBOM resources
- Key Resources: SBOM guidance, minimum elements, and tools
NIST (US)
- Website: https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity
- Description: National Institute of Standards and Technology cybersecurity resources
- Key Resources: SSDF framework, SBOM guidance, and security guidelines
ENISA (EU)
- Website: https://www.enisa.europa.eu/
- Description: European Union Agency for Cybersecurity
- Key Resources: Cybersecurity guidelines, threat landscape reports
MSB (Sweden)
- Website: https://www.msb.se/
- Description: Swedish Civil Contingencies Agency
- Key Resources: National cybersecurity strategy and guidelines
Industry Initiatives
Linux Foundation
- Website: https://www.linuxfoundation.org/projects/
- Description: Open source projects for software supply chain security
- Key Projects: SPDX, OpenSSF, Sigstore, SLSA
OpenSSF
- Website: https://openssf.org/
- Description: Open Source Security Foundation
- Key Resources: Security scorecards, best practices, tools
SLSA
- Website: https://slsa.dev/
- Description: Supply-chain Levels for Software Artifacts
- Key Resources: Framework specification, implementation guidance
Tools and Platforms
SBOM Generation Tools
- Syft: https://github.com/anchore/syft
- SPDX Tools: https://github.com/spdx/tools
- CycloneDX CLI: https://github.com/CycloneDX/cyclonedx-cli
SBOM Analysis Tools
- SBOM Analyzer: https://sbom.observer/
- Grype: https://github.com/anchore/grype
- Dependency-Track: https://dependencytrack.org/
Vulnerability Databases
- NVD: https://nvd.nist.gov/
- OSV: https://osv.dev/
- VEX Hub: https://vex.dev/
Research and Academia
Academic Papers
- Software supply chain security research
- SBOM adoption studies
- Vulnerability analysis methodologies
Industry Reports
- State of software supply chain reports
- SBOM adoption surveys
- Security incident analysis
Community Resources
Forums and Discussion Groups
- SPDX working groups
- CycloneDX community discussions
- OpenSSF community forums
Events and Conferences
- Software supply chain security conferences
- SBOM-focused workshops and meetups
- Industry standards meetings
Training and Certification
Online Courses
- SBOM fundamentals training
- Supply chain security courses
- Standards-specific training materials
Certification Programs
- OpenChain certification
- Cybersecurity certifications with SBOM components
- Vendor-specific training programs
This list is regularly updated to reflect the evolving landscape of SBOM and supply chain security resources. For the most current information, always refer to the official sources.