Steve Springett, OWASP CycloneDX leader

Steve Springett

The CycloneDX standard continues to evolve to meet the increasing demands of software transparency, AI accountability, and supply chain security. Version 1.7 introduces targeted improvements, including refinements to cryptographic asset (CBOM) support and new support for patents and TLP (Traffic Light Protocol) sharing labels. Version 2.0, by contrast, is a major architectural shift: a modular, model-driven approach designed to increase reuse, expressiveness, and long-term maintainability.

This session will walk through the new capabilities introduced in CycloneDX 1.7 and preview the roadmap to 2.0. We'll discuss the practical benefits for tool developers and adopters, explain how the new model structure works, and offer guidance on preparing for the transition. Whether you're building SBOM tooling, managing compliance, or contributing to the standard, this talk will equip you with the current state and the future direction of CycloneDX.


Open Source Security Foundation
OWASP Foundation
Open Regulatory Compliance Working Group (ORCWG.ORG)