Hey everyone, we're back here live in Austin at the Linux Foundation Open Source Summit event. This is our third day, but it's technically day two of the event. We started on Monday. This is the OWASP portion of our coverage. I'm really happy to be joined by my friend Andrew van der Stock. Andrew, welcome. Good to see you. And joining Andrew with me is a new person for me, Steve Springett. Is that right? Indeed, Alan. Also with OWASP. Gentlemen, welcome. Thanks for having us. Thank you. So what brings OWASP to Open Source Summit? SBOMs. SBOMs. We worked with the US government, in particular Allan Friedman, to set up a meeting between the SPDX and CycloneDX teams. CycloneDX is OWASP's SBOM standard. It's heavily used, and Steve is our co-leader of the CycloneDX project. Indeed. Congratulations, cool. So tell us about the project and kind of what's going on with it. Yeah, it's an SBOM standard purpose-built for a lot of the cybersecurity use cases. It handles license and intellectual property use cases as well, but it's primarily focused on cybersecurity, and there's a lot of different cybersecurity use cases that we support. A huge focus on automation, and we've got really good adoption within the security community. Most major SCA vendors already support CycloneDX today. There's some IS vendors and mobile vendors, et cetera, that are supporting the standard. So it's been pretty well adopted thus far. We did some preliminary estimates in December of last year. Conservatively, there's around 100,000 organizations today that have adopted CycloneDX. We have some really interesting data, some actual data on the usage of CycloneDX, which is in the billions today. So it's definitely being used in mass quantities in a large percentage of the population, but even with 100,000 organizations, that's still small in comparison to the millions of organizations that exist. So there's still a lot of growth potential there. Excellent.
100,000 is an impressive number though, I gotta tell you. So, just as something relevant: how long has CycloneDX been around now? It was created in 2017. The first release was in 2018. A lot of the research that went into CycloneDX actually predates all of that, going back to 2013 with some of the really early OWASP work that we were doing. Absolutely. You know, we were talking off camera about this event. I was at RSA with Jeff Seckoff, so we talked a little bit about SBOMs. Two of the people, they're two friends. I think Andrew probably knows Chenxi Wang. Oh yeah, Chenxi. Chenxi and Carolyn Wang. And we had this discussion around SBOMs. And Chenxi made a very interesting observation that I haven't heard before, that one of the things that we need to figure out to overcome wider adoption, or enable wider adoption, of SBOMs is this notion of IP. So in other words, if I give you the recipe to my software, which an SBOM may very well be, what's to stop you from brewing your own? And it's fine in open source, because in open source that's kind of the way we do things. It's not so fine in not open source. Right. Even though, you know, the not open source software may very well contain a ton of open source in it, as it often does, it's still a recipe. It's an IP issue. I think honestly, we do the reference implementation for open source. And if open source then becomes more trusted than proprietary, the market will follow. So from my perspective, the reality is this: if we actually demonstrate you can get better security from open source software because of open source, then not only do you have the freedom, you also know that this is somewhat trustworthy. Whereas, if you have proprietary software and they don't want to give you the recipe, well, maybe I don't trust that. I can't use that in this particular scenario. Right. And there is a, you know, there's the distinction between like the recipe versus the raw ingredients, right?
You can look on the back of a Coke can and see the ingredients. But you don't have the formula. Exactly. Exactly. So, you know, the intellectual property concerns and SBOMs can coexist. So I've spoken to several folks here the last couple of days around SBOMs, as one would at any security-themed conference these days. And, you know, what I'm afraid of is the Unix-ization of SBOMs, right? If we have too many standards, too many flavors of SBOMs that aren't necessarily compatible, are we going to have a Unix situation, right? Where you need a different application spun up? You know, if you look at SBOMs, I kind of equate it to like an automobile, right? Well, you can have an F-150 and you can have a Maserati, right? Is one better than the other? It really depends on what you want to use it for, right? And I think SBOM formats today are kind of that way. You can use both formats simultaneously. They both bring something, you know, good to the table. We believe at OWASP that we bring a lot of the security use cases to the table. That's kind of our main focus. But SPDX brings its strengths to the table as well. And, you know, organizations can adopt both. And many security vendors can adopt both, and they have adopted both. Now, there are security vendors that can either do one format or the other. Now, in the security space, it's typically CycloneDX, because we support a lot of the use cases that, you know, the other format may not. But organizations are free to adopt both of these formats, and there is a certain amount of interop between the two. There is. There is, to an extent. But if you care about a lot of the other things that are not necessarily common between the formats, they will in fact be lossy. So let's do some table setting, if you don't mind, for our audience. So CycloneDX is the OWASP standard. SPDX, right? That's the Linux Foundation OpenSSF. I was afraid I gave an extra S in there somehow. But OpenSSF, that's their standard.
You know, I'm reminded of the early days of RSS feeds. We had RSS1, RSS2, Atom, you know, and it was a real pain in the butt, right? Because you wanted to get an RSS feed and read all of your blogs or whatever, and depending on what RSS version they used, it didn't work, till FeedBurner came along and it kind of normalized RSS feeds for everyone. It ended up selling to Google for like a hundred million dollars with no revenue. And Dick Costolo was the founder of that. He went on to be Twitter CEO for a while. But do we need a FeedBurner? There are translation tools. I mean, I hate to hear that we lose stuff in the sauce though. Yeah, I mean, we're not ready to announce much about this meeting, but that was the reason why the meeting existed: to have a frank and open discussion between the two teams. And we really thank the Linux Foundation for inviting us here. That's good. So you heard it right here first. Stay tuned. I think we're going to see something hopefully come out of this that'll help us all as we kind of rally behind maybe one standard, or more interoperability, depending on whichever standard it is you want to pick for your SBOM needs. Now you mentioned 100,000, which boggles my mind, 100,000 organizations using it already. What do you think the actual addressable market is though? How many? I don't know. I mean, it's going to be in the millions. Out of the 100,000 organizations that we know of that have adopted it, we know that around 202 million components are represented in CycloneDX every single month. And in one tool specifically that was measured, which analyzes and consumes these, that equates to about 20 billion checks for components with known vulnerabilities every single month. That's just the data that we know about. And again, it's a substantial number. It's big enough to know that this stuff works. It works in mass. And we can operationalize this without a lot of effort.
But it's still small in comparison to the millions of organizations that exist. And the interesting part about the folks that are adopting a lot of this, you know, the early adopters in this space, what I find in the OWASP community is that the majority of them are using it for internal best practices. They're not necessarily sharing these things out. Well, it's only maybe, certainly within the last year, with the White House and everything, that we've seen this light where, you know, it's become a thing, right? I think before it was basically for internal practice and internal teams. I think it'll really become commonplace and, you know, de facto when end user organizations, when I go to buy software from you or I go to consume software from you, I say, I need an SBOM. Even if it's for my compliance, governance and stuff, I need an SBOM. I think honestly, that's exactly right. And I think the federal government here has a huge role. FedRAMP improved the cloud security for so many people. Absolutely. And it didn't say you have to buy AWS. It didn't say you have to buy Azure. No, it just said it had to be FedRAMP certified. Yeah. And that's where I think SBOMs need to go. And I think honestly, the driving factor here is the EO. And that's what we're working on: how do we get the features we don't have in CycloneDX? How do we get the interop so people who use both don't lose data? And that's, I think, a really good thing. I agree. Yep, 300%. No pressure. But when do you think we might see some kind of announcement or movement on this? Well, I'm hoping that we'll have a joint announcement by the beginning of next week. We've made some really good commitments. And I think honestly, the next part is to actually do the work. Well, that's always the easy part. Well, you know. Yeah, I know. Well, I'll tell you this, I am back in our offices next week.
I'd love to see an announcement, or maybe we can grab someone from the Linux Foundation, and I wonder if both of you want to discuss this further. We'll reach out to Greg Allen, Friedman too. That would be a great panel on SBOMs. I think so. I mean, Kate Stewart is the lady you need to talk to. All right. I'll reach out to her. Hey, beyond SBOMs. Andrew, what else is happening with OWASP? Well, we have invalid bylaws. And we're going to need all of our members to vote for it. And so we're actually working on a replacement bylaw package at the moment that gives the members what they want, because we need the members to actually approve it. So if you're a member out there, go vote for this. I see this in my homeowner's association. No one goes to the meetings, but no one will even fill out the proxy forms so that you have a quorum to get things done. So don't let that happen here. Get the OWASP bylaws passed. Yep. So we're hoping to do that in conjunction with our next directors' election. Very cool. Hey, guys, thank you both for the, you know, people don't realize it's a lot of work working for an OWASP or a Linux Foundation. And just because they have the nonprofit name on there doesn't mean everyone A, works for free, or B, that people don't really bust their butts working on these things. So thank you both for what you're doing. And, you know, I know how hard you are at it, Andrew. And Steve, it sounds like you're doing a bang-up job. So thank you.