Introducing OpenEoX: Identifying the Risk of End-of-X in Products at Machine Speed
By Omar Santos, Cisco Security Research and Operations; OASIS Board Member; OASIS CSAF TC Chair
In the ever-evolving landscape of cybersecurity and supply chain security, it has become increasingly necessary to ensure the timely identification of End-of-Life (EOL) and End-of-Support (EOS) milestones for software or hardware. The current frameworks in place, including Software Bill of Materials (SBOMs), the Common Security Advisory Framework (CSAF), and Vulnerability Exchange (VEX), have been making strides in enhancing the transparency and efficiency of cybersecurity processes. Despite these advancements, there exists a significant gap in the industry: the lack of a standardized method to programmatically ascertain the EOL/EOS status (i.e., EoX) of products, a gap more noticeable with open-source software. It is in this context that we introduce OpenEoX.
OpenEoX seeks to address this problem by facilitating a programmatic approach to identifying the endpoint of a product’s lifecycle. When software or hardware reaches EoX milestones, security vulnerabilities and functional bugs are not addressed. This significantly increases the risk of any organization. OpenEoX aims to foster a more transparent, efficient, and unified method that includes vendors, open-source maintainers, and consumers of technology. Our objective is not to introduce another isolated specification but to develop a lightweight schema that can integrate seamlessly into existing solutions such as SBOMs, VEX, asset and vulnerability management systems, among others.
OASIS Open recently announced the draft charter of the OpenEoX Technical Committee.
We are at a critical juncture where collaboration and collective effort are vital to shaping a standard that will serve the broader community. Many leading organizations including Microsoft, Cisco, Red Hat, Siemens, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Germany’s Federal Office for Information Security: BSI, and others are already engaged in this effort.
As we continue to make strides, we are extending an open invitation to those interested in joining this pioneering initiative. Join now! Your involvement will be instrumental in sculpting a new standard that promises to revolutionize the industry. We are eager to collaborate with industry experts around the world.
We encourage you to share this opportunity with other professionals and enthusiasts in the field. Your support in spreading the word will play a critical role in bringing together a community of like-minded individuals committed to fostering a safer and more secure digital environment.
We would like to invite you to our inaugural TC meeting on November 2nd. We strongly encourage you to become a member of the OpenEoX TC by October 26th, 2023, allowing you to contribute and participate in decision-making activities right from the beginning. Of course, you can choose to join the TC later as well. Both OASIS and the TC are enthusiastic about your engagement in this effort. Feel free to contact us at join@oasis-open.org for more information.