OpenEoX

Two OASIS Standards Projects Receive Open Cup Award: OpenEoX and Genericode

Boston, MA, USA, 25 January 2024 — Winners of the tenth annual Open Cup, recognizing exceptional advancements in open standards and open source, were announced today. The Open Cup for Outstanding New Initiative was awarded to OpenEoX, a unified machine-readable approach to managing and sharing End-of-Life (EOL) and End-of-Support (EOS) information for software and hardware. The Open Cup for Outstanding Approved Standard was awarded to Code List Representation (genericode) V1.0. “Genericode” defines an XML format for the interchange, documentation and management of code lists. In addition, Kenneth Bengtsson and Rich Piazza were named as Distinguished Contributors for their significant impact on the OASIS community.

Open Cup Recipients

OpenEoX brings together major software and hardware providers from around the world to define a unified and efficient method to programmatically verify the EOL or EOS status of the products that businesses and individuals rely on. A standardized approach to EOL and EOS information will empower open source maintainers and vendors alike to deliver more accurate and reliable support to their users. OpenEoX can help reduce cybersecurity risk and susceptibility to vulnerabilities, enabling companies to quickly identify unsupported products. While frameworks like software bill of materials (SBOMs), the Common Security Advisory Framework (CSAF), and Vulnerability Exchange (VEX) have made significant strides in improving information sharing and product lifecycle management, OpenEoX represents a critical step forward in unifying these efforts.

OpenEoX was chosen from a group of Open Cup finalists that included:

“Genericode,” named the Outstanding Approved Standard, was developed by the OASIS Code List Representation TC. The format serves as a unified semantic model for code lists and corresponding XML serialization and is designed to IT-enable and standardize the publication of machine-readable code list information, facilitating interchange between systems. Code lists, ranging from standardized items like country and currency abbreviations to nonstandardized ones exchanged between trading partners, find a standardized representation in genericode. Genericode was chosen from finalists that included PKCS 11 Specification V3.1 and PKCS #11 Profiles V3.1 from the PKCS 11 TC and OSLC Configuration Management V1.0 and OSLC Tracked Resource Set V3.0 from the OSLC OP.

Distinguished Contributors

Each year, the Distinguished Contributor designation is awarded to OASIS members who have made significant contributions to the advancement of open standards and/or open source projects. 

Bringing more than 25 years of global experience in IT and e-invoicing architecture, Kenneth Bengtsson has led infrastructure implementations across five continents. Currently serving as chair of the OASIS Business Document Exchange (BDXR) TC since 2012 and of the OASIS Universal Business Language (UBL) TC since 2019, Bengtsson has contributed to shaping industry standards with five OASIS Standards and an additional four OASIS Technical Specifications under his leadership and guidance.

“I am deeply honored to be named OASIS Distinguished Contributor. This recognition is truly meaningful and a testament to the collective efforts of all members of the UBL and BDXR Technical Committees,” said Kenneth Bengtsson. “I am grateful for the support and guidance from my fellow TC members and to the entire OASIS community for fostering an environment that values openness and collaboration. This award inspires me to continue advocating for OASIS and open standards, and I am committed to continuing my contributions.”

Richard Piazza has been working in the field of cybersecurity since 2010, when he rejoined MITRE after several years at IBM. Since 2015 he has been deeply involved in the STIX specification effort as both a co-editor and a major software contributor.

“It was such a surprise to be named a Distinguished Contributor. I have been working with OASIS on STIX since 2015, including being co-editor of the STIX 2.1 specification,” said Rich Piazza. “I have been able to be a constant contributor to OASIS because it is part of my job at my company. Hats off to all the other contributors I have known through the years who have done amazing work despite also ‘having a day job.’” 

OASIS congratulates this year’s winners and nominees and is grateful for their generous contributions of time and expertise in advancing OASIS’ mission.

OASIS Launches Initiative to Standardize Machine-Readable End-of-Life Information Exchange for Software and Hardware

Boston, MA, USA, 14 December 2023 – OASIS Open, the international standards and open source consortium, announced the launch of OpenEoX, a global initiative to standardize the exchange of End-of-Life (EOL) and End-of-Support (EOS) information within the software and hardware industries. OpenEoX will provide a unified and efficient method to programmatically verify the EOL or EOS status of the products that businesses and individuals rely on. 

A standardized approach to EOL and EOS information will empower open source maintainers and vendors alike to deliver more accurate and reliable support to their users. OpenEoX can help reduce cybersecurity risk and susceptibility to vulnerabilities, enabling companies to quickly identify unsupported products. While frameworks like software bill of materials (SBOMs), the Common Security Advisory Framework (CSAF), and Vulnerability Exchange (VEX) have made significant strides in improving information sharing and product lifecycle management, OpenEoX represents a critical step forward in unifying these efforts.

“It’s crucial for people to stay informed on the lifecycle status of the products and open-source software they rely on. OpenEoX addresses this challenge by providing a common framework that simplifies the process of managing and sharing End-of-Life and End-of-Support information across the industry,” said Omar Santos, co-chair of OpenEoX and Distinguished Engineer, Security & Trust, AI Security Research and Operations at Cisco Systems. “When I started the original work in OpenEoX, I recognized that for it to truly transform the industry, it needed to be advanced in OASIS Open.” 

“OpenEoX will help redefine the landscape of vulnerability management by streamlining the oversight of product lifecycles. This empowers organizations to proactively address security issues through efficient patching and product upgrades,” said Justin Murphy, OpenEoX co-chair and Vulnerability Disclosure Analyst at the U.S. Cybersecurity and Infrastructure Security Agency (CISA). “The machine-readable OpenEoX standard will pave the way for automation and integration with tools such as vulnerability scanners and SIEM systems. It will be able to offer a comprehensive overview of an organization’s security posture, contributing to more informed decision-making and enhanced risk mitigation. We look forward to continuing to work with OASIS Open and the broader vulnerability management community to build a path toward more efficient, automated and prioritized vulnerability management.”

Participation in OpenEoX is open to all through OASIS membership. OpenEoX invites software and hardware vendors; open source maintainers; technology consultants; business stakeholders reliant on technology products; international, federal, and local government organizations; and others to become part of this collective effort. For more information on OpenEoX, please visit https://openeox.org/

Support for OpenEoX

Huawei
“Huawei is proud to join the OpenEoX project and support the establishment of standardized software and hardware end-of-life and end-of-support programs. We understand the impact of rapid tech development on the industry and are committed to working with stakeholders to explore a standardized approach to EOL and EOS programs. This will streamline processes, reduce confusion, and ensure a smooth transition for consumers. We look forward to contributing to the health and sustainability of the entire hardware and software ecosystem!”
– Martin Xie, Director of Huawei Cybersecurity Transparency Center

Microsoft
“Standardizing how the industry performs End of Life/End of Support for developed software/services and their related direct and transitive dependencies is critical to the evolution of end-to-end software supply chain security. Microsoft is proud to contribute to this work, which achieves even more transparency in better-made software while further building trust with more informed consumers.”
– Brendan Burns, CVP, Azure OSS Cloud Native

Qualys
“Qualys has been helping enterprises assess their first-party & open-source software risks through our Enterprise TruRisk Platform and is pleased to partner with OpenEoX to build an open standard to do this at scale. Identifying End-of-Life (EOL) and End-of-Service (EOS) applications in hybrid environments is now a concern at the CIO level, not just for CISOs. The capability to measure, communicate, and, more importantly, eliminate risks stemming from such tech debt demands a collaborative effort involving cybersecurity vendors, software vendors, and IT departments within organizations. We’re pleased to collaborate with OpenEoX to facilitate this process.”
– Pinkesh Shah, CPO, Qualys

Red Hat
“As an open source solutions provider with a broad product portfolio, consistently communicating lifecycle information to our customers and partners can pose a challenge. With OpenEoX, Red Hat will be able to streamline that process, providing users with a more accurate and reliable view over the lifecycle of their technologies. This information, integrated with other components of the vulnerability assessment process, will complement data like VEX and SBOMs and help our users address and remediate potential security issues more quickly and efficiently.”
– Pete Allor, Sr. Director, Red Hat Product Security

Sophos
“In today’s dynamic world of cybersecurity threats, identifying the end stages of software and hardware—End-of-Life (EOL) and End-of-Support (EOS)—is critical. While tools like SBOMs, CSAF and OHDF have advanced the field, there is a vital need to address the lack of knowledge when products are no longer supported and the vulnerabilities they introduce. OpenEoX will help us solve this gap with a streamlined process for lifecycle management, minimizing risks from outdated technology. Sophos is excited to work with the OpenEoX community to create a flexible framework that seamlessly melds with current standards and tools, streamlining the addition of EOL / EOS into the product lifecycle.”
– Mike Fraser, VP of Product Management of DevSecOps and Automation, Sophos

Introducing OpenEoX: Identifying the Risk of End-of-X in Products at Machine Speed

In the ever-evolving landscape of cybersecurity and supply chain security, it has become increasingly necessary to ensure the timely identification of End-of-Life (EOL) and End-of-Support (EOS) milestones for software or hardware. The current frameworks in place, including Software Bill of Materials (SBOMs), the Common Security Advisory Framework (CSAF), and Vulnerability Exchange (VEX), have been making strides in enhancing the transparency and efficiency of cybersecurity processes. Despite these advancements, there exists a significant gap in the industry: the lack of a standardized method to programmatically ascertain the EOL/EOS status (i.e., EoX) of products, a gap more noticeable with open-source software. It is in this context that we introduce OpenEoX.

OpenEoX seeks to address this problem by facilitating a programmatic approach to identifying the endpoint of a product’s lifecycle. Once software or hardware passes its EoX milestones, security vulnerabilities and functional bugs are no longer addressed, which significantly increases the risk for any organization still running that product. OpenEoX aims to foster a more transparent, efficient, and unified method that includes vendors, open-source maintainers, and consumers of technology. Our objective is not to introduce another isolated specification but to develop a lightweight schema that can integrate seamlessly into existing solutions such as SBOMs, VEX, and asset and vulnerability management systems, among others.

OASIS Open recently announced the draft charter of the OpenEoX Technical Committee.

We are at a critical juncture where collaboration and collective effort are vital to shaping a standard that will serve the broader community. Many leading organizations, including Microsoft, Cisco, Red Hat, Siemens, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Germany’s Federal Office for Information Security (BSI), and others, are already engaged in this effort.

As we continue to make strides, we are extending an open invitation to those interested in joining this pioneering initiative. Join now! Your involvement will be instrumental in sculpting a new standard that promises to revolutionize the industry. We are eager to collaborate with industry experts around the world.

We encourage you to share this opportunity with other professionals and enthusiasts in the field. Your support in spreading the word will play a critical role in bringing together a community of like-minded individuals committed to fostering a safer and more secure digital environment.

We would like to invite you to our inaugural TC meeting on November 2nd. We strongly encourage you to become a member of the OpenEoX TC by October 26th, 2023, allowing you to contribute and participate in decision-making activities right from the beginning. Of course, you can choose to join the TC later as well. Both OASIS and the TC are enthusiastic about your engagement in this effort. Feel free to contact us at join@oasis-open.org for more information.
