Shane Coughlan

The OpenChain Project has a mission to establish trust in the Open Source from which Software Solutions are built. The International Standard OpenChain ISO 5230 addresses this matter from the perspective around open source license compliance. Many of the same processes are equally applicable to open source security and for this reason we are providing guidance regarding how they can be applied.

The OpenChain Security Assurance Reference Guide 1.0 has a similar format to OpenChain ISO 5230. It can be regarded as a map enabling a user to transpose the proven processes of ISO 5230 to the security domain. This first iteration of the reference guide focuses on the core process of identifying and addressing “known vulnerabilities.” Over time we will evolve the guide to refine its effectiveness.

The OpenChain Security Assurance Reference Guide should be understood as a method to complement rather than compete with security specific standards. It is quite possible that an organization is compliant with another given standard will automatically meet all the processes outlined in the OpenChain Security Assurance Reference Guide. This is by design.

As the OpenChain Project adds additional reference guides over time (e.g., quality, export compliance, malware and functional safety) the value of OpenChain ISO 5230 will grow. This work – as with all activity inside the OpenChain Project – will be undertaken by the community of user companies for the benefit of the community.

Get The Reference Guide

• https://github.com/OpenChain-Project/SecurityAssuranceGuide/tree/main/Guide/1.0

Send Feedback To The Specification Team

• https://lists.openchainproject.org/g/specification

Sony Semiconductor Solutions, a global leader in advanced technologies of image sensor, has announced an OpenChain ISO 5230 conformant program.

“As a global leader of imaging & sensing technology, Sony Semiconductor Solutions Corporation adopted the OpenChain standard early in the lifecycle in 2019. We have operated a quality management system including OSS license compliance so that our customers can use our products and services with confidence,” says Dai Sugimoto, Quality Officer of Sony Semiconductor Solutions Corporation. “We are delighted to continue our engagement by announcing conformance to OpenChain ISO/IEC 5230. This International Standard offers a clear signal that a company uses industry best practices in managing open source license compliance. We believe it is important for our company and our supply chain.”

“Sony Semiconductor is a prime example of the very heart of the supply chain,” Shane Coughlan, OpenChain General Manager. “They play a critical part in ensuring advanced products get to market, and they do so with a continuing commitment to excellence. OpenChain ISO 5230 conformance is another step in this process, ensuring the highest quality of open source compliance program. We look forward to collaborating deeply in the months and years to come.”

About Sony Semiconductor Solutions Corporation

Sony Semiconductor Solutions Corporation is the global leader in image sensors. Our semiconductor business also includes a variety of other parts including microdisplays, LSIs, and laser diodes. We strive to provide advanced imaging technologies that bring greater convenience and fun to people’s lives. In addition, we also work to develop and bring to market new kinds of sensing technologies with the aim of offering various solutions that will take the visual and recognition capabilities of both human and machines to greater heights. For more information, please visit: https://www.sony-semicon.co.jp/e/

About OpenChain

The OpenChain Project maintains the International Standard for open source license compliance. This allows companies of all sizes and in all sectors to adopt the key requirements of a quality open source compliance program. This is an open standard and all parties are welcome to engage with our community, to share their knowledge, and to contribute to the future of our standard.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and industry adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. 

Linux is a registered trademark of Linus Torvalds.

Cybellum, a leader in embedded product security and license compliance management for mission critical industries, is the latest vendor to join the OpenChain Project partner program. 

Their engagement will focus on raising awareness among user companies regarding open-source license compliance and security, while ensuring they have freedom of choice when considering commercial automation solutions around ISO/IEC 5230 conformance activities. ISO/IEC 5230 is the International Standard for open-source license compliance.

“Cybellum has been actively supporting automotive, medical-device and industrial IoT manufacturers with automation around security and compliance of their products,” says Shane Coughlan, OpenChain General Manager. “We look forward to collaborating with Cybellum in raising awareness and in providing support as companies around the world integrate ISO/IEC 5230 into their supply chains. We also invite companies to engage with the OpenChain Project directly via our regular calls, mailing list and events.”

“With the current software supply chain security challenges, organizations like OpenChain are a key for proper collaboration across the value chain, especially when representing a software bill of materials. We’re thrilled to join OpenChain, which is widely adopted by the industry and will be the driving force for creating a quality open-source compliance program within organizations” says Slava Bronfman, CEO of Cybellum.

About Cybellum

Cybellum empowers connected device manufacturers and their suppliers to identify and remediate security risks at scale, throughout the entire product life cycle. Our agentless solution scans embedded software components without needing access to their source code, exposing all cyber vulnerabilities. Manufacturers can then take immediate actions and eliminate any cyber risk in the development and production process, before any harm is done, while continuously monitoring for emerging threats impacting product in operational use. Read more at www.cybellum.com

About the OpenChain Project

OpenChain began when a group of open-source compliance professionals met in a conference lounge and chatted about how so much duplicative, redundant open-source license compliance work was being done inefficiently in the software supply chain simply. They realized that while each company did the same work behind the scenes in a different manner the output for downstream recipients could not realistically be relied on because there was no visibility into the process that generated the output.

The answer the early principles of this discussion arrived at was to standardize open-source compliance, make it transparent and build trust across the ecosystem. The project began as outreach to the community with the idea of a new standard for open-source license compliance with slides titled, “When Conformity is Innovative.” A growing community quickly recognized the value of this approach and contributed to the nascent collaboration soon named The OpenChain Project.