Skip to main content
Category

Featured

LG Electronics Announces OpenChain ISO/IEC DIS 18974 Conformant Program

By Featured, News

LG Electronics (LG) now has an OpenChain Security Assurance Specification 1.1 (ISO/IEC DIS 18974) conformant program. This standard defines the key requirements of a quality open source security assurance program, and helps to both reduce errors and increase efficiency across the global supply chain. This builds on their previous adoption of ISO/IEC 5230, the International Standard for open source license compliance.

“LG Electronics has a long history in open source and a well-known open source office,” says Shane Coughlan, OpenChain General Manager. “Their governance contributions like the FOSSLight tooling to help other companies has been an inspiration in South Korea and beyond. The conformance announcement today comes from the LG Cybersecurity Governance Team and underscores a company-wide commitment to excellence. As LG joins BlackBerry and Interneuron in driving the future of open source security assurance, we both welcome this announcement, and look forward to close collaboration in the future.”

Adoption of ISO/IEC DIS 18974 was driven by the LG Cybersecurity Governance Team. They are responsible for:

  • Establishing LG’s software development process (LG-SDL: Secure Development Lifecycle) to develop secure software for all LG Electronics products
  • Reflecting the latest Global Standards (ETSI, ENISA, NIST, etc.) and adapting them for the LG development ecosystem
  • Operating LG VulDOC (Vulnerability Detection Of Code) DevSecOps to Identify and resolve potential security vulnerabilities through various software verification methods 
  • Managing the LG Product Security Response Team (PSRT) to minimize security damage to our customers through authentic communication with security registrants and external stakeholders
  • Managing Third-Party developed software supply chain risk management

About LG Electronics

LG Electronics is a global innovator in technology and consumer electronics with a presence in almost every country and an international workforce of more than 74,000. LG’s four companies – Home Appliance & Air Solution, Home Entertainment, Vehicle component Solutions and Business Solutions – combined for global revenue of over KRW 80 trillion in 2022. LG is a leading manufacturer of consumer and commercial products ranging from TVs, home appliances, air solutions, monitors, service robots, automotive components and its premium LG SIGNATURE and intelligent LG ThinQ brands are familiar names world over.

About the OpenChain Project

The OpenChain Project maintains the International Standard for open source license compliance and the de-facto standard for open source security assurance. These allow companies of all sizes and in all sectors to adopt the key requirements of quality open source compliance or security assurance programs. They are open standards. All parties are welcome to engage with our community, to share their knowledge, and to contribute to the future of our standards.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and industry adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage.

Linux is a registered trademark of Linus Torvalds.

ByteDance Announces OpenChain ISO/IEC 5230 Conformant Program

By Featured, News

ByteDance, a leading social media company, and the innovator behind TikTok, has announced an OpenChain ISO/IEC 5230 conformant program. Their adoption of the international standard for open source license compliance underlines their commitment to engagement and excellence around open source projects, platforms and solutions.

“We are delighted to welcome ByteDance to the OpenChain ISO/IEC 5230 community of conformance,” says Shane Coughlan, OpenChain General Manager. “Their team has created social networks with stunning speed of scaling in Douyin (抖音) and TikTok. This innovation has been powered by open source, and their work around building an Open Source Program Office (OSPO), communicating their work, and now using international standards speaks to a bright future. We are looking forward to next steps in our collaboration.”

Read Their Full Announcement In Simplified Chinese

ByteDance Website

About ByteDance

ByteDance was founded in 2012 by a team led by Yiming Zhang and Rubo Liang, who saw opportunities in the then-nascent mobile internet market, and aspired to build platforms that could enrich people’s lives. The company launched Toutiao, one of its flagship products, in August 2012. It followed that success with the launch of Douyin in September 2016. Approximately a year later, ByteDance accelerated globalization with the launch of its global short video product, TikTok. It quickly took off in markets like Southeast Asia, signaling a new opportunity for the company. ByteDance acquired Musical.ly in November 2017 and subsequently merged it with TikTok. Today, the TikTok platform, which is available outside of China, has become the leading destination for short-form mobile videos worldwide.

In support of its mission to Inspire Creativity and Enrich Life, ByteDance has made it easy and fun for people to connect with, create and consume content. People are also able to discover and transact with a suite of more than a dozen products and services such as TikTok, CapCut, TikTok Shop, Lark, Pico and Mobile Legends: Bang Bang, as well as products and services specific to the China market, including Toutiao, Douyin, Fanqie, Xigua, Feishu and Douyin E-commerce.

ByteDance has over 150,000 employees based out of nearly 120 cities globally, including Austin, Barcelona, Beijing, Berlin, Dubai, Dublin, Hong Kong, Jakarta, London, Los Angeles, New York, Paris, Seattle, Seoul, Shanghai, Shenzhen, Singapore, and Tokyo.

About the OpenChain Project

The OpenChain Project maintains the International Standard for open source license compliance and the de-facto standard for open source security assurance. These allow companies of all sizes and in all sectors to adopt the key requirements of quality open source compliance or security assurance programs. They are open standards. All parties are welcome to engage with our community, to share their knowledge, and to contribute to the future of our standards.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and industry adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage.

Linux is a registered trademark of Linus Torvalds.

SAIC Z-ONE has adopted the ISO/IEC 5230 standard

By Featured, News

As a subsidiary of SAIC Group, SAIC Z-ONE Technology Co., Ltd always adheres to the research and development of smart car technology, provides customers with trustworthy and competitive solutions, products and services with an open and flexible cooperation model, and provides full life-cycle operation and maintenance upgrade services to empower customers to quickly build smart cars with differentiation capability, full-scene and ultimate experience.

SAIC is the leading automotive company in China in terms of scale, and as of 2022, SAIC has been the No. 1 in China in vehicle sales for 17 consecutive years.

Achieving ISO/IEC 5230 certification will help ensure that SAIC Z-ONE has a high-quality open source compliance program and requirements in place to effectively and efficiently use open source software in its supply chain and to align with high-quality global open source license compliance management practices.

“The announcement by SAIC Z-ONE provides an exceptional example of the evolving automotive industry,” says Shane Coughlan, OpenChain General Manager. “Cars are key outcomes of the software supply chain, and global leaders like SAIC have a clear, strategic vision for the future. Their engagement and their experience will help drive an improved ecosystem for the benefit of customers around the world.”

OpenChain Industry Survey 2023

By Featured, News

The OpenChain Industry Survey 2023 is now online.

Our annual OpenChain Industry Survey covers a big topic: the global status of corporate engagement and management of open source. It focuses on a ‘strategy’ perspective rather than a ‘development’ perspective. Our goal is to help inform corporate project, product and supply chain decisions in the year ahead.



We are collecting responses throughout April.


Your help in creating a snapshot of the current market is deeply appreciated. This will allow us to understand where to direct community resources and energy throughout 2023. We will post the results in May.

The English version of the OpenChain Industry Survey 2023 is based off the Japanese original. Kudos to everyone in the OpenChain Japan Work Group, especially Owada San and Fukuchi San!

Introducing ISO/IEC DIS 18974, Our Standard For Open Source Security Assurance

By Featured, News

The OpenChain Security Assurance Specification 1.1 is now ISO/IEC DIS 18974, OpenChain Security Assurance Specification. It is a de-facto industry standard and a draft ISO/IEC international standard.

What Is This?

ISO/IEC DIS 18974 defines the key requirements of a quality open source security assurance program. It was previously known as the OpenChain Security Assurance Specification 1.1.

What Does It Do?

ISO/IEC DIS 18974 helps organizations check open source for known security vulnerability issues like CVEs, GitHub dependency alerts or package manager alerts.

It identifies:

  1. The key places to have security processes
  2. How to assign roles and responsibilities
  3. And how to ensure sustainability of the processes

ISO/IEC DIS 18974 is lightweight, easy to read and is supported by our global community with free reference material and conformance resources. Pending a successful ballot, it is expected to become a formal ISO/IEC International Standard in mid-2023.

What Should You Do?

From today, you can adopt ISO/IEC DIS 18974 through self-certification or in collaboration with one of our official partners. Your adoption will also be valid for ISO/IEC 18974:2023. The first company to announce a program using ISO/IEC DIS 18974 was Interneuron in the UK, and the first company to announce whole entity adoption was BlackBerry.

Learn More About The Standard



Adopt The Standard


Checklists




Questionnaires



Get Third-Party Support



Report Your Adoption



Share With Others



History

This specification is built from the source material of ISO/IEC 5230:2020, the International Standard for open source license compliance (specifically OpenChain 2.1, which became ISO/IEC 5230 via the JTC-1 PAS Transposition Process).

This specification was drafted by our community as a Security Assurance Reference Guide due to interest in applying ISO/IEC 5230 processes to the security domain. The draft specification went through a review process via our specification list and calls before a governing board vote to transform it into a published security specification on 2022-09-14.


Past Versions of the Standard

Releases as a Specification



Releases as a Guide



Improving The Standard

ISO/IEC DIS 18974, the industry standard for open source security assurance, is available for everyone to review, adopt and to submit suggestions for improvement. We collect these comments on the OpenChain Security Assurance Specification GitHub Repository. You can add your comments in the “Issues” section.

You can also send questions and feedback to the mailing list or by email to the OpenChain Project administration team if you prefer to remain anonymous. We discuss the suggestions on our calls and via our mailing lists to decide what to refine, update or improve in future versions.



Learn More About Our Standardization Status

Joint Development Foundation (JDF), the PAS Submitter used by the OpenChain Project, has provided our Draft International Standard (DIS) number for the OpenChain Security Assurance Specification 1.1. This is the number used in the JTC-1 PAS Transposition ballot process prior to the granting of formal ISO/IEC standard status and obtaining the related ISO/IEC number. The OpenChain Security Assurance Specification 1.1 is now ISO/IEC DIS 18974, OpenChain Security Assurance Specification.

JDF has also received an update on the timing of our JTC-1 PAS Transposition ballot for DIS 18974, OpenChain Security Assurance Specification. We are currently scheduled for late March 2023. Pending a successful initial ballot, we are on schedule for having our formal ISO/IEC designation in mid-2023. Our expected ISO/IEC number for the OpenChain Security Assurance Specification 1.1 will be ISO/IEC 18974:2023. The formal name of the standard is expected to be ISO/IEC 18974:2023, OpenChain Security Assurance Specification.

CESI is the Latest OpenChain Partner and Third-Party Certifier

By Featured, News

China Electronics Standardization Institute (CESI) is the latest official partner of the OpenChain Project. From today, CESI is offering third-party certification around the standards produced by the OpenChain Project, with an initial focus on ISO/IEC 5230:2020, the International Standard for open source license compliance.

“The OpenChain Project is delighted to deepen our collaboration with CESI,” says Shane Coughlan, OpenChain General Manager. “CESI has an exceptionally important role in helping the world’s most populous country engage with, leverage and innovate around open source. Their new status as an official partner of the OpenChain Project opens doors for more companies in China to begin using our standards, and to begin benefiting from increased efficiency in their supply chains.”

“CESI is delighted to become an official partner of the OpenChain Project,” says Liyun Yang, Director of Cloud Computing Research Office. “We will offer third-party certification and assist in developing next generation versions of the OpenChain standards to help support Chinese companies, and the wider global supply chain.”

About CESI

Founded in July 1963, CESI is a nonprofit institution directly under the MII that is engaged in standardization, conformity assessment and measurement activities in the field of electronic information technologies. Authorized by government competent departments, CESI organizes the development of national and industry standards and participation in the international standardization activities in electronic information technologies. CESI provides product certification, quality system certification, experiments and tests, measurement and calibration as well as training for the public.

The objective of CESI is to become a world-renowned, domestically authoritative institution for standardization and conformity assessment in the field of electronic information technologies.

Learn More

TÜV NORD Taiwan is the latest OpenChain Partner

By Featured

TÜV NORD Taiwan is the latest official OpenChain Partner. TÜV NORD Taiwan was founded in 1988 and is one of the leading providers of quality, safety, information technology, and renewable energy solutions. The company has highly qualified employees and offers national and international customers the complete provide the one-stop service for local customers.

“We are delighted to being our official partnership with TÜV NORD Taiwan,” says Shane Coughlan, OpenChain General Manager. “The availability of certification and other support services is critical to ensure companies have options when using our standards for license compliance and security assurance. Especially in mission critical industries like automotive, the option of third-party certification alongside self-certification is vitally important.”

About TÜV NORD Taiwan

TÜV NORD Taiwan is one of the world’s largest technical service providers.

We owe our leading market position to our technical competence and a wide range of engineering support, testing and servicing activities in the Systems, Mobility, Certification, Energy, training and International Divisions.

With over 14,000 employees in more than 70 countries of Europe, Asia, America and Africa, the TÜV NORD GROUP is actively committed to its national and international customers. Its broad consulting, service and testing/inspection portfolio encompasses both specific individual tests/inspections and also management of complex safety solutions.

The TÜV NORD GROUP is made up of the following divisions: Mobility, Industrial Services, International, Natural Resources and Training and Human Resources. As a customer-oriented competence centre, it is in constant contact with its customers for analyzing, consulting, developing individual solutions and joint implementation with the customer.

TÜV NORD GROUP customers benefit from the broad, well-founded expertise of the consultants and inspectors. Through their understanding of the subject and the customer, the employees form the backbone of the company’s success.

Learn more: