Our regular monthly call for North America / Asia saw some discussion around two key topics for the next generations of our specifications for license compliance and for security. One related to whether we need to be more prescriptive regarding the content of contribution policies, and another related to whether our existing approach to defining open source worked in both standards. The outcomes are covered in our recording and the slides from the meeting are also available.
Philippe Ombredanne from nexB will lead a technical deep dive into VulnTotal on the 7th of February at 09:00 CET (08:00 UTC). Join us in our usual room here:
This deep dive is about an aspect of the AboutCode Project, with VulnerableCode providing tools to collect, aggregate and refine software vulnerability information from more than 20 sources and tools to quickly create new “importers”. VulnTotal is something that came out of Google Summer of Code 2022:
VulnTotal: Cross-validate vulnerability coverage of VulnerableCode (Keshav Priyadarshi)
VulnerableCode is a unique project that collates and cross-references FOSS vulnerability data from multiple sources. Inspired by the VirusTotal multi-scanner virus scanning service, the VulnTotal project will cross-validate the vulnerability coverage of VulnerableCode against other publicly available vulnerability check tools and databases. For instance, a package may be reported as vulnerable by one tool or database but not by another. We can gradually work with these tool providers to keep each other apprised about newly discovered vulnerabilities, making FOSS more secure.
Bitsea, a service provider specialized in software auditing and based in Germany, today announces support for the OpenChain Security Assurance Specification 1.1. They can help companies understand and adopt this standard for open source security in Germany and beyond. As a sister standard to OpenChain ISO/IEC 5230 – the international standard for open source license compliance – the OpenChain Security Assurance Specification 1.1 offers the same type of support for building a quality security assurance program.
“For over 10 years Bitsea has provided services to help organizations identifying hidden risks in software systems and managing their open source software supply chain,” says Dr. Andreas Kotulla, Founder and CEO of Bitsea. “Our services guide organizations to adopt and conform to both ISO 5230 OpenChain and OpenChain Security Assurance.”
“Bitsea has long been a provider of excellent reputation in the open source area,” says Shane Coughlan, OpenChain General Manager. “Their new services to support adoption of the OpenChain Security Assurance Specification 1.1 are a timely and useful contribution to the community in Germany and beyond. Open source security is a vital part of the global supply chain, and solid process management is key to addressing the ongoing challenges.”
About Bitsea
Big software systems are like a wild wide ocean of bits – our passion is to analyse and visualize software structure. We are keen to help our customers how to stabilize and optimize their systems. We assess software. We analyze, evaluate and optimize your development processes, software architecture and software design. We perform the technical due diligence for company takeovers. We reduce the economic risk by assessing open source components and ensure license compliance.
Our references include well-known Fortune 500 companies in communications, automotive, logistics, retail and aerospace industries. Highest standard for information security: We are VDA/ISA Tisax-certified since 2020. All data of our customers remain in Germany or, if required, in the territory of our customers. We are involved in the Bitkom Open Source working group. Bitsea is part of the OpenChain Community. We guarantee strictly confidential consulting in the context of technical due diligence for M&A activities.
Learn more:
https://bitsea.de/en/
About the OpenChain Project
The OpenChain Project has an extensive global community that involves thousands of companies collaborating to make the supply chain quicker, more effective and more efficient. We work together to create trust between entities around open source. Our job is to increase trust in the open source supply chain. We do this by maintaining ISO/IEC 5230:2020, the International Standard for open source license compliance, and our Security Assurance Reference Specification. We also have a large global community where knowledge is shared to reduce friction and increase efficiency across all aspects of open source process management.
Learn more:
https://www.openchainproject.org
About The Linux Foundation
The Linux Foundation is the world’s largest non-profit connecting global technical experts, and providing them with a neutral and trusted platform to develop open source projects. Founded in 2000 as the home of the Linux Kernel, the Linux Foundation has grown to host hundreds of open source projects, with a community spanning 2,950+ members, 540,000+ contributing developers, and 19,000+ contributing companies.
Learn more:
https://www.linuxfoundation.org
The next OpenChain Webinar will feature OSSelot, an open source curation database recently launched by OSADL in Germany. This project features one of the most requested features around open source automation for open source compliance: an open, public database supporting SBOM (via SPDX ISO/IEC 5962) for common software packages. This could be a game-changer.
Learn more at 09:00 CET (08:00 UTC) on the 24th of January.
This webinar will be held in the OpenChain Project Zoom room:
https://zoom.us/j/4377592799
Check your timezone:
PDT United States Pacific UTC-07:00
UTC Coordinated Universal Time UTC
CET Central European Time UTC+01:00
IST India Standard Time UTC+05:30
CST China Standard Time UTC+08:00
KST Korea Standard Time UTC+09:00
JST Japan Standard Time UTC+09:00
Compare timezones:
https://www.worldtimebuddy.com
Join via one tap mobile:
+86 10 8783 3177,,4377592799# Mainland China
+33 1 8699 5831,,4377592799# France
+49 69 7104 9922,,4377592799# Germany
+81 524 564 439,,4377592799# Japan
+82 2 3143 9612,,4377592799# Korea
+91 80 71 279 440,,4377592799# India
+886 (2) 7741 7473,,4377592799# Taiwan
+44 330 088 5830,,4377592799# UK
+13017158592,,4377592799# USA
Find your local country number:
https://zoom.us/u/awFnORNiA
Meeting ID: 437 759 2799
Our first monthly meeting of the year contained some great discussion about the spec with oversight by Co-Chair Helio (we worked on issues as usual) and Nathan also set the tone for future plans around the Education Work Group. It was a relatively small group due to the new year vacation ending unevenly around the world, but some substantive material was covered.
Please note that we also had a ton of interesting news to cover. Check out the slides for the details and the links to each item.
Watch The Recording
Check Out The Slides
Interneuron, a UK-based service provider to the British National Health Service (NHS), is the first company to formally announce an OpenChain Security Assurance Specification conformant program. This continues their history of engagement with open source standards – including previous adoption of OpenChain ISO/IEC 5230, the International Standard for open source license compliance.
“We have worked with Interneuron from when they were a start-up,” says Martin Callinan, Director at Source Code Control Limited. “From the outset we implemented a secure by design approach to the management of open source components used in their software development. It is hugely beneficial that OpenChain have created the Security Assurance Specification to provide guidance and benchmark the processes that have been implemented.”
“Interneuron has a long-term, focused approach on ensuring solutions provided to the NHS demonstrate excellence in sustainable, manageable ways as well as through providing technological solutions,” says Shane Coughlan, OpenChain General Manager. “Their previous adoption of OpenChain ISO/IEC 5230 aligned their company behind reproducible, standard processes. Their newly announced adoption of the OpenChain Security Assurance Specification continues this path, and covers one of the most critical domains in information technology. Their conformance, accomplished in conjunction with their support partner Source Code Control, is an important milestone for the global community as well. With the OpenChain Security Assurance Specification disseminating worldwide, companies like Interneuron provide a clear example of how and why to leverage this standard today.”
About Interneuron
Interneuron is a different kind of healthcare IT organization. We are a purpose driven company, Community Interest Company (CIC) that exists primarily for the benefit of those in need of health and social care. Interneuron projects aim to help NHS organizations replace their legacy technology with world-class clinical software that will revolutionize the way in which data is integrated, stored and used.
Interneuron’s open source philosophy is to make this new technology freely available. NHS Trusts will be able to download, test and implement the software, or receive support from Interneuron if that is preferred
Learn more:
https://www.interneuron.org
About Source Code Control
Founded in 2014 by Martin Callinan, Source Code Control has established itself as one of the only Open Source and Cloud Transformation consultancy businesses. We help organizations who have software at the core of their company value, build trust in software supply chains and simplify the cloud transformation process. With this in mind, our main aim is to minimize an organization’s risk when dealing with open source and cloud software.
Learn more:
https://sourcecodecontrol.co
About the OpenChain Project
The OpenChain Project has an extensive global community that involves thousands of companies collaborating to make the supply chain quicker, more effective and more efficient. We work together to create trust between entities around open source. Our job is to increase trust in the open source supply chain. We do this by maintaining ISO/IEC 5230:2020, the International Standard for open source license compliance, and our Security Assurance Reference Specification. We also have a large global community where knowledge is shared to reduce friction and increase efficiency across all aspects of open source process management.
Learn more:
https://www.openchainproject.org
About The Linux Foundation
The Linux Foundation is the world’s largest non-profit connecting global technical experts, and providing them with a neutral and trusted platform to develop open source projects. Founded in 2000 as the home of the Linux Kernel, the Linux Foundation has grown to host hundreds of open source projects, with a community spanning 2,950+ members, 540,000+ contributing developers, and 19,000+ contributing companies.
Learn more:
https://www.linuxfoundation.org
The OpenChain Security Assurance Specification 1.1 has been building momentum as a sister specification to ISO/IEC 5230:2020, the International Standard for open source license compliance. With an identical approach to high level process management, the OpenChain Security Assurance Specification is designed to help companies adopt the key requirements of a quality open source security assurance program.
Self-certification is available in English, German and Simplified Chinese. In addition, the following companies have announced services to support adoption of this specification. Three of these organizations are OpenChain Project official third-party certifiers, and all of these companies provide onboarding, adoption and review services across the global supply chain.
CAICT (Mainland China)
CAICT is an official OpenChain Project partner and one of our third-party certifiers with a regional service offering.
- CAICT OpenChain Security Assurance Specification services in Simplified Chinese:
https://mp.weixin.qq.com/s/IdmxXc6uwV9ll1Xqo2KyZw
Bureau Veritas (Taiwan, Worldwide)
Bureau Veritas is an official OpenChain Project partner and one of our third-party certifiers with a global service offering.
- Bureau Veritas OpenChain Security Assurance Specification services in English:
https://ee.bureauveritas.com.tw/BVInternet/Product/46;mainIDX=20?lang=en - Bureau Veritas OpenChain Security Assurance Specification services in Traditional Chinese:
https://ee.bureauveritas.com.tw/BVInternet/Product/46;mainIDX=20?lang=tw
PwC (Germany, Worldwide)
PwC is an official OpenChain Project partner and one of our solution providers and third-party certifiers with a global service offering.
- PwC OpenChain Security Assurance Specification services in English:
https://www.pwc.de/en/opensource
(Under ‘Consulting & Implementation’ and ‘Audit & Certification’)
Orcro (UK, Worldwide)
Orcro is an official OpenChain Project partner and one of our solution providers and third-party certifiers with a global service offering.
- Orcro OpenChain Security Assurance Specification services in English:
https://orcro.co.uk/services/openchain-security-assurance/
Source Code Control (UK, Worldwide)
Source Code Control is an official OpenChain Project partner and one of our solution providers with a global service offering.
- Source Code Control OpenChain Security Assurance Specification services in English:
https://sourcecodecontrol.co/security-assurance/
OSS Consultants (USA, Worldwide)
OSS Consultants is an official OpenChain Project partner and one of our solution providers with a global service offering.
- OSS Consultants OpenChain Security Assurance Specification services in English:
https://ossconsultants.com/open-chain-conformance/
The OpenChain Security Assurance Specification 1.1 is now available in Simplified Chinese. This translation was created by Zhang Jun Xia from the China Academy of Information and Communications Technology (翻译人:张俊霞,中国信息通信研究院). Zhang Jun Xia previously contributed the Simplified Chinese self-certification checklist for this specification.
The GitHub version is stored as MarkDown, a type of text format. Do you want to download it in different formats?
Please note that we are always glad to have review for any errors in the translations we provide, and we are always glad to receive new translations. We work via GitHub and you can find the OpenChain Security Assurance Specification repository here:
The OpenChain Project has invested resources throughout 2022 towards improving the sustainability and continuity of our project. As part of this, the OpenChain Project Governing Board decided to initiate a chairperson election. This initiative was lead by David Marr of Qualcomm, our founding chairperson, and was designed to introduce processes for a predictable cycle of leadership rotation at the very top of the project management structure.
Jimmy Ahlberg of Ericsson was duly elected OpenChain Project Governing Board Chair on the 8th of December by his peers, the voting members of the OpenChain Project Governing Board. The board is made up of one voting representative from each of the Platinum Member companies. We currently have 24 Platinum Members spread across three continents, providing one of the most geographically diverse boards in our industry.
The OpenChain Board Chair is a pivotal position. As with everything in this project, it is a position that offers influence but not control, though in this case the influence is specifically targeted towards our long-term strategic future. Jimmy has been elected for a period of three years.
As the steward of two industry standards, one of which already has an ISO/IEC grant, the OpenChain Project Governing Board has a responsibility to ensure stability and sustainability. From fiscal decisions to overarching strategy, they meet once a quarter to assess our status and future steps. Because this is an open source project, their decisions are not taken in isolation. Our community has tremendous latitude and influence on this project, and our board has tremendous respect for what that means.
Jimmy is stepping into the role with the continued support of David and the rest of the OpenChain Project Governing Board, and our fundamental strategy remains consistent. This said, we expect and look forward to Jimmy making his mark as new chairperson, and innovating around our top-level strategy based on his insight, experience and corporate background.
If you have questions, comments or suggestions directed towards Jimmy, don’t hesitate to connect with him on one of our monthly calls, via our mailing lists or by direct mail. The leadership of the OpenChain Project is here to serve you, the community seeking to build trust in the supply chain.
To end this lengthy post, please note that the OpenChain Project Governing Board formally thanks David Marr for his exceptional work in founding and growing this project. He first brought people together to discuss the concept of standardization around open source license compliance eight years ago, and it takes a special type of determination and community-building to turn that into an executed ISO/IEC standard. It is also thanks to David that we have expanded our activities based on community feedback to other aspects of a trusted supply chain. His impact has been and continues to be immeasurable.
The OpenChain Security Assurance Specification 1.1 is now available in German. Self-certification is also available via checklists and questionnaires. Huge thanks to Katharina and the rest of the the team at PwC for making this happen.
Get the OpenChain Security Assurance Specification 1.1 in German:
Self-Certify to the OpenChain Security Assurance Specification 1.1 in German via a checklist:
Self-Certify to the OpenChain Security Assurance Specification 1.1 in German via a questionnaire:
If you self-certify, you can be listed on the OpenChain Project website alongside your peers. This is optional but recommended as a useful exercise for the supply chain. Contact us to get the free process underway.
Self-certification for the Security Assurance Specification 1.1 is now available in English, Simplified Chinese and German. More languages are expected to be made available soon.
