Featured

The OpenChain Project has a mission to establish trust in the Open Source from which Software Solutions are built. The International Standard OpenChain ISO 5230 addresses this matter from the perspective around open source license compliance. Many of the same processes are equally applicable to open source security and for this reason we are providing guidance regarding how they can be applied.

The OpenChain Security Assurance Reference Guide 1.0 has a similar format to OpenChain ISO 5230. It can be regarded as a map enabling a user to transpose the proven processes of ISO 5230 to the security domain. This first iteration of the reference guide focuses on the core process of identifying and addressing “known vulnerabilities.” Over time we will evolve the guide to refine its effectiveness.

The OpenChain Security Assurance Reference Guide should be understood as a method to complement rather than compete with security specific standards. It is quite possible that an organization is compliant with another given standard will automatically meet all the processes outlined in the OpenChain Security Assurance Reference Guide. This is by design.

As the OpenChain Project adds additional reference guides over time (e.g., quality, export compliance, malware and functional safety) the value of OpenChain ISO 5230 will grow. This work – as with all activity inside the OpenChain Project – will be undertaken by the community of user companies for the benefit of the community.

Get The Reference Guide

• https://github.com/OpenChain-Project/SecurityAssuranceGuide/tree/main/Guide/1.0

Send Feedback To The Specification Team

• https://lists.openchainproject.org/g/specification

Sony Semiconductor Solutions, a global leader in advanced technologies of image sensor, has announced an OpenChain ISO 5230 conformant program.

“As a global leader of imaging & sensing technology, Sony Semiconductor Solutions Corporation adopted the OpenChain standard early in the lifecycle in 2019. We have operated a quality management system including OSS license compliance so that our customers can use our products and services with confidence,” says Dai Sugimoto, Quality Officer of Sony Semiconductor Solutions Corporation. “We are delighted to continue our engagement by announcing conformance to OpenChain ISO/IEC 5230. This International Standard offers a clear signal that a company uses industry best practices in managing open source license compliance. We believe it is important for our company and our supply chain.”

“Sony Semiconductor is a prime example of the very heart of the supply chain,” Shane Coughlan, OpenChain General Manager. “They play a critical part in ensuring advanced products get to market, and they do so with a continuing commitment to excellence. OpenChain ISO 5230 conformance is another step in this process, ensuring the highest quality of open source compliance program. We look forward to collaborating deeply in the months and years to come.”

About Sony Semiconductor Solutions Corporation

Sony Semiconductor Solutions Corporation is the global leader in image sensors. Our semiconductor business also includes a variety of other parts including microdisplays, LSIs, and laser diodes. We strive to provide advanced imaging technologies that bring greater convenience and fun to people’s lives. In addition, we also work to develop and bring to market new kinds of sensing technologies with the aim of offering various solutions that will take the visual and recognition capabilities of both human and machines to greater heights. For more information, please visit: https://www.sony-semicon.co.jp/e/

About OpenChain

The OpenChain Project maintains the International Standard for open source license compliance. This allows companies of all sizes and in all sectors to adopt the key requirements of a quality open source compliance program. This is an open standard and all parties are welcome to engage with our community, to share their knowledge, and to contribute to the future of our standard.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and industry adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. 

Linux is a registered trademark of Linus Torvalds.

Cybellum, a leader in embedded product security and license compliance management for mission critical industries, is the latest vendor to join the OpenChain Project partner program. 

Their engagement will focus on raising awareness among user companies regarding open-source license compliance and security, while ensuring they have freedom of choice when considering commercial automation solutions around ISO/IEC 5230 conformance activities. ISO/IEC 5230 is the International Standard for open-source license compliance.

“Cybellum has been actively supporting automotive, medical-device and industrial IoT manufacturers with automation around security and compliance of their products,” says Shane Coughlan, OpenChain General Manager. “We look forward to collaborating with Cybellum in raising awareness and in providing support as companies around the world integrate ISO/IEC 5230 into their supply chains. We also invite companies to engage with the OpenChain Project directly via our regular calls, mailing list and events.”

“With the current software supply chain security challenges, organizations like OpenChain are a key for proper collaboration across the value chain, especially when representing a software bill of materials. We’re thrilled to join OpenChain, which is widely adopted by the industry and will be the driving force for creating a quality open-source compliance program within organizations” says Slava Bronfman, CEO of Cybellum.

About Cybellum

Cybellum empowers connected device manufacturers and their suppliers to identify and remediate security risks at scale, throughout the entire product life cycle. Our agentless solution scans embedded software components without needing access to their source code, exposing all cyber vulnerabilities. Manufacturers can then take immediate actions and eliminate any cyber risk in the development and production process, before any harm is done, while continuously monitoring for emerging threats impacting product in operational use. Read more at www.cybellum.com

About the OpenChain Project

OpenChain began when a group of open-source compliance professionals met in a conference lounge and chatted about how so much duplicative, redundant open-source license compliance work was being done inefficiently in the software supply chain simply. They realized that while each company did the same work behind the scenes in a different manner the output for downstream recipients could not realistically be relied on because there was no visibility into the process that generated the output.

The answer the early principles of this discussion arrived at was to standardize open-source compliance, make it transparent and build trust across the ecosystem. The project began as outreach to the community with the idea of a new standard for open-source license compliance with slides titled, “When Conformity is Innovative.” A growing community quickly recognized the value of this approach and contributed to the nascent collaboration soon named The OpenChain Project.

Baker Botts, a leading provider of legal advice with a global presence, is the latest firm to become an official partner of the OpenChain Project, steward of OpenChain ISO 5230 – the International Standard for open source compliance.

“We are excited to announce a partnership with the OpenChain Project, author of the international standard for open source license compliance,” Paul Ragusa, partner in the firm and Chair of the AIPLA Standards and Open Source Committee. “This partnership recognizes the expertise and experience of Baker Botts’ Technology Transactions practice in handling a wide range of issues surrounding open source software.  Baker Botts recognizes the vast unmet need for software supply chain management, and has been at the forefront of advising clients on these issues for over a decade.  We consider OpenChain a leader in this field, and are excited to strengthen our practice by offering services to help our clients install high-quality open source compliance programs that are OpenChain compliant. We seek to provide all the support needed to show how investing in an open source compliance program can reduce risk and resolve traditional boundaries in software transactions and license enforcement.”

“Law firms are one of the most important parts of the OpenChain Partner ecosystem,” says Shane Coughlan, OpenChain General Manager. “It is both timely and uniquely well-timed to welcome Baker Botts to our community. With a pedigree reaching back to 1840, and a global presence at the forefront of legal developments, the team is excellently positioned to accelerate understanding and adoption of OpenChain ISO 5230 across the supply chain.”

Learn More:

• https://www.bakerbotts.com/news/2021/07/baker-botts-announces-partnership-with-the-openchain-project

About Baker Botts L.L.P.

Baker Botts is an international law firm of approximately 725 lawyers practicing throughout a network of 13 offices around the globe. Based on our experience and knowledge of our clients’ industries, we are recognized as a leading firm in the technology, energy, and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.

About OpenChain

The OpenChain Project maintains the International Standard for open source license compliance. This allows companies of all sizes and in all sectors to adopt the key requirements of a quality open source compliance program. This is an open standard and all parties are welcome to engage with our community, to share their knowledge, and to contribute to the future of our standard.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and industry adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. 

Linux is a registered trademark of Linus Torvalds.

The OpenChain Mini-Summit discusses all things OpenChain ISO 5230, as well as related projects and activities such as SPDX. You can expect a focus on security, Software Bill of Materials and automation. All welcome.

More details will be provided here shortly.

You can register to attend the event in person via the OSS + ELC 2021 website:
https://events.linuxfoundation.org/open-source-summit-north-america/features/co-located-events/
(This is the recommended way to attend the mini-summit)

You can also attend the event remotely through our Zoom room:
https://zoom.us/j/4377592799
Meeting ID: 437 759 2799
One tap mobile
+13017158592,,4377592799# US (Washington DC)
+13126266799,,4377592799# US (Chicago)

Dial by your location

• +1 301 715 8592 US (Washington DC)
• +1 312 626 6799 US (Chicago)
• +1 346 248 7799 US (Houston)
• +1 646 558 8656 US (New York)
• +1 669 900 6833 US (San Jose)
• +1 253 215 8782 US (Tacoma)
• 877 369 0926 US Toll-free
• 855 880 1246 US Toll-free
• +1 438 809 7799 Canada
• +1 587 328 1099 Canada
• +1 647 374 4685 Canada
• +1 647 558 0588 Canada
• +1 778 907 2071 Canada
• +1 204 272 7920 Canada
• 855 703 8985 Canada Toll-free

Meeting ID: 437 759 2799
Find your local number: https://zoom.us/u/awFnORNiA

2021-07-14 – SAN FRANCISCO – Over the past years, Bosch was actively involved in the forming and promoting the new ISO Standard. As an OpenChain conformant enterprise, Bosch rolled out its new corporate open source regulations requiring meeting all ISO5320 conditions concerning open source management processes and policies.

“With OpenChain we have a common framework and a common terminology for Open Source Compliance,” states Hans Malte Kern, Head of the Bosch Center of Competence Open Source. “A wide adaptation by companies across all industries could help to further expand seamless value chains. It is the key building block to establish trust in using Open Source.”

“Bosch is a pivotal company in the automotive sphere due to both its strong product portfolio and its stance as a dedicated, reliable partner,” says Shane Coughlan, OpenChain General Manager. “Their formal adoption of OpenChain ISO 5230 builds on years of productive engagement as a thought-leader in this space. We are delighted to collaborate on the next steps in improving the efficiency and effectiveness of the automotive software supply chain.”

About Bosch

The Bosch Group is a leading global supplier of technology and services. It employs roughly 395,000 associates worldwide (as of December 31, 2020). The company generated sales of 71.5 billion euros in 2020. Its operations are divided into four business sectors: Mobility Solutions, Industrial Technology, Consumer Goods, and Energy and Building Technology. As a leading IoT provider, Bosch offers innovative solutions for smart homes, Industry 4.0, and connected mobility. Bosch is pursuing a vision of mobility that is sustainable, safe, and exciting. It uses its expertise in sensor technology, software, and services, as well as its own IoT cloud, to offer its customers connected, cross-domain solutions from a single source. The Bosch Group’s strategic objective is to facilitate connected living with products and solutions that either contain artificial intelligence (AI) or have been developed or manufactured with its help. Bosch improves quality of life worldwide with products and services that are innovative and spark enthusiasm. In short, Bosch creates technology that is “Invented for life.”

About OpenChain

The OpenChain Project maintains the International Standard for open source license compliance. This allows companies of all sizes and in all sectors to adopt the key requirements of a quality open source compliance program. This is an open standard and all parties are welcome to engage with our community, to share their knowledge, and to contribute to the future of our standard.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and industry adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. 

Linux is a registered trademark of Linus Torvalds.