Our 50th webinar will feature Alexios Zavras, Chief Open Source Compliance Officer at Intel Corporation and a long-term friend and collaborator around the OpenChain Project. This time the topic will be SPDX 3.0, a significant generational update to SPDX, a sister standard to OpenChain ISO/IEC 5230 and OpenChain ISO/IEC DIS 18974.
SPDX is a Software Bill of Materials (SBOM) specification, so it operates one layer down from the fundamental processes outlined by OpenChain’s standards, and it provides an excellent way to meet our requirements for an SBOM to be used by companies. The second generation of SPDX has been an ISO/IEC standard for two years as ISO/IEC 5962. The third generation shows interesting promise as a way to manage license compliance, security and more.
Our regular monthly meeting continued our work to edit the next generation of our license compliance and security assurance specifications. Our focus this time was on some open issues around the next generation of the Security Assurance Specification.
ISO/IEC DIS 18974 defines the key requirements of a quality open source security assurance program. It was previously known as the OpenChain Security Assurance Specification 1.1.
What Does It Do?
ISO/IEC DIS 18974 helps organizations check open source for known security vulnerability issues like CVEs, GitHub dependency alerts or package manager alerts.
It identifies:
The key places to have security processes
How to assign roles and responsibilities
And how to ensure sustainability of the processes
ISO/IEC DIS 18974 is lightweight, easy to read and supported by our global community with free reference material and conformance resources. Pending a successful ballot, it is expected to become a formal ISO/IEC International Standard in mid-2023.
What Should You Do?
From today, you can adopt ISO/IEC DIS 18974 through self-certification or in collaboration with one of our official partners. Your adoption will also be valid for ISO/IEC 18974:2023. The first company to announce a program using ISO/IEC DIS 18974 was Interneuron in the UK, and the first company to announce whole entity adoption was BlackBerry.
This specification is built from the source material of ISO/IEC 5230:2020, the International Standard for open source license compliance (specifically OpenChain 2.1, which became ISO/IEC 5230 via the JTC-1 PAS Transposition Process).
This specification was drafted by our community as a Security Assurance Reference Guide due to interest in applying ISO/IEC 5230 processes to the security domain. The draft specification went through a review process via our specification list and calls before a governing board vote to transform it into a published security specification on 2022-09-14.
ISO/IEC DIS 18974, the industry standard for open source security assurance, is available for everyone to review, adopt and submit suggestions for improvement. We collect these comments on the OpenChain Security Assurance Specification GitHub Repository. You can add your comments in the “Issues” section.
You can also send questions and feedback to the mailing list or by email to the OpenChain Project administration team if you prefer to remain anonymous. We discuss the suggestions on our calls and via our mailing lists to decide what to refine, update or improve in future versions.
Joint Development Foundation (JDF), the PAS Submitter used by the OpenChain Project, has provided our Draft International Standard (DIS) number for the OpenChain Security Assurance Specification 1.1. This is the number used in the JTC-1 PAS Transposition ballot process prior to the granting of formal ISO/IEC standard status and obtaining the related ISO/IEC number. The OpenChain Security Assurance Specification 1.1 is now ISO/IEC DIS 18974, OpenChain Security Assurance Specification.
JDF has also received an update on the timing of our JTC-1 PAS Transposition ballot for DIS 18974, OpenChain Security Assurance Specification. We are currently scheduled for late March 2023. Pending a successful initial ballot, we are on schedule for having our formal ISO/IEC designation in mid-2023. Our expected ISO/IEC number for the OpenChain Security Assurance Specification 1.1 will be ISO/IEC 18974:2023. The formal name of the standard is expected to be ISO/IEC 18974:2023, OpenChain Security Assurance Specification.
China Electronics Standardization Institute (CESI) is the latest official partner of the OpenChain Project. From today, CESI is offering third-party certification around the standards produced by the OpenChain Project, with an initial focus on ISO/IEC 5230:2020, the International Standard for open source license compliance.
“The OpenChain Project is delighted to deepen our collaboration with CESI,” says Shane Coughlan, OpenChain General Manager. “CESI has an exceptionally important role in helping the world’s most populous country engage with, leverage and innovate around open source. Their new status as an official partner of the OpenChain Project opens doors for more companies in China to begin using our standards, and to begin benefiting from increased efficiency in their supply chains.”
“CESI is delighted to become an official partner of the OpenChain Project,” says Liyun Yang, Director of Cloud Computing Research Office. “We will offer third-party certification and assist in developing next generation versions of the OpenChain standards to help support Chinese companies, and the wider global supply chain.”
About CESI
Founded in July 1963, CESI is a nonprofit institution directly under the MII that is engaged in standardization, conformity assessment and measurement activities in the field of electronic information technologies. Authorized by government competent departments, CESI organizes the development of national and industry standards and participation in the international standardization activities in electronic information technologies. CESI provides product certification, quality system certification, experiments and tests, measurement and calibration as well as training for the public.
The objective of CESI is to become a world-renowned, domestically authoritative institution for standardization and conformity assessment in the field of electronic information technologies.
This article by JI Shou-Ling, WANG Qin-Ying, CHEN An-Ying, ZHAO Bin-Bin, YE Tong, ZHANG Xu-Hong, WU Jing-Zheng, LI Yun, YIN Jian-Wei and WU Yan-Jun is worth reading in full for insight from a key market space for open source.
In recent years, the vigorous development of open source software and the modern software development and supply models have greatly facilitated the rapid iteration and evolution of open source software, resulting in increased social benefits. The emerging collaborative software development model of open source has transformed the software development supply process from a relatively linear path to a complex network structure. Within open-source software’s complex and intertwined supply relationships, the overall security risk trend has significantly increased, drawing increasing attention from the academic and industrial communities. This work tries to define the new open-source software supply chain model and, based on attacks that have occurred over the past decade, summarizes the threat model and security trends of the open-source software supply chain. For securing the open-source software supply chain, this work provides a systematic overview from the perspectives of risk identification and reinforced defense and also highlights the new challenges and opportunities.
The Journal of Software (ISSN 1000-9825) is a Chinese comprehensive academic journal of computer software which is jointly hosted by the Institute of Software, Chinese Academy of Sciences (ISCAS) and the China Computer Federation (CCF). Founded in 1990, the Journal of Software focuses on the latest innovative high-level scientific and technological achievements of great significance in the field of computer software. It advocates academic democracy and promotes academic discussion and exchange among researchers inside and outside China.
The one slide overview of the OpenChain Project has been updated to provide simple, clear messaging about how and why our work provides value to companies in the supply chain.
You can help us improve this document, translate it and convert it into new formats through the OpenChain GitHub Reference Library. We are actively seeking a MarkDown version for ease of future iteration.
The ISO/IEC 5230 one page overview has been updated to provide simple, clear messaging about how and why the International Standard for open source license compliance provides value to companies in the supply chain.
This document is available in PDF format, PNG format or InDesign format. You may take it, use it, share it and remix it freely using the terms of the CC0 license, effectively public domain.
You can help us improve this document, translate it and convert it into new formats through the OpenChain GitHub Reference Library. We are actively seeking a MarkDown version for ease of future iteration.
Our monthly North America / Europe meeting for March saw continued discussion around the OpenChain Specification Editing Process. Helio and Chris (Co-Chairs of the Specification Work Group) explored topics related to previously mentioned and new issues. Full recording below. All activity captured on GitHub.