Skip to main content
Category

security

OpenChain Webinar: AboutCode and Beyond – End-to-End SCA

By automation, community, legal, licensing, News, security, Webinar

This OpenChain Webinar digs into open source tooling with open data for open source compliance.

Full Overview From The Presenters

Ensuring software license and security compliance can be difficult. Managing open source components – especially their licensing, provenance, and vulnerability risk – is a critical part of Software Composition Analysis (SCA), which is now a prerequisite for modern organizations to comply with mandated SBOMs and other regulations.

Expensive, proprietary SCA solutions rely on proprietary data that can be outdated or just wrong. To make using open source easier for everyone, we need FOSS tools and open data for FOSS SCA. Philippe Ombredanne will explain how using 100% open source software and open data, the AboutCode stack offers a new approach for the practical management of open source software for licensing and vulnerability risks for organizations of all sizes.

Philippe will share how modular open source projects like ScanCode, VulnerableCode, and DejaCode fit together to identify components and their license, provenance, and known vulnerabilities, and aggregate this and SBOM data across products, teams, and organizations to address security, legal, and regulatory requirements for software license and security compliance in an integrated solution.

Philippe will also discuss exciting updates on new open source projects for better software supply chain integrity and security like CRAVEX, which delivers modern open source tools for developers to manage, triage, rate, review, and determine exploitability of package vulnerabilities in a package-centric world.

Get The Slides

More About Our Webinars:

This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.

Check Out The Rest Of Our Webinars

This OpenChain Webinar was broadcast on 2024-05-15.

Webinar: OFE Briefing on the Cyber Resilience Act

By Featured, legal, licensing, News, security, Webinar

This webinar is a special briefing lead by Ciarán O’Riordan, Senior Policy Advisor at OpenForum Europe (OFE), on European policy matters that impact open source, business processes and risk management. OFE is a not-for-profit, Brussels-based independent think tank which explains the merits of openness in computing to policy makers and communities across Europe. Originally launched in 2002 to accelerate and broaden the use of Open Source Software (OSS) among businesses, consumers and governments, OFE’s focus has since evolved to also cover issues related to Open standards, Cybersecurity, Digital Government, Public Procurement, Intellectual Property, Cloud Computing and Internet Policy.

More About Our Webinars:

This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.

Check Out The Rest Of Our Webinars

This OpenChain Webinar was broadcast on 2024-04-23.

Webinar: LF Management & Best Practices Portal

By automation, community, legal, licensing, News, security, standards, Webinar

This webinar by Hilary Carter, SVP Research at The Linux Foundation, unpacked LF Management & Best Practices, the digital home where communities of “best practice” converge. Here, you’ll be able to find the standards, reference material, courses, live events and webinars, research, project communities, and the automation tools to help you start your project or organization’s open source journey, and to keep it on track!

More About Our Webinars:

This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.

Check Out The Rest Of Our Webinars

This OpenChain Webinar was broadcast on 2024-04-09.

Webinar: Universal CVSS Calculator

By automation, News, security, Webinar

This webinar discusses a Universal CVSS Calculator released by {metæffekt} GmbH. The open-source online tool is intended to support the assessment of vulnerabilities with their various CVSS scores from multiple authorities. It was created due to the lack of CVSS calculators which could ingest multiple vectors with different CVSS versions and compare the scores consistently.

Read The Slides

More About Our Webinars:

This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.

Check Out The Rest Of Our Webinars

This is OpenChain Webinar #69, released on 2024-03-22.

Webinar: SPDX 3.1 – Services Profile Overview

By community, legal, licensing, News, security, standards, Webinar

Gary O’Neall of Source Auditor talked about how the new SPDX Services Profile proposal structures information. This profile is likely to have an important on business process management, as it covers topics far beyond open source compliance, with one example being fields for topics like Export Control. Gary’s deep background as a core contributor to the SPDX Project allowed him to contextualize this discussion from a historical perspective.

Webinar: VulnerableCode technical deep dive into VulnTotal

By automation, News, security, Webinar

The OpenChain Project ran a series of webinars about using open source tools for open source compliance ran between September and December 2021. They have been re-published in the main webinar series to improve discoverability. This episode explores how a tool called VulnTotal can help with open source security management.

Philippe Ombredanne from nexB lead a technical deep dive into VulnTotal on the 7th of February 2023. It was about an aspect of the AboutCode Project, with VulnerableCode providing tools to collect, aggregate and refine software vulnerability information from more than 20 sources and tools to quickly create new “importers”. Called VulnTotal, it came out of Google Summer of Code 2022:

VulnTotal: Cross-validate vulnerability coverage of VulnerableCode (Keshav Priyadarshi)

VulnerableCode is a unique project that collates and cross-references FOSS vulnerability data from multiple sources. Inspired by the VirusTotal multi-scanner virus scanning service, the VulnTotal project will cross-validate the vulnerability coverage of VulnerableCode against other publicly available vulnerability check tools and databases. For instance, a package may be reported as vulnerable by one tool or database but not by another. We can gradually work with these tool providers to keep each other apprised about newly discovered vulnerabilities, making FOSS more secure.

More About Our Webinars:

This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.

Check Out The Rest Of Our Webinars

This is OpenChain Webinar #68, released on 2024-02-01. It was originally published as “Automation Case Study #7 – VulnerableCode technical deep dive into VulnTotal” on 2023-02-07.

Webinar: Complexities of Open Source in Automotive

By community, licensing, News, security, Webinar

During our recent OpenChain Automotive Event we had some excellent talks. One that we decided to pull out of the main recording and release solo is ‘Complexities of Open Source in Automotive’ by Russ Eling. This type of high level overview is an excellent starting point for people in complex manufacturing industries that want to use our open source standards for licensing and security.

About Russ and OSS Consultants

OSS Consultants is an official OpenChain Partner with decades of experience. Russ at OSS Consultants has offered his time to speak with anyone that has questions about managing use of open source – even if it is as simple as how to get started on your open source journey. Simply send an email to info@ossconsultants.com to schedule a time.

Check Out The Rest Of Our Webinars

This is OpenChain Webinar #54, released on 2023-07-04.

Webinar: OpenSCA

By automation, community, licensing, News, security, Webinar

This webinar highlights a new open source tool for open source compliance and security that originates in China. This tool was created by a company called XMIRROR. The open source CLI offers SPDX support, so is immediate interest to tooling communities around the world, particularly from the perspective of integration with open source tooling frontend solutions.

Check Out The Recording

Check Out The Slides

Check Out The Rest Of Our Webinars

This is OpenChain Webinar #53, released on 2023-06-29.

Webinar: An Overview of SPDX 3.0

By automation, community, licensing, News, security, standards, Webinar

This webinar features Alexios Zavras, Chief Open Source Compliance Officer at Intel Corporation and a long-term friend and collaborator around the OpenChain Project. This time the topic was SPDX 3.0, a significant generational update to SPDX, a sister standard to OpenChain ISO/IEC 5230 and OpenChain ISO/IEC DIS 18974.

SPDX is a Software Bill of Materials (SBOM) specification, so it operates one layer down from the fundamental processes outlined by OpenChain’s standards, and it provides an excellent way to meet our requirements for an SBOM to be used by companies. The second generation of SPDX has been an ISO/IEC standard for two years as ISO/IEC 5962. The third generation shows interesting promise as a way to manage license compliance, security and more.

Watch The Webinar

Check Out The Slides

Check Out The Rest Of Our Webinars

This is OpenChain Webinar #50, released on 2023-04-31.