Category

Featured

OpenChain On Security

By Featured, News

Over the last 12 months there have been several noteworthy concerns around open source and security. The exposure of vulnerabilities in software has revealed underlying issues with process management and ultimately with sustainability. The OpenChain Project, steward of ISO/IEC 5230:2020, the International Standard for open source compliance, has been at the forefront of addressing these matters.

In August 2021 we responded to market demand by releasing a Security Assurance Reference Guide. The first version of this document explained how ISO/IEC 5230 could be used through the lens of security. Like all our documentation, it was developed and released in the public arena, and subject to review and contributions from a wide array of stakeholders.

We are now working on the second iteration of this document. It does for security what ISO/IEC 5230 did for compliance: it provides a minimal, broadly applicable list of key requirements to institute a quality assurance program to address the domain space.

We do not intend to replace existing security standards. We do not intend to bloat ISO/IEC 5230. Instead, we are pursuing our proven approach of developing a real-world solution for a real-world problem that can be immediately deployed, and over time fits together with adjacent activities as neatly as a jigsaw puzzle.

For those new to this topic and wondering what OpenChain’s engagement means in practice, a summary of our Specification Work Group discussions throughout 2020-2021 is in order.

We are considering three paths for the security domain. One sees the Security Assurance Reference Guide maintaining its stance solely as a guide. Another sees the Security Assurance Reference Guide evolve into a Reference Specification that may become a de facto industry standard over time. Lastly, there is the option to have the Security Assurance Reference Guide evolve into an optional component for a future iteration of ISO/IEC 5230.

You can contribute to this activity by joining our bi-weekly global work team calls [1], our specification mailing list [2], and opening issues on the relevant repository in GitHub [3].

  1. https://www.openchainproject.org/community
  2. https://lists.openchainproject.org/g/specification
  3. https://github.com/OpenChain-Project/SecurityAssuranceGuide/tree/main/Guide/2.0

The OpenChain Project is far from alone in helping to address concerns around open source and security. The Open Source Security Foundation (OpenSSF) is a sister project at the Linux Foundation dedicated to securing the open source ecosystem. The Software Package Data Exchange Project (SPDX) maintains ISO/IEC 5962:2021, an International Standard for Software Bill of Materials. The Linux Foundation also hosts tools to help with automation in the space. We are collaborating to ensure the future of open source is secure.

You can expect a continuation of these activities throughout 2022. There will be an excellent opportunity for you to get involved during this quarter, as the OpenChain Project hosts a security summit to enable our extensive global community to share notes. To learn more about this, as well as our other activities, join one of our calls or one of our mailing lists. Everyone is welcome.

Get Started With Our Community

Attend The OpenChain Security Summit On February 17th and 18th

The Security Summit will take place on February 17th 2022 at 18:00 PST / February 18th 2022 02:00 UTC / 10:00 CST / 11:00 JST. It will be hosted on Zoom and it will be free to attend. It will also be recorded. You can expect to come away with a clear understanding of market conditions, how the Linux Foundation is addressing them, and where OpenChain fits into the picture.

OpenChain Summits 2022 – Security, Intellectual Property and Automation

By Featured, News

The OpenChain Project will host three summits throughout 2022. Each summit will be virtual, though our positioning and agenda will reflect a different geography for each topic covered. Here is what you can expect:

  1. Security (North America) on the 17th and 18th of February depending on your location
  2. Intellectual Property (China/Japan) – on the 17th and 18th of March depending on your location
  3. Automation (Germany) – Schedule Announced Soon

The Security Summit will take place on February 17th 2022 at 18:00 PST / February 18th 2022 02:00 UTC / 10:00 CST / 11:00 JST. It will be hosted on Zoom and it will be free to attend. It will also be recorded. You can expect to come away with a clear understanding of market conditions, how the Linux Foundation is addressing them, and where OpenChain fits into the picture.

The Intellectual Property Summit will take place on March 17th 2022 at 18:00 PST / February 18th 2022 02:00 UTC / 10:00 CST / 11:00 JST. It will be hosted on Zoom and it will be free to attend. It will also be recorded. You can expect it to provide a snapshot of current thinking around copyright, trademarks and patents in our domain.

The date and times of the Automation Summit will be announced shortly. You can expect it to brief you on the state-of-the-art around automation for compliance, security and project health.

The goal – as always – is to ensure you have the information necessary to make informed, effective decisions around the open source supply chain. We seek to build trust in the quality of programs used by you, your customers and your suppliers. We are proud to have taken significant strides in our field throughout 2021. We expect to push the boundaries of what is possible once again in 2022.

Japan Work Group: All Member Meeting #22 on the 21st of January

By Featured, News

The OpenChain Japan Work Group will hold their 22nd meeting on the 21st of January. This meeting will take place between 15:00 and 16:00 with a case study covering Mercari’s Open Source Program Office (OSPO). Big thank you, as usual, to SocioNext for hosting us.

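[Meeting Announcement] [22nd All Member Meeting (9th Online Meeting)]
This is the announcement for the next OpenChain Japan Workgroup All Member Meeting. The 22nd All Member Meeting (9th online meeting) will be held on Friday, January 21, 2022, from 15:00 to 16:00.
This talk will not be recorded, so please be sure to join on the day.
Venue: Zoom
https://socionext.zoom.us/j/99975267803?pwd=ekhxaHA3bVZUSVU5M0dVMkF2Z0pkQT09
Meeting ID: 99975267803 / Password: ]>guXS~6
Agenda:
15:00 – 15:02 Opening
15:02 – 15:10 Keynote by Shane Coughlan
15:10 – 15:20 About the OpenChain Japan WG
15:20 – 16:00 Case study: "Launching the OSPO at Mercari"
       Mercari, Inc.
       Intellectual Property Manager, Patent Attorney
       上野英和
16:00 Closing
For this meeting's case study, we plan to have the launch of the OSPO at Mercari presented.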

Learn More About The Japan Work Group

Marks and Clerk France Becomes The First OpenChain Law Firm Partner in France

By Featured, News

Leading intellectual property firm Marks and Clerk France is now able to advise clients on the implementation of open source programs, and enable them to achieve the OpenChain ISO/IEC 5230 standard.

To facilitate this advancement, Marks and Clerk France is pleased to announce a partnership with the OpenChain Project, and is able to assess and advise on open source programs to the OpenChain ISO/IEC 5230 standard.

Open Source Software is becoming increasingly common in software projects of all types, bringing with it both exciting opportunities and legal risks. ISO 5230 OpenChain has been developed to allow companies of all sizes, and from all sectors, to adopt the key requirements of a quality open source compliance program, and effectively manage potential risks. Marks and Clerk France offers considerable expertise and experience to support clients to strengthen existing processes, and build a standard-compliant process from the ground up.

Enrico Priori, Managing Partner of Marks and Clerk France stated, “We are pleased to announce that Marks and Clerk France has been selected as the first OpenChain Accredited Partner in France. This partnership demonstrates the deep expertise and experience of Marks and Clerk France’s Software Licensing practice to support our clients in adopting high-quality open source compliance programs. As a firm, we are hugely committed to the strengths of the Open Source movement, and are excited to work with our clients to help them fully benefit from – and contribute to – this brave new world.”

“OpenChain ISO 5230 provides a compelling solution to quality open source compliance,” says Shane Coughlan, OpenChain General Manager. “OpenChain offers the freedom of choice for companies to conform via self-certification, independent assessment, or third party certification and we are delighted to name Marks and Clerk France as our first partner in the country.” 

About Marks and Clerk France

Marks & Clerk is the largest firm of intellectual property advisers in the UK and is recognised as one of the world’s leading IP firms.  Its patent and trade mark attorneys offer a full range of intellectual property services – covering patents, trade marks, designs and copyright – for clients ranging from SMEs and spinouts to universities and multinationals. 

Marks and Clerk France was founded in 2005 as a spin-out of the in-house Intellectual Property Law department of a major French Aerospace and Defense Group. These in-house origins have left the firm with an exceptional grasp of the needs and priorities of their clients, which has been further reinforced over the intervening years by the arrival of other professionals with a similar industrial background. This in turn has led to the accumulation of a unique expertise in the management of the risks and opportunities associated with the use of Open Source material in a commercial context.

For more information contact Mark Bell mark.bell@fr.marks-clerk.com

or visit https://www.marks-clerk.com/expertise/open-source-third-party-code/

About OpenChain

The OpenChain Project maintains the International Standard for open source license compliance. This allows companies of all sizes and in all sectors to adopt the key requirements of a quality open source compliance program. This is an open standard and all parties are welcome to engage with our community, to share their knowledge, and to contribute to the future of our standard.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and industry adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage.

Linux is a registered trademark of Linus Torvalds.

Fieldfisher is the latest law firm to join the OpenChain Partner Program

By Featured, News

“It is with great pleasure that we welcome Chris and the rest of the team at Fieldfisher to the OpenChain Partner ecosystem,” says Shane Coughlan, OpenChain General Manager. “The availability of legal support is a vital part of ensuring an effective, efficient supply chain, and in the context of process management it can dramatically reduce uncertainty when rolling out an OpenChain ISO/IEC 5230 conformant program.”

“I am delighted to be working with OpenChain and, in doing so, supporting our clients to achieve better governance when it comes to open technologies,” says Chris Eastham, Partner, Fieldfisher.

About Fieldfisher

Fieldfisher is an exciting, forward-thinking organisation with key sector specialisms in technology, financial services, energy and natural resources, and life sciences.

In 2019, Fieldfisher was awarded a 5 star ranking for client service by The Legal 500. It was one of only five firms in the top 25 list of UK-headquartered firms to receive 5 stars based on client feedback. In 2021, our Technology and Privacy practices were top ranked as Tier 1 and Band 1 in the Legal 500 and Chambers rankings respectively, recognised as one of Europe’s leading law firms in these practices.

We regularly support the world’s biggest organisations and some of the most exciting growth companies. Our clients trust us with work that can have a huge impact on their business or organisation. 

We are a law firm built around people with all their diversity, and we strike a healthy balance between legal excellence and a down-to-earth practical approach to our clients’ needs. 

Onward Security Is the Latest Official OpenChain Project Partner

By Featured, News

OpenChain ISO/IEC 5230:2020 has a positive and active relationship with the security sector. Onward Security is our latest official partner and will bolster this part of our ecosystem support.

“Most IoT devices are developed with open source software, and the lack of security by design during product development and the integration of vulnerable third-party OSS into IoT devices are potentially fatal problems. Onward Security is pleased to partner with OpenChain to assist with ISO/IEC 5230 compliance assessment by offering HERCULES SecSAM, a Security Assessment Management platform, as well as security compliance services,” said Morgan Hung, General Manager of Onward Security.

“The OpenChain Project released a Security Assurance Reference Guide in August to address market demand. While our ISO/IEC standard is focused on open source license compliance, the inflection points it identifies are equally applicable to successful security process management,” says Shane Coughlan, OpenChain General Manager. “Our new relationship with Onward Security is another part of the larger picture to ensure every company, in every sector, of every size can get the information and support they need to excel.”

About Onward Security

Onward Security is a leading brand in cybersecurity compliance solutions for the Internet of Things. It has been selected as Best Cybersecurity Company – Asia Gold Winner by Cyber Security Excellence Awards. In addition to possessing an international IoT cybersecurity testing lab, it develops automated security assessment products with AI and machine learning features. It is dedicated to helping customers in IoT/IIoT equipment manufacturing, finance, telecom, and other industries quickly obtain security certification and effectively manage the risks and vulnerabilities of open source software to ensure cyber and product security.

The Institute of Software of the Chinese Academy of Sciences is the Second Third Party Certifier in China

By Featured, News

The Institute of Software of the Chinese Academy of Sciences (ISCAS) joins the OpenChain Partner Program as the second official OpenChain Third Party Certifier in China. This dramatically expands the services available to companies of all sizes in the region and beyond.

“China is the single most important market in the global supply chain, and we are proud to start the year with a significant announcement underlying our progress in this region,” says Shane Coughlan, OpenChain General Manager. “Two key goals for China will be continuing to grow our local community of user companies, and continuing to ensure that the infrastructure to support their work continually improves. ISCAS is a partner we are delighted to work with in this regard.”

About ISCAS

Founded on March 1, 1985, the Institute of Software of the Chinese Academy of Sciences (hereinafter ISCAS) is a comprehensive research institute dedicated to the research and development of computer science theory and high and new technology of software.

ISCAS has computer science, computer software, computer application technology, and information security as the key disciplines. The discipline directions are computer science and software theory, basic software technology and systems, theories, methods and technologies of Internet information processing, and comprehensive information system technology.

ISCAS has actively participated in local and international exchanges and cooperation, established extensive scientific and technological exchanges and cooperation with many domestic provinces and cities, and more than 40 countries and regions such as the United States, Europe, Japan and Australia, and established branches in Guangzhou, Guiyang, Qingdao, Nanjing and other places.

Chinese Information Processing Society of China, the Algorithm Professional Committee of Chinese Association for Cryptologic Research, and the Software Definition Promotion Committee of Chinese Institute of Electronics are affiliated with ISCAS. The academic journals sponsored by the Institute include Journal of Software, Journal of Chinese Information Processing, Computer Systems & Applications, and International Journal of Software and Informatics.

Over the past 30 years since its establishment, especially since it entered the pilot project of knowledge innovation of Chinese Academy of Sciences, ISCAS has achieved fruitful results in the field of computer science and software, and won 49 achievements at or above the academy, provincial and ministerial level (only the first completing organization is counted), including 1 first prize, 2 second prizes and 1 third prize of the National Natural Science Award; 9 second prizes and 2 third prizes of the National Science and Technology Progress Award. It is particularly worth mentioning that the first National Natural Science Award in the field of computer science came from the Institute of Software.

OpenChain in 2022

By Featured, News

The OpenChain Project and the OpenChain ISO/IEC 5230:2020 international standard had an exceptional 2021. From conformance announcements to new members, it was clear that the market was ready to gather around a shared solution for effective, efficient use of open source in supply chains.

The question is “what next?”

The answer is “a lot.”

We have three new governing board members to announce, new certifiers, new partners, new conformant organizations and – perhaps most important for the long-term – deeper engagement on the policy level across multiple countries.

As a member of our community you can expect to continue receiving support from global and national work groups, ever improving material to help with the adoption and use of OpenChain ISO/IEC 5230:2020, and to be kept up-to-date on everything important in the compliance sphere via our webinars.

From a strategic perspective we are executing on the vision shared at the beginning of 2021: to scale engagement from thousands to tens of thousands of companies. With recent developments regarding open source, security and supply chain management, the necessity of this is ever more clear.

There are three things to watch for in Q1 2022:

  • The new board member announcements and their implications for geographies and sectors,
  • Updated materials for suppliers to make OpenChain ISO/IEC 5230:2020 even easier,
  • Announcements regarding how we will work even more closely with others in the compliance and security domain.

Thank you for all your support in 2021. I look forward to collaborating with you to make 2022 another milestone in our field.

OpenChain Person of the Year: Mark Gisi

By Featured, News

As we head into the holiday season I wanted to take a moment and thank everyone for an exceptional year. The OpenChain Project has accomplished incredible things, from altering the status quo in the tooling landscape (and making it better) through to preparing our first online training course. Too many people to count assisted in this process. However, I wanted to give special thanks and acknowledgement to Mark Gisi, chairperson of the Specification Work Group. This year he led an effort to conclusively bridge the gap between OpenChain ISO/IEC 5230 and the security domain.

This work was far more than speculative: companies around the world began using our ISO/IEC standard to accomplish security goals, especially in light of recent international developments. The situation was both supported and challenged by the market reality of deployment before full community cohesion. For large companies this is never a serious concern, but for small companies trying to get up-to-speed it is our job (and our pleasure) to make sure they can match their peers, their suppliers and their customers as soon as possible.

Mark took this all in his stride and coordinated a multi-month effort with exceptional consensus to produce our Security Assurance Reference Guide in August. Since that date the guide has been available to all parties for review, and Mark further shepherded feedback from that review to determine if updates were needed in the near term. They were not, because you all hit it out of the ballpark, and we got this artifact to market at precisely the right time to address topics like the US Executive Order.

Mark, thank you.

Now, Mark is far from the only person who has done exceptional things. I want to particularly thank Balakrishna for shepherding our first online training course (with certification) through reviews by many, many parties. We go live on the 16th December, tomorrow, and change the market in that direction. The course, of course, is free. I also want to thank Oliver, who has been running the OpenChain Reference Tooling Work Group on a breathtaking schedule of bi-weekly meetings. The sheer amount of information collected and experience shared eclipses anything done before in that domain. And finally in this list (but not in terms of amazing contribution), I want to thank Max for running the OpenChain Automation Case Study, which took all the ingredients around the world, and showed how to make them turnkey, how to make them work in the supply chain, and how to contextualize it as business intelligence.

Shane Coughlan
OpenChain General Manager