
Introducing ISO/IEC DIS 18974, Our Standard For Open Source Security Assurance

By Featured, News

The OpenChain Security Assurance Specification 1.1 is now ISO/IEC DIS 18974, OpenChain Security Assurance Specification. It is a de-facto industry standard and a draft ISO/IEC international standard.

What Is This?

ISO/IEC DIS 18974 defines the key requirements of a quality open source security assurance program. It was previously known as the OpenChain Security Assurance Specification 1.1.

What Does It Do?

ISO/IEC DIS 18974 helps organizations check open source for known security vulnerability issues like CVEs, GitHub dependency alerts or package manager alerts.

It identifies:

  1. The key places to have security processes
  2. How to assign roles and responsibilities
  3. How to ensure the sustainability of those processes

ISO/IEC DIS 18974 is lightweight, easy to read and is supported by our global community with free reference material and conformance resources. Pending a successful ballot, it is expected to become a formal ISO/IEC International Standard in mid-2023.
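The standard asks organizations to check the open source they use against known-vulnerability sources (CVEs, GitHub dependency alerts, package-manager alerts) but does not prescribe a tool. As an added illustration, and not code from the OpenChain Project or from the standard itself, the following Python sketch shows the core of such a check: a component inventory matched against advisory records that carry introduced/fixed version ranges. Every package name, version and advisory ID below is constructed for the example; the IDs are not real CVEs and the version comparison is a deliberate simplification.

```python
"""
Added example (not from the OpenChain/ISO/IEC 18974 text itself): a minimal,
offline check of an open source component inventory against a local list of
known-vulnerability advisories. The advisory shape (package plus
introduced/fixed version events) mirrors the OSV-style records behind GitHub
dependency alerts, but every component, advisory ID and version below is
constructed for illustration; the IDs are not real CVEs.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    ecosystem: str  # e.g. "PyPI", "npm"
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    ecosystem: str
    name: str
    introduced: str           # first affected version (inclusive)
    fixed: Optional[str]      # first fixed version (exclusive); None = no fix yet
    summary: str


def parse_version(v: str, width: int = 4) -> Tuple[int, ...]:
    """Dotted numeric versions only ('1.4.2'), zero-padded so that
    '1.2' == '1.2.0'. Non-numeric suffixes are ignored, which is a
    simplification: real checks need PEP 440 / semver semantics."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    parts = parts[:width] + [0] * (width - len(parts))
    return tuple(parts)


def is_affected(component: Component, adv: Advisory) -> bool:
    """True when the component is the advised package and its version lies in
    [introduced, fixed), or is >= introduced when no fix exists yet."""
    if (component.ecosystem.lower(), component.name.lower()) != (
            adv.ecosystem.lower(), adv.name.lower()):
        return False
    v = parse_version(component.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def find_known_vulnerabilities(components, advisories) -> List[Tuple[Component, Advisory]]:
    """Cross every inventory entry with every advisory and return the matches."""
    return [(c, a) for c in components for a in advisories if is_affected(c, a)]


# Constructed sample inventory and advisory feed (not real packages or IDs).
INVENTORY = [
    Component("PyPI", "examplelib", "1.4.2"),
    Component("PyPI", "examplelib", "2.0.0"),
    Component("npm", "sample-parser", "0.9.1"),
    Component("npm", "sample-parser", "1.1.0"),
]

ADVISORIES = [
    Advisory("EXAMPLE-2023-0001", "PyPI", "examplelib", "1.0.0", "1.5.0",
             "constructed: input validation issue fixed in 1.5.0"),
    Advisory("EXAMPLE-2023-0002", "npm", "sample-parser", "0.0.0", None,
             "constructed: no fixed release published yet"),
]


def report(components=INVENTORY, advisories=ADVISORIES) -> List[str]:
    """One line per finding, suitable for a ticket or a build log."""
    return [f"{a.advisory_id}: {c.ecosystem}/{c.name} {c.version} ({a.summary})"
            for c, a in find_known_vulnerabilities(components, advisories)]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run as-is it reports three findings: the 1.4.2 release of the constructed `examplelib` falls inside the fixed range, and both `sample-parser` versions match the advisory that has no fix. In a real program the advisory list would come from a live feed (OSV or the GitHub Advisory Database), version comparison would follow the ecosystem's own rules, and the output would be kept with the release record so the check can be shown to have happened.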

What Should You Do?

From today, you can adopt ISO/IEC DIS 18974 through self-certification or in collaboration with one of our official partners. Your adoption will also be valid for ISO/IEC 18974:2023. The first company to announce a program using ISO/IEC DIS 18974 was Interneuron in the UK, and the first company to announce whole entity adoption was BlackBerry.

History

This specification is built from the source material of ISO/IEC 5230:2020, the International Standard for open source license compliance (specifically OpenChain 2.1, which became ISO/IEC 5230 via the JTC-1 PAS Transposition Process).

This specification was drafted by our community as a Security Assurance Reference Guide due to interest in applying ISO/IEC 5230 processes to the security domain. The draft specification went through a review process via our specification list and calls before a governing board vote to transform it into a published security specification on 2022-09-14.

Improving The Standard

ISO/IEC DIS 18974, the industry standard for open source security assurance, is available for everyone to review, adopt and to submit suggestions for improvement. We collect these comments on the OpenChain Security Assurance Specification GitHub Repository. You can add your comments in the “Issues” section.

You can also send questions and feedback to the mailing list or by email to the OpenChain Project administration team if you prefer to remain anonymous. We discuss the suggestions on our calls and via our mailing lists to decide what to refine, update or improve in future versions.



Learn More About Our Standardization Status

Joint Development Foundation (JDF), the PAS Submitter used by the OpenChain Project, has provided our Draft International Standard (DIS) number for the OpenChain Security Assurance Specification 1.1. This is the number used in the JTC-1 PAS Transposition ballot process prior to the granting of formal ISO/IEC standard status and obtaining the related ISO/IEC number. The OpenChain Security Assurance Specification 1.1 is now ISO/IEC DIS 18974, OpenChain Security Assurance Specification.

JDF has also received an update on the timing of our JTC-1 PAS Transposition ballot for DIS 18974, OpenChain Security Assurance Specification. We are currently scheduled for late March 2023. Pending a successful initial ballot, we are on schedule for having our formal ISO/IEC designation in mid-2023. Our expected ISO/IEC number for the OpenChain Security Assurance Specification 1.1 will be ISO/IEC 18974:2023. The formal name of the standard is expected to be ISO/IEC 18974:2023, OpenChain Security Assurance Specification.

CESI is the Latest OpenChain Partner and Third-Party Certifier

By Featured, News

China Electronics Standardization Institute (CESI) is the latest official partner of the OpenChain Project. From today, CESI is offering third-party certification around the standards produced by the OpenChain Project, with an initial focus on ISO/IEC 5230:2020, the International Standard for open source license compliance.

“The OpenChain Project is delighted to deepen our collaboration with CESI,” says Shane Coughlan, OpenChain General Manager. “CESI has an exceptionally important role in helping the world’s most populous country engage with, leverage and innovate around open source. Their new status as an official partner of the OpenChain Project opens doors for more companies in China to begin using our standards, and to begin benefiting from increased efficiency in their supply chains.”

“CESI is delighted to become an official partner of the OpenChain Project,” says Liyun Yang, Director of Cloud Computing Research Office. “We will offer third-party certification and assist in developing next generation versions of the OpenChain standards to help support Chinese companies, and the wider global supply chain.”

About CESI

Founded in July 1963, CESI is a nonprofit institution directly under the MII that is engaged in standardization, conformity assessment and measurement activities in the field of electronic information technologies. Authorized by government competent departments, CESI organizes the development of national and industry standards and participation in the international standardization activities in electronic information technologies. CESI provides product certification, quality system certification, experiments and tests, measurement and calibration as well as training for the public.

The objective of CESI is to become a world-renowned, domestically authoritative institution for standardization and conformity assessment in the field of electronic information technologies.

TÜV NORD Taiwan is the latest OpenChain Partner

By Featured

TÜV NORD Taiwan is the latest official OpenChain Partner. TÜV NORD Taiwan was founded in 1988 and is one of the leading providers of quality, safety, information technology, and renewable energy solutions. The company has highly qualified employees and offers national and international customers a complete, one-stop service.

“We are delighted to begin our official partnership with TÜV NORD Taiwan,” says Shane Coughlan, OpenChain General Manager. “The availability of certification and other support services is critical to ensure companies have options when using our standards for license compliance and security assurance. Especially in mission critical industries like automotive, the option of third-party certification alongside self-certification is vitally important.”

About TÜV NORD Taiwan

TÜV NORD Taiwan is one of the world’s largest technical service providers.

We owe our leading market position to our technical competence and a wide range of engineering support, testing and servicing activities in the Systems, Mobility, Certification, Energy, training and International Divisions.

With over 14,000 employees in more than 70 countries of Europe, Asia, America and Africa, the TÜV NORD GROUP is actively committed to its national and international customers. Its broad consulting, service and testing/inspection portfolio encompasses both specific individual tests/inspections and also management of complex safety solutions.

The TÜV NORD GROUP is made up of the following divisions: Mobility, Industrial Services, International, Natural Resources and Training and Human Resources. As a customer-oriented competence centre, it is in constant contact with its customers for analyzing, consulting, developing individual solutions and joint implementation with the customer.

TÜV NORD GROUP customers benefit from the broad, well-founded expertise of the consultants and inspectors. Through their understanding of the subject and the customer, the employees form the backbone of the company’s success.

OpenChain ISO/IEC Featured In Journal Of Software (软件学报)

By Featured, News

OpenChain ISO/IEC 5230:2020 is featured positively in the ‘Survey on Open-source Software Supply Chain Security’ published in the Journal Of Software (软件学报) Volume 33, Issue 3, 2023.

This article by JI Shou-Ling, WANG Qin-Ying, CHEN An-Ying, ZHAO Bin-Bin, YE Tong, ZHANG Xu-Hong, WU Jing-Zheng, LI Yun, YIN Jian-Wei and WU Yan-Jun is worth reading in full for insight from a key market space for open source.

In recent years, the vigorous development of open source software and the modern software development and supply models have greatly facilitated the rapid iteration and evolution of open source software, resulting in increased social benefits. The emerging collaborative software development model of open source has transformed the software development supply process from a relatively linear path to a complex network structure. Within open-source software’s complex and intertwined supply relationships, the overall security risk trend has significantly increased, drawing increasing attention from the academic and industrial communities. This work tries to define the new open-source software supply chain model and, based on attacks that have occurred over the past decade, summarizes the threat model and security trends of the open-source software supply chain. For securing the open-source software supply chain, this work provides a systematic overview from the perspectives of risk identification and reinforced defense and also highlights the new challenges and opportunities.

https://www.jos.org.cn/josen/article/abstract/6717

Want To Learn More About Journal Of Software?

The Journal of Software (ISSN 1000-9825) is a Chinese comprehensive academic journal of computer software which is jointly hosted by the Institute of Software, Chinese Academy of Sciences (ISCAS) and the China Computer Federation (CCF). Founded in 1990, the Journal of Software focuses on the latest innovative high-level scientific and technological achievements of great significance in the field of computer software. It advocates academic democracy and promotes academic discussion and exchange among researchers in and out of China.

Check out their website: https://www.jos.org.cn/josen/home?id=20171219032526650&name=Home

OpenChain Project One Slide Overview Updated

By Featured, News

The one slide overview of the OpenChain Project has been updated to provide simple, clear messaging about how and why our work provides value to companies in the supply chain.

This document is available in PDF format, PNG format, PPTX format or ODP format. You may take it, use it, share it and remix it freely using the terms of the CC0 license, effectively public domain.

You can help us improve this document, translate it and convert it into new formats through the OpenChain GitHub Reference Library. We are actively seeking a Markdown version for ease of future iteration.

ISO/IEC 5230 One Pager Updated

By Featured, News

The ISO/IEC 5230 one page overview has been updated to provide simple, clear messaging about how and why the International Standard for open source license compliance provides value to companies in the supply chain.

This document is available in PDF format, PNG format or InDesign format. You may take it, use it, share it and remix it freely using the terms of the CC0 license, effectively public domain.

You can help us improve this document, translate it and convert it into new formats through the OpenChain GitHub Reference Library. We are actively seeking a Markdown version for ease of future iteration.

OpenChain Export Control Work Group – Third Meeting – 2023-03-07 – Recording

By Featured, News

The OpenChain Export Control Work Group held its third meeting on the 7th of March at 08:00 UTC. The focus was on reviewing the new volunteer project being set up at https://github.com/crypto-law-survey to explore the continuation of Bert’s http://www.cryptolaw.org/ as a general community resource.

OpenChain Webinar #49 – FOSDEM Recap

By Featured, News, Webinar

This OpenChain Webinar featured a FOSDEM recap by Philippe Ombredanne of NexB for everyone who did not attend the event in Belgium at the start of 2023. In 2023 FOSDEM had over 8,000 participants and 771 presentations, making it one of the largest open source events in the world by a large margin. This webinar will be of particular interest to people exploring open source tooling for open source compliance or security.