The OpenChain Security Assurance Specification 1.0 is now available. This is the result of over one year of work throughout the global OpenChain community. It is applicable to an open source management activity related to security compliance. We regard this as adjacent but different to license compliance.
The OpenChain Project’s core mission is to build trust in the supply chain. Our flagship specification, ISO/IEC 5230:2020, is International Standard for Open Source Compliance and builds trust in that domain. It defines the key requirements of a quality open source compliance program. The natural next step is to identify the key requirements of a quality open source security assurance program.
Initially the scope of this specification is limited to ensuring that an organization vets open source with regards to known publicly available security vulnerability issues (e.g., CVEs, GitHub dependency alerts, package manager alerts and so on). The security assurance specification’s scope may expand over time based on community feedback.
This specification is built from the Security Assurance Reference Guide 2.0 (Release Candidate 1) published on 2022-03-28. That completed reference specification document went through a final approval process via editing on our specification list and calls, before graduating to a governing board vote to transform into this published security specification on 2022-09-14.
We will proceed to ISO/IEC JTC-1 PAS submission with an estimated completion date of circa mid-2023. In the meantime, our security assurance specification is ready for market adoption as a de facto standard.
Prior to the ISO/IEC JTC-1 PAS submission, we have some time for sanity-checks and minor adjustments. We begin that process today and will complete it on October 4th 2022 (2022-10-04). There are two tasks for the community ahead of that date:
- Check our Security Assurance Specification 1.0 against the Security Assurance Reference Guide 2.0 (Release Candidate 1) to ensure Sections 1, 2 and 3 match. You can find the Security Assurance Reference Guide 2.0 (Release Candidate 1) here:
- Check the OpenChain Security Assurance Specification 1.0 for any typographical errors that have snuck through our existing editing process. You can find the document linked at the start of this email or here:
You can submit issues highlighting areas you would like review on our GitHub repository. Please note, due to this being a specification, we will only accept issues for discussion. We will not accept pull requests or remixes.
In the coming days we will have broader distribution of the specification launch, including on social media and via blog posts. However, you can begin sharing it immediately with your teams and peers.
The scope of this reference specification may expand over time based on community feedback. However, comments and notes should be confined to the existing scope at this juncture. Our specification is complete barring minor adjustments for readability, editing and clarity.
This specification is licensed under Creative Commons Attribution License 4.0 (CC-BY-4.0). You can submit issues highlighting areas you would like review on our GitHub repository. Due to this being a specification, we will only accept issues for discussion. We will not accept pull requests or remixes. You can get more involved with our work beyond submitting issues via our community calls, mailing lists and events: https://www.openchainproject.org/community