A Brief Introduction to OpenChain - June 2020
Download as PPTX, PDF0 likes229 views
The document outlines the OpenChain Project, which provides a framework for ensuring compliance in open source supply chains involving over 1400 members from various countries and a significant portion of Fortune 100 tech companies. It details self-certification processes, independent assessments, and third-party certification options to improve compliance and management practices for open source software. Additionally, it emphasizes collaboration among user companies to foster effective strategies for vulnerability management in software supply chains.
A Brief Introduction to OpenChain - June 2020
- 1. How do I trust my open source supply chain?
- 2. Context 2 1400+ Members From 41 Countries 80% of Fortune 100 Tech & Telecom 35,000+ Developers Contributing Code 170+ Open Source Projects $16B Shared Value This is the Linux Foundation
- 3. Open Compliance Program Solutions Processes Bill of Materials Tooling https://compliance.linuxfoundation.org/ SPS SPDX Tools
- 4. OpenChain Platinum Member Companies 4
- 5. The OpenChain Project defines the key requirements of a quality open source compliance program.
- 6. outbound upstream downstream inbound Training Policy Process OpenChain Defines Inflection Points
- 7. Result: Predictable B2B Compliance Activity
- 10. • Main List (3,700+ participants) • GitHub (105+ participants) • Automotive (115+ participants) • Reference Tooling (160+ participants) • China (105+ participants) • Japan (190+ participants) • Korea (40+ participants) • Taiwan (40+ participants) • India (40+ participants) • Germany (30+ participants) Work Groups + Lists + GitHub
- 11. Our Online Self-Certification Questionnaire
- 13. 13
- 14. 14
- 20. OpenChain in ISO – Formal Standardization The OpenChain Project has submitted our specification to ISO via Publicly Available Specification (PAS) in Joint Technical Committee 1 (JTC-1). The ISO submission is available at: • https://wiki.linuxfoundation.org/_media/openchain/openchainsp ec-2.1.draft.pdf Working in partnership with in partnership with Joint Development Foundation we expect to become a formal standard in Q3 2020.
- 21. The OpenChain standard can be met by: Self-Certification Independent Compliance Assessment Third Party Certification Freedom of Choice for Customers and Suppliers
- 22. Self-Certification is at the heart of the OpenChain industry standard. Companies can access a series of yes/no questions to determine if they have implemented the key requirements of a quality open source compliance program. These questions can be found here: https://certification.openchainproject.org Self-Certification
- 23. Independent Compliance Assessment works in the same was as the Independent Assessments in other standards. An independent party such as a law firm, consultancy or accounting firm reviews the product of an OpenChain Self-Assessment and offers guidance on whether they perceive it as complete. Independent Compliance Assessment
- 24. Third-Party Certification is a process whereby a certification authority guides a company through an OpenChain Conformance Process. The certification authority then issues a formal certification document. This activity maps precisely to the forms of third-party certification observed around automotive, infrastructure and similar fields. Third-Party Certification
- 25. The OpenChain industry standard has been carefully designed by user companies to identify the inflection points where a process, policy or training should be implemented in an open source compliance program. Our experience shows that self-certification is an effective method of reducing risk and increasing efficiency. That said, the choice of self-certification, independent compliance assessment or third-party certification depends on each business sector and customer base. We seek to provide freedom of choice.
- 26. OpenChain is run by user companies for user companies. This companies are collaborating to create clear, shared and effective approaches to managing open source code.
- 27. OpenChain is well positioned to support and improve supply chain management best practices applicable to vulnerability management. We currently have an active dialogue on how this can be accomplished and all parties are welcome to contribute.
- 28. Be Part of This Join our community: https://www.openchainproject.org/get-started Self-Certify or Health Check an organization: https://certification.openchainproject.org