Re: FINAL REMINDER: OpenChain Security Guidance Document - Last Call

Nicole Pappler

Hi all,

I went through the security addendum, and what I'm now really wondering is, shouldn't we address the existence of the other existing security standards? Like IEC 62443 or ISO 21434? I know we'd like to focus on the open source part, but as realistically there are software components shipped down the supply chain that consist of both open source and added self-developed code, shouldn't we at least add somewhere that people need to be aware of the existing application-specific security standards? That they need to evaluate if they are applicable to their scope? Not sure if we should make it a hard requirement, but I'm afraid that completely ignoring existing standards would weaken the OpenChain statement here, as people might say, I have to adhere to IEC/ISO 62443 anyway, why bother with the OpenChain security addendum at all...

I'd love to discuss this in today's call, but unfortunately I'm already off to another appointment...



On 10.08.21 at 07:40, Shane Coughlan wrote:

We begin in 20 minutes :)

REMINDER: OpenChain Bi-Weekly Work Group Call - 2021-08-10 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

We are finalizing this document:!AsXJVqby5kpnkSaMT5WBZwJBONuB

In this Zoom room:

The finished document will be released this week. It will provide context to all users of OpenChain ISO 5230 on application in the context of security.

Nicole Pappler
email: nicole.pappler@...
mobile: +49 15156078183

PAPPSTARpromotion GmbH
Nürnberger Str. 2
91717 Wassertrüdingen

Registered office: Wassertrüdingen. Registration court: Amtsgericht Ansbach, HRB 7127
Managing Director: Prof. Dr. Andreas Bärwald
