
OpenChain Webinar Today 2021-08-16 @ 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST

 

OpenChain Webinar Today:

We have a bit of a treat today. Helpful Engineering will discuss open innovation in the pandemic response with a focus on governance. Their talk will include a case study of an open source license violation (unpacking the situation, not naming names).

Learn more about this organization:
https://helpfulengineering.org/

Join the call:
https://zoom.us/j/4377592799

Need to confirm your timezone?
2021-08-16 @ 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST


OpenChain ISO 5230 – Security Assurance Reference Guide Now Available

 

The OpenChain Project has a mission to establish trust in the Open Source from which Software Solutions are built. The International Standard OpenChain ISO 5230 addresses this matter from the perspective around open source license compliance. Many of the same processes are equally applicable to open source security and for this reason we are providing guidance regarding how they can be applied.

The OpenChain Security Assurance Reference Guide 1.0 has a similar format to OpenChain ISO 5230. It can be regarded as a map enabling a user to transpose the proven processes of ISO 5230 to the security domain. This first iteration of the reference guide focuses on the core process of identifying and addressing “known vulnerabilities.” Over time we will evolve the guide to refine its effectiveness.

The OpenChain Security Assurance Reference Guide should be understood as a method to complement rather than compete with security specific standards. It is quite possible that an organization that is compliant with another given standard will automatically meet all the processes outlined in the OpenChain Security Assurance Reference Guide. This is by design.

As the OpenChain Project adds additional reference guides over time (e.g., quality, export compliance, malware and functional safety) the value of OpenChain ISO 5230 will grow. This work – as with all activity inside the OpenChain Project – will be undertaken by the community of user companies for the benefit of the community.

Get The Reference Guide
https://github.com/OpenChain-Project/SecurityAssuranceGuide/tree/main/Guide/1.0

Send Feedback To The Specification Team
https://lists.openchainproject.org/g/specification


Re: FINAL REMINDER: OpenChain Security Guidance Document - Last Call

Mark Gisi
 

Hi Nicole,

Thanks for the feedback. We briefly discussed your concern during the Specification working group meeting yesterday.

> I know we'd like to focus on the open source part,

The Specification working group's mission is: "Establishing trust in the Open Source from which Software Solutions are built."

> but as realistically there are software components shipped down the supply chain that exist of both open source and added self-developed code, shouldn't we at least add somewhere that people need to be aware of the existing application specific security standards?

It is true the focus is on the open source part of the hybrid solutions you referred to. Most software solutions of at least moderate complexity will typically include some % of open source. In many cases (IoT devices, SaaS) it could be between 70-90%. We initially focus on the core process of identifying "known vulnerabilities" in the open source part because it typically represents a large % and that is where much of the data about vulnerabilities exists. That is where most companies start from and invest most of their effort in. Being able to detect vulnerabilities in the self-developed code (i.e., the non-open source part) is a more complex problem with much less public data and hence lower return on investment.

Because our focus is about establishing trust in open source, the initial focus should contribute to that. We anticipate we will broaden the scope over time based on community feedback (such as yours).

> 62443 anyway, why bother with the OpenChain security addendum at all...

OpenChain will likely complement as opposed to compete with many other standards. It is quite possible that an organization that is compliant with another given standard will automatically be compliant with the OpenChain security addendum. That is ok - a supplier can claim compliance with both standards (something many suppliers like to do). Because the lion's share of the software of many suppliers is comprised of open source, OEMs/manufacturers have become very interested in the health and well-being of the open source part. The key is for a manufacturer to obtain assurance that their suppliers are handling open source correctly (with respect to license compliance and security assurance). As OpenChain adds additional assurances over time (e.g., quality, export compliance, malware and functional safety) the more valuable the OpenChain compliance suite becomes. That is - OpenChain will be able to provide a one stop shop for open source assurance (trust) which is a powerful value proposition.

> I'd love to discuss this in today's call, but unfortunately I'm already off to another appointment...

We look forward to your future participation. These are the kinds of concerns we need to be discussing.

best,
Mark

Mark Gisi
Director, Open Source Program Office
Empowering Customers to Prosper using Open Source
(510) 749-2016





-----Original Message-----
From: main@lists.openchainproject.org <main@lists.openchainproject.org> On Behalf Of Nicole Pappler
Sent: Monday, August 9, 2021 10:57 PM
To: OpenChain Specification <specification@lists.openchainproject.org>; main@lists.openchainproject.org
Subject: Re: [openchain] FINAL REMINDER: OpenChain Security Guidance Document - Last Call


Hi all,

I went through the security addendum, and what I'm now really wondering is, shouldn't we address the existence of the other existing security standards? Like IEC 62443 or ISO 21434? I know we'd like to focus on the open source part, but as realistically there are software components shipped down the supply chain that exist of both open source and added self-developed code, shouldn't we at least add somewhere that people need to be aware of the existing application specific security standards? That they need to evaluate if they are applicable to their scope? Not sure if we should make it a hard requirement, but I'm afraid that completely ignoring existing standards would weaken the OpenChain statement here - as people might say, I have to adhere to IEC/ISO 62443 anyway, why bother with the OpenChain security addendum at all...

I'd love to discuss this in today's call, but unfortunately I'm already off to another appointment...

Cheers,

Nicole


On 10.08.21 at 07:40, Shane Coughlan wrote:
We begin in 20 minutes :)

REMINDER: OpenChain Bi-Weekly Work Group Call - 2021-08-10 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

We are finalizing this document:
https://1drv.ms/w/s!AsXJVqby5kpnkSaMT5WBZwJBONuB

In this Zoom room:
https://zoom.us/j/4377592799

The finished document will be released this week. It will provide context to all users of OpenChain ISO 5230 on application in the context of security.




--
——————————————————————————————————————
Nicole Pappler
email: nicole.pappler@PAPPSTARpromotion.de
mobile: +49 15156078183

PAPPSTARpromotion GmbH
Nürnberger Str. 2
91717 Wassertrüdingen
Germany

Registered office: Wassertrüdingen; Commercial register: Amtsgericht Ansbach, HRB 7127
Managing director: Prof. Dr. Andreas Bärwald
http://www.PAPPSTARpromotion.de


Re: FINAL REMINDER: OpenChain Security Guidance Document - Last Call

Nicole Pappler
 

Hi all,

I went through the security addendum, and what I'm now really wondering is, shouldn't we address the existence of the other existing security standards? Like IEC 62443 or ISO 21434? I know we'd like to focus on the open source part, but as realistically there are software components shipped down the supply chain that exist of both open source and added self-developed code, shouldn't we at least add somewhere that people need to be aware of the existing application specific security standards? That they need to evaluate if they are applicable to their scope? Not sure if we should make it a hard requirement, but I'm afraid that completely ignoring existing standards would weaken the OpenChain statement here - as people might say, I have to adhere to IEC/ISO 62443 anyway, why bother with the OpenChain security addendum at all...

I'd love to discuss this in today's call, but unfortunately I'm already off to another appointment...

Cheers,

Nicole


On 10.08.21 at 07:40, Shane Coughlan wrote:
We begin in 20 minutes :)

REMINDER: OpenChain Bi-Weekly Work Group Call - 2021-08-10 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

We are finalizing this document:
https://1drv.ms/w/s!AsXJVqby5kpnkSaMT5WBZwJBONuB

In this Zoom room:
https://zoom.us/j/4377592799

The finished document will be released this week. It will provide context to all users of OpenChain ISO 5230 on application in the context of security.





FINAL REMINDER: OpenChain Security Guidance Document - Last Call

 

We begin in 20 minutes :)

REMINDER: OpenChain Bi-Weekly Work Group Call - 2021-08-10 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

We are finalizing this document:
https://1drv.ms/w/s!AsXJVqby5kpnkSaMT5WBZwJBONuB

In this Zoom room:
https://zoom.us/j/4377592799

The finished document will be released this week. It will provide context to all users of OpenChain ISO 5230 on application in the context of security.


REMINDER: OpenChain Security Guidance Document - Last Call - OpenChain Bi-Weekly Work Group Call - 2021-08-10 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

 

REMINDER: OpenChain Bi-Weekly Work Group Call - 2021-08-10 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

We are finalizing this document:
https://1drv.ms/w/s!AsXJVqby5kpnkSaMT5WBZwJBONuB

In this Zoom room:
https://zoom.us/j/4377592799

The finished document will be released tomorrow. It will provide context to all users of OpenChain ISO 5230 on application in the context of security.


Japan entering Obon vacation - Shane + Japanese community going to be mostly away from keyboard

 

Full services will resume on the 16th of August. Meanwhile, we will still have some exciting releases next week with a major conformance announcement and the publication of our security guidance document.


OpenChain Welcomes Cybellum As An Official Partner

 

"Cybellum, a leader in embedded product security and license compliance management for mission critical industries, is the latest vendor to join the OpenChain Project partner program.”

Learn more:
https://www.openchainproject.org/news/2021/08/04/openchain-welcomes-cybellum-as-an-official-partner


Registration for Open Compliance Summit (2021-12-06) is open

 


Cybellum: The State of Automotive Software Security

 

Potentially interesting report here:

Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting:
https://meetings.hubspot.com/scoughlan


OpenChain Japan Work Group Meeting #20 - Virtual Meeting #7

 

This was a special event with a bunch of corporate case studies. Learn more:
https://www.openchainproject.org/news/2021/08/03/japan-wg-20


Re: OpenChain Webinar #28 – Securing the Development & Supply Chain of Open Source Software

 

No problem! Attached!

Please remember: it’s a draft 🙂

On Aug 4, 2021, at 11:44, Gaokun (King) via lists.openchainproject.org <king.gao=huawei.com@lists.openchainproject.org> wrote:

Hi shane,

Thank you for sharing this video with us. That is really helpful; could you share the PPT?

Best
King

Gao Kun (King Gao)
2012 Labs

Huawei Technologies Co., Ltd.
Mobile: 15986646117
Email: king.gao@huawei.com
Address: Huawei Base, Bantian, Longgang District, Shenzhen; Postal code: 518129
Huawei Technologies Co., Ltd.
Bantian, Longgang District, Shenzhen 518129, P.R. China


-----Original Message-----
From: main@lists.openchainproject.org [mailto:main@lists.openchainproject.org] On Behalf Of Shane Coughlan
Sent: August 4, 2021 9:16
To: OpenChain Main <main@lists.openchainproject.org>
Subject: [openchain] OpenChain Webinar #28 – Securing the Development & Supply Chain of Open Source Software

Full recording here:
https://www.openchainproject.org/news/2021/08/03/openchain-webinar-28-securing-the-development-supply-chain-of-open-source-software









Re: Re: [openchain] OpenChain Webinar #28 – Securing the Development & Supply Chain of Open Source Software

Gaokun (King)
 

Hi shane,

Thank you for sharing this video with us. That is really helpful; could you share the PPT?

Best
King



-----Original Message-----
From: main@lists.openchainproject.org [mailto:main@lists.openchainproject.org] On Behalf Of Shane Coughlan
Sent: August 4, 2021 9:16
To: OpenChain Main <main@lists.openchainproject.org>
Subject: [openchain] OpenChain Webinar #28 – Securing the Development & Supply Chain of Open Source Software

Full recording here:
https://www.openchainproject.org/news/2021/08/03/openchain-webinar-28-securing-the-development-supply-chain-of-open-source-software


Re: [taiwan-wg] We have another Chinese translation assistance on our GitHub - any extra thoughts welcome!

 

Thank you Lucien! Great feedback and understood! 🙂

On Jul 30, 2021, at 19:21, Lucien C.H. Lin - 林誠夏 <lucien.cc@...> wrote:


Dear Shane,

I believe that having the "OpenChain Project" translated as "OpenChain項目" instead of the "OpenChain專案" suggested by PeterDaveHello was done by me; it was originally submitted for the Traditional Chinese version, not cited from the Simplified Chinese version in any way. Actually, back in the old days the first draft of the Simplified Chinese version was made by me as well, based on the Traditional one for the 1.1 spec. However, taking "OpenChain專案" to replace the old translation seems to express it better nowadays. If PeterDaveHello would like to submit his suggestion in pptx or in odp format to you or to the community, I would be very glad to have it proofread again to get us an updated revision.

All the best and wish you a productive outcome at the COSCUP 2021 tomorrow!

:)

20210730 UTC+8 18:15 Lucien

On Fri, Jul 30, 2021 at 5:46 PM, Shane Coughlan <scoughlan@...> wrote:
PeterDaveHello: "I just found that Pre-Release version of Traditional Chinese Supplier Education Pack on https://www.openchainproject.org/supplier-education-pack, which is very useful, but some terms at page 2, 40, 48, 54, 77, 80 & 81 of openchain-curriculum-for-2-0-zh-Hant.pptx, seem to be the usage of Simplified Chinese, not Traditional Chinese, "專案" would be more suitable than "項目" here.

However, it's a Microsoft PowerPoint "pptx" file inside a zip file, doesn't seem to be easy to send a pull request for it with a reviewable diff comparison, how should I suggest or help the translation? Is there any data source that I can send a pull request to?"


My reply so far:

If you edit the PPTX file and submit it as a pull request, we can do community review and merge. It would be fantastic to have your contribution.


OpenChain Webinar #28 – Securing the Development & Supply Chain of Open Source Software

 


OpenChain Webinar #27 – PwC Readiness Assessment

 


OpenChain Tooling Work Group Meeting #39

 


OpenChain Today and Tomorrow – COSCUP Keynote

 


Today is event recording catch-up day

 

Each recording will be clearly identified by the email subject line.


OpenChain Bi-Weekly Webinar - 2021-08-03 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

 

Today we are talking about 'Securing the Development & Supply Chain of Open Source Software (OSS)'

Join Zoom Meeting
https://zoom.us/j/4377592799

Meeting ID: 437 759 2799
One tap mobile
+13017158592,,4377592799# US (Washington DC)
+13126266799,,4377592799# US (Chicago)

Need to confirm your timezone?
OpenChain Bi-Weekly Webinar - 2021-08-03 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST
