last 12 months there have been several noteworthy concerns around open source
and security. The exposure of vulnerability in software has exposed underlying
issues with process management and ultimately with sustainability. The
OpenChain Project, steward of
ISO/IEC 5230:2020, the International Standard for open source compliance,
has been at the forefront of addressing these matters.
2021 we responded to market demand by releasing a Security Assurance
Reference Guide. The first version of this document explained how ISO/IEC 5230
could be used through the optics of security. Like all our documentation, it
was developed and released in the public arena, and subject to review and contributions
from a wide array of stakeholders.
We are now
working on the second
iteration of this document. It does for security what ISO/IEC 5230 did for
compliance: it provides a minimal, broadly applicable list of key requirements
to institute a quality assurance program to address the domain space.
We do not
intend to replace existing security standards. We do not intend to bloat
ISO/IEC 5230. Instead, we are pursuing our proven approach of developing a real-world
solution for a real-world problem that can be immediately deployed, and over
time fits together with adjacent activities as neatly as a jigsaw puzzle.
For those new
to this topic and wondering what OpenChain’s engagement means in practice, a
summary of our Specification Work Group discussions throughout 2020-2021 is in
considering three paths for the security domain. One sees the Security
Assurance Reference Guide maintaining its stance solely as a guide. Another
sees the Security Assurance Reference Guide evolve into a Reference
Specification that may become a de facto industry standard over time. Lastly,
there is the option to have the Security Assurance Reference Guide evolve into
an optional component for a future iteration of ISO/IEC 5230.
contribute to this activity by joining our bi-weekly global work team calls ,
our specification mailing list , and opening issues on the relevant repository
in GitHub .
OpenChain Project is far from alone in helping to address concerns around open
source and security. The Open Source Security
Foundation (OpenSSF) is a sister project at the Linux Foundation dedicated
to securing the open source ecosystem. The Software
Package Data Exchange Project (SPDX) maintains ISO/IEC 5962:2021, an
International Standard for Software Bill of Materials. The Linux Foundation also
hosts tools to
help with automation in the space. We are collaborating to ensure the future of
open source is secure.
expect a continuation of these activities throughout 2022. There will be an
excellent opportunity for you to get involved during this quarter, as the
OpenChain Project hosts a security summit to enable our extensive global
community to share notes. To learn more about this, as well as our other activities,
join one of our calls or one of our mailing lists. Everyone is welcome.
Get Started With Our Community
Attend The OpenChain Security Summit On February 17th and
The Security Summit will take place on February 17th 2022 at
17:00 PST / February 18th 2022 02:00 UTC / 09:00 CST / 10:00 JST. It
will be hosted on Zoom and it will be free to attend. It will also be recorded.
You can expect to come away with a clear understanding of market conditions,
how the Linux Foundation is addressing them, and where OpenChain fits into the