Beyond ISO 5230 and ISO 18974 - Case Studies, AI Compliance and More
LF Management & Best Practices Portal
Stacking Standards + Solutions
Process Management Standards
Implementation Standards
Implementation Methods
ISO/IEC 5230:2020
Open Source License Compliance
ISO/IEC 18974:2023
Open Source Security Assurance
Sister Standards - Processes for Programs
ISO/IEC 5230 (License Compliance)
● Scopable program size
● Addresses inbound processes
● Addresses internal policy, training, process
● Addresses outbound processes
● Focus on process point
● Avoids prescriptive process content
ISO/IEC 18974 (Security Assurance)
● Scopable program size
● Addresses inbound processes
● Addresses internal policy, training, process
● Addresses outbound processes
● Focus on process point
● Avoids prescriptive process content
One utility of ISO standards is that they act as reputable shorthand in discussions, negotiations
and contracts, allowing everything from “document format” to “quality program” to be
communicated easily.
The OpenChain standards are an international baseline for quality in open source license
compliance and security assurance programs.
A Continual Heartbeat Of Adoption
A Strong History Of Crossing Markets
● BlackRock, Circle and KakaoBank are
three examples of crossing into finance.
● A Fellow from Lockheed Martin chairs
our Specification Work Group.
● From SoC to embedded to enterprise to
automotive to aviation, OpenChain
standards are built, used and supported.
Data Point: 31% of large German companies already use or plan to adopt OpenChain ISO/IEC 5230
Source: PwC, https://tinyurl.com/openchain-germany-31
A Continual Heartbeat Of Use
Companies announcing re-certification help to boost the perception of continued
industry value.
● BlackBerry - public announcement in April
● SocioNext - public announcement in May (today)
● Nanjing Fujitsu Nanda Software Technology Co., Ltd informed us of their re-certification in
February.
● Reminder: ISO standards can be adopted and used by any party, so we only get informed and
do PR on a discretionary basis.
Market Evolution
Procurement Negotiations
ISO/IEC 5230 and ISO/IEC 18974 provide a simple “ask” in procurement
negotiations across all industry verticals.
In the 2024/2025 period we expect:
● Increased use of industry standards instead of bespoke approaches for open
source procurement
● More extensive use of OpenChain standards in procurement
Mergers and Acquisitions
ISO/IEC 5230 and ISO/IEC 18974 provide a “floor” for understanding the
governance approach of an M&A target with regards to open source.
In the 2024/2025 period we expect:
● More legal professionals using OpenChain standards for M&A
● More documentation or case studies around the use of OpenChain standards in
this area
Supply Chain Management
ISO/IEC 5230 and ISO/IEC 18974 make it easy for customer companies to
describe open source license compliance and security assurance.
In the 2024/2025 period we expect:
● Increased supply chain requests for OpenChain conformant programs
● Emergence of open source maturity models favoring OpenChain standards
● More government policies referencing OpenChain standards
Government Policy
Addressing NIST / CISA / Executive Order
● OpenChain has always been prepared for the use of SBOMs as a market
requirement.
● OpenChain ISO/IEC 5230 and ISO/IEC 18974 ask companies to have SBOMs
related to open source license compliance and security assurance.
Addressing the CRA
● OpenChain has always been prepared for the type of record-keeping that the
Cyber Resilience Act (CRA) raises as a market requirement.
● OpenChain ISO/IEC 5230 and ISO/IEC 18974 ask companies to create and
archive verification materials related to open source license compliance and
security assurance.
Relationship With Other Standards
Working With SPDX ISO/IEC 5962 + Future SPDX
ISO/IEC 5230 and ISO/IEC 18974 have always required that organizations have a
bill of materials for open source software passing through conformant programs.
They inherently align with SPDX ISO/IEC 5962.
In the 2024/2025 period we expect:
● The release of SPDX 3.0 to provide the foundation for an updated version of
SPDX ISO/IEC 5962:2021.
● The SPDX 3.0 profile approach to enhance integration with ISO/IEC 5230 and
ISO/IEC 18974 for interested parties.
SPDX ISO/IEC 5962:2021
● Able to represent SBOMs from binary images
and track back to the source files and
snippets.
● Specification is freely available from ISO site.
● Future updates are tracked live at: https://spdx.github.io/spdx-spec
● More information at: https://spdx.dev
SPDX 3.0 Introduces Profiles – Launched April 2024
● Security information - vulnerability details related to software
● Build related information - provenance and reproducible builds
● Information about AI models - ethical, security, and model data
● Information about datasets - AI and other data use cases
● Minimal subset to support industry supply chain workflows
● Information about copyrights and licenses - supports compliance
● Information specific to software
● Information used across all profiles
In the Automotive Industry, License Compliance verification can be accomplished using SPDX Lite in
spreadsheets. This can help support:
● Small software developers
● Legal teams
● Editors of manuals
SPDX Lite helps to exchange SBOMs between full SBOM formats and the spreadsheet-centric
license management world.
SPDX Lite Created By OpenChain Japan Work Group
Broad Compatibility
● OpenChain standards are compatible with all other SBOM formats
● In general, OpenChain standards are designed to work with all other
standards related to open source process management or solution
implementation
● The goal is to be practical and useful for companies of all sizes and in all
markets
Reference Materials
Existing Reference Material
The OpenChain Project has extensive reference material on GitHub:
● Reference open source training slides
● Policy template material
● Supplier education material
● Self-certification checklists and questionnaires
● + many, many more documents
Case Studies
Training Courses
Data Point: 80+ webinars covering all aspects of open source management and governance
https://openchainproject.org/webinars
Forthcoming Reference Material
The OpenChain Project is developing new reference material for 2024:
● Updated training slides
● Updated supplier education materials
● SBOM quality guide
● “Explainers” for different business roles
● Maturity models
Community and Commercial Support
Community Support
Industry-Specific Work Groups
● Automotive (Summer
● Telecom (Spring 2021~)
Regional User Groups
● Japan (Dec 2017~)
● Korea (Jan 2019~)
● India (Sept 2019~)
● China (Sept 2019~)
● Taiwan (Sept 2019~)
● Germany (Jan 2020~)
● UK (June 2020~)
Main Work Groups
● Specification (Spring 2016~)
● Education (Autumn 2020~)
Community Work Groups
● Tooling (Summer 2019~)
● Export Control (Winter 2022~)
● Public Policy (Winter 2022~)
Community Study Groups
● AI (January 2024~)
Commercial Support
Tooling / Automation
Third-Party Certification
Consultancies
Legal Providers
OpenChain will support the continued evolution of professional open source management
Draft Future Versions of Licensing / Security
Licensing Specification (3rd Generation Draft):
https://github.com/OpenChain-Project/License-Compliance-
Specification/blob/master/Official/en/3.0/openchain-license-
Security Specification (2nd Generation Draft):
https://github.com/OpenChain-Project/Security-Assurance-
Assurance-Specification/2.0/en/openchain-security-specification-2.0.md
Track This: Our Monthly Calls
Our current Specification Work Group Chair is Chris Wood, Fellow at Lockheed
Martin.
The Specification Work Group has:
● One call for North America / Europe per month
● One call for North America / Asia per month
Everyone is welcome to join, learn and contribute
OpenChain will also support conversations around new areas of open collaboration and governance
Introducing Our AI Compliance Study Group
Since January 2024 the OpenChain Project has facilitated an AI Compliance
Study Group.
They are focused on:
● Determining commonalities in AI Compliance in
the Supply Chain
● Assessing whether these commonalities are suitable
for development into reference material
● And ensuring all voices are heard
In Conclusion
What Is Coming Next For The Market?
There has been a steady, inevitable trend for open source in the business domain:
● Open source is becoming more professional
● Open source is becoming more accountable
● Open source is becoming more sustainable
In 2024/2025 the OpenChain Project expects this trend to bring open source
closer to traditional Software Asset Management (SAM).
In the 2024/2025 Period
1. ISO/IEC 5230 and ISO/IEC 18974 will continue to assist in the
professionalization of the supply chain, with specific impact in procurement,
M&A and supply chain management
2. We will continue to grow our reference library of material to assist companies
adopting and using our standards.
3. We will also support process management discussions in new domains like AI
Compliance
Shane Coughlan
scoughlan@linuxfoundation.org
+81 80 4035 8083
Let’s Talk More

Codeigniter VS Cakephp Which is Better for Web Development.pdf
 
Preparing Non - Technical Founders for Engaging a Tech Agency
Preparing Non - Technical Founders for Engaging  a  Tech AgencyPreparing Non - Technical Founders for Engaging  a  Tech Agency
Preparing Non - Technical Founders for Engaging a Tech Agency
 
APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
 
Empowering Growth with Best Software Development Company in Noida - Deuglo
Empowering Growth with Best Software  Development Company in Noida - DeugloEmpowering Growth with Best Software  Development Company in Noida - Deuglo
Empowering Growth with Best Software Development Company in Noida - Deuglo
 
Fundamentals of Programming and Language Processors
Fundamentals of Programming and Language ProcessorsFundamentals of Programming and Language Processors
Fundamentals of Programming and Language Processors
 
SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
 
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, FactsALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
 
Mobile app Development Services | Drona Infotech
Mobile app Development Services  | Drona InfotechMobile app Development Services  | Drona Infotech
Mobile app Development Services | Drona Infotech
 
Hand Rolled Applicative User Validation Code Kata
Hand Rolled Applicative User ValidationCode KataHand Rolled Applicative User ValidationCode Kata
Hand Rolled Applicative User Validation Code Kata
 
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
 

OpenChain @ LF Japan Executive Briefing - May 2024

  • 10. A Continual Heartbeat Of Use Companies announcing re-certification helps to boost perception of continued industry value. ● BlackBerry - public announcement in April ● SocioNext - public announcement in May (today) ● Nanjing Fujitsu Nanda Software Technology Co., Ltd informed us of their re-certification in February. ● Reminder: ISO standards can be adopted and used by any party, so we only get informed and do PR on a discretionary basis.
  • 12. Procurement Negotiations ISO/IEC 5230 and ISO/IEC 18974 provide a simple “ask” in procurement negotiations across all industry verticals. In the 2024/2025 period we expect: ● Increased use of industry standards instead of bespoke approaches for open source procurement ● More extensive use of OpenChain standards in procurement
  • 13. Mergers and Acquisitions ISO/IEC 5230 and ISO/IEC 18974 provide a “floor” for understanding the governance approach of an M&A target with regards to open source. In the 2024/2025 period we expect: ● More legal professionals using OpenChain standards for M&A ● More documentation or case studies around the use of OpenChain standards in this area
  • 14. Supply Chain Management ISO/IEC 5230 and ISO/IEC 18974 make it easy for customer companies to describe open source license compliance and security assurance. In the 2024/2025 period we expect: ● Increased supply chain requests for OpenChain conformant programs ● Emergence of open source maturity models favoring OpenChain standards ● More government policies referencing OpenChain standards
  • 16. Addressing NIST / CISA / Executive Order ● OpenChain has always been prepared for the use of SBOMs as a market requirement. ● OpenChain ISO/IEC 5230 and ISO/IEC 18974 ask companies to have SBOMs related to open source license compliance and security assurance.
  • 17. Addressing the CRA ● OpenChain has always been prepared for the type of record-keeping that the Cyber Resilience Act (CRA) raises as a market requirement. ● OpenChain ISO/IEC 5230 and ISO/IEC 18974 ask companies to create and archive verification materials related to open source license compliance and security assurance.
  • 19. Working With SPDX ISO/IEC 5962 + Future SPDX ISO/IEC 5230 and ISO/IEC 18974 have always required that organizations have a bill of materials for open source software passing through conformant programs. They inherently align with SPDX ISO/IEC 5962. In the 2024/2025 period we expect: ● The release of SPDX 3.0 to provide the foundation for an updated version of SPDX ISO/IEC 5962:2021. ● The SPDX 3.0 profile approach to enhance integration with ISO/IEC 5230 and ISO/IEC 18974 for interested parties.
  • 20. SPDX ISO/IEC 5962:2021 ● Able to represent SBOMs from binary images and track back to the source files and snippets. ● Specification is freely available from ISO site. ● Future updates live tracked at: https://spdx.github.io/spdx-spec More information at https://spdx.dev
  • 21. SPDX 3.0 Introduces Profiles – Launched April 2024 ● Security information - vulnerability details related to software ● Build related information - provenance and reproducible builds ● Information about AI models - ethical, security, and model data ● Information about datasets - AI and other data use cases ● Minimal subset to support industry supply chain workflows ● Information about copyrights and licenses - supports compliance ● Information specific to software ● Information used across all profiles
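As an added example, not part of this briefing or of any OpenChain or SPDX deliverable, here is the kind of check a conformant program can run over the SBOMs both standards require: a Python script that audits an SPDX 2.x JSON document (the generation ISO/IEC 5962:2021 standardizes) for the per-package data that license compliance and security assurance each depend on. The field names are SPDX 2.3 JSON; the sample document, the hypothetical "libfoo" package and the gap categories ("license", "security", "provenance") are this example's own assumptions.

```python
"""Audit an SPDX 2.x JSON SBOM for the per-package data a license-compliance
program (concluded license) and a security-assurance program (version plus a
purl or CPE to match against advisories) need. Added example; gap categories
are this script's own convention, not part of ISO/IEC 5230 or 18974."""
import json

# Constructed sample document, not a real product SBOM. openssl and zlib are
# recorded the way a conformant program would want; "libfoo" is a hypothetical
# package that shows the typical gaps and is not linked by any relationship.
SAMPLE_SBOM_JSON = """
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-firmware-1.0",
  "documentNamespace": "https://example.invalid/spdx/example-firmware-1.0",
  "creationInfo": {"created": "2024-05-01T00:00:00Z",
                   "creators": ["Tool: example-sbom-gen"]},
  "packages": [
    {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl",
     "versionInfo": "3.0.13",
     "downloadLocation": "https://github.com/openssl/openssl",
     "licenseConcluded": "Apache-2.0",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                       "referenceType": "purl",
                       "referenceLocator": "pkg:generic/openssl@3.0.13"}]},
    {"SPDXID": "SPDXRef-Package-zlib", "name": "zlib",
     "versionInfo": "1.3.1",
     "downloadLocation": "https://zlib.net/zlib-1.3.1.tar.gz",
     "licenseConcluded": "Zlib",
     "externalRefs": [{"referenceCategory": "SECURITY",
                       "referenceType": "cpe23Type",
                       "referenceLocator": "cpe:2.3:a:zlib:zlib:1.3.1:*:*:*:*:*:*:*"}]},
    {"SPDXID": "SPDXRef-Package-libfoo", "name": "libfoo",
     "downloadLocation": "NOASSERTION",
     "licenseConcluded": "NOASSERTION"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
     "relatedSpdxElement": "SPDXRef-Package-openssl"},
    {"spdxElementId": "SPDXRef-Package-openssl", "relationshipType": "DEPENDS_ON",
     "relatedSpdxElement": "SPDXRef-Package-zlib"}
  ]
}
"""

# SPDX values that mean "nothing recorded here".
UNSET = {"", "NOASSERTION", "NONE"}
# External reference types a vulnerability scanner can key on.
VULN_ID_TYPES = {"purl", "cpe22Type", "cpe23Type"}


def load_sample():
    """Parse the constructed sample document."""
    return json.loads(SAMPLE_SBOM_JSON)


def package_gaps(pkg):
    """Return the list of data gaps for one SPDX package object."""
    gaps = []
    if pkg.get("licenseConcluded", "") in UNSET:
        gaps.append("license: licenseConcluded is missing or NOASSERTION")
    if not pkg.get("versionInfo"):
        gaps.append("security: versionInfo is missing, advisories cannot be matched")
    ref_types = {ref.get("referenceType") for ref in pkg.get("externalRefs", [])}
    if not ref_types & VULN_ID_TYPES:
        gaps.append("security: no purl or CPE external reference")
    if pkg.get("downloadLocation", "") in UNSET:
        gaps.append("provenance: downloadLocation is not recorded")
    return gaps


def audit_sbom(doc):
    """Map each package SPDXID to its gaps (empty list means complete)."""
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("expected an SPDX 2.x JSON document, got %r"
                         % doc.get("spdxVersion"))
    return {pkg["SPDXID"]: package_gaps(pkg) for pkg in doc.get("packages", [])}


def orphan_packages(doc):
    """Packages no relationship points at or from: they are in the SBOM but
    nothing says how they reach the product, which an auditor will ask about."""
    linked = set()
    for rel in doc.get("relationships", []):
        linked.add(rel.get("spdxElementId"))
        linked.add(rel.get("relatedSpdxElement"))
    return [pkg["SPDXID"] for pkg in doc.get("packages", [])
            if pkg["SPDXID"] not in linked]


if __name__ == "__main__":
    sbom = load_sample()
    for spdx_id, gaps in audit_sbom(sbom).items():
        print(spdx_id, "OK" if not gaps else "; ".join(gaps))
    print("orphans:", orphan_packages(sbom))
```

Run stand-alone it reports openssl and zlib as complete, four gaps for libfoo, and libfoo as an orphan. The same two functions work on a real SPDX 2.x JSON file loaded with `json.load`; for SPDX 3.0 documents the Licensing and Security profiles carry the equivalent fields under different names, so the checks would need to be re-keyed rather than reused as-is.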
  • 22. In the Automotive Industry, License Compliance verification can be accomplished using SPDX Lite in spreadsheets. This can help support: ● Small software developers ● Legal teams ● Editors of manuals SPDX Lite helps to exchange SBOMs between full SBOM formats and the spreadsheet-centric License management world. SPDX Lite Created By OpenChain Japan Work Group
  • 23. Broad Compatibility ● OpenChain standards are compatible with all other SBOM formats ● In general, OpenChain standards are designed to work with all other standards related to open source process management or solution implementation ● The goal is to be practical and useful for companies of all sizes and in all markets
  • 25. Existing Reference Material The OpenChain Project has extensive reference material on GitHub: ● Reference open source training slides ● Policy template material ● Supplier education material ● Self-certification checklists and questionnaires ● + many, many more documents
  • 28. 80+ Webinars covering all aspects of open source management and governance https://openchainproject.org/webinars Data Point
  • 29. Forthcoming Reference Material The OpenChain Project is developing new reference material for 2024: ● Updated training slides ● Updated supplier education materials ● SBOM quality guide ● “Explainers” for different business roles ● Maturity models
  • 31. Community Support
    Industry-Specific Work Groups ● Automotive (Summer ● Telecom (Spring 2021~)
    Regional User Groups ● Japan (Dec 2017~) ● Korea (Jan 2019~) ● India (Sept 2019~) ● China (Sept 2019~) ● Taiwan (Sept 2019~) ● Germany (Jan 2020~) ● UK (June 2020~)
    Main Work Groups ● Specification (Spring 2016~) ● Education (Autumn 2020~)
    Community Work Groups ● Tooling (Summer 2019~) ● Export Control (Winter 2022~) ● Public Policy (Winter 2022~)
    Community Study Groups ● AI (January 2024~)
  • 32. Commercial Support Tooling / Automation Third-Party Certification Consultancies Legal Providers
  • 33. OpenChain will support the continued evolution of professional open source management
  • 34. Draft Future Versions of Licensing / Security Licensing Specification (3rd Generation Draft): https://github.com/OpenChain-Project/License-Compliance- Specification/blob/master/Official/en/3.0/openchain-license- Security Specification (2nd Generation Draft): https://github.com/OpenChain-Project/Security-Assurance- Assurance-Specification/2.0/en/openchain-security-specification-2.0.md
  • 35. Track This: Our Monthly Calls Our current Specification Work Group Chair is Chris Wood, Fellow at Lockheed Martin. The Specification Work Group has: ● One call for North America / Europe per month ● One call for North America / Asia per month Everyone is welcome to join, learn and contribute
  • 36. OpenChain will also support conversations around new areas of open collaboration and governance
  • 37. Introducing Our AI Compliance Study Group Since January 2024 the OpenChain Project has facilitated an AI Compliance Study Group. They are focused on: ● Determining commonalities in AI Compliance in the Supply Chain ● Assessing whether these commonalities are suitable for development into reference material ● And ensuring all voices are heard
  • 39. What Is Coming Next For The Market? There has been a steady, inevitable trend for open source in the business domain: ● Open source is becoming more professional ● Open source is becoming more accountable ● Open source is becoming more sustainable In 2024/2025 the OpenChain Project expects this trend to bring open source closer to traditional Software Asset Management (SAM).
  • 40. In the 2024/2025 Period 1. ISO/IEC 5230 and ISO/IEC 18974 will continue to assist in the professionalization of the supply chain, with specific impact in procurement, M&A and supply chain management 2. We will continue to grow our reference library of material to assist companies adopting and using our standards. 3. We will also support process management discussions in new domains like AI Compliance