OpenChain Security Assurance Specification

In October 2022 the OpenChain Project made available the OpenChain Security Assurance Specification version 1.1, a best practice for managing known security vulnerabilities in the open source components, libraries and frameworks that enter the software supply chain. This specification is expected to graduate as an ISO/IEC International Standard in the middle of 2023.

The original ISO 5230 OpenChain Standard was focused on open source license compliance. The OpenChain Project community noticed that end-user organisations were also applying ISO 5230 OpenChain in the security domain, and therefore decided to develop the security assurance specification to satisfy that market demand.

The high level specification is described below. Its goal is to help organisations identify:

  1. the key places to have security processes
  2. how to assign roles and responsibilities
  3. how to ensure the sustainability of their approach

Figure 1. The OpenChain Security Assurance Requirements

A fundamental requirement is to identify and track vulnerable open source components in the supply chain and to produce a Software Bill of Materials (SBOM) for each release of a solution. This is done by implementing Software Composition Analysis (SCA) technology, which inventories the components in a release and matches that inventory against published vulnerability data.
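To make the SBOM plus SCA mechanism concrete, the following is an added illustration (not code from the OpenChain Project or from Source Code Control Limited) of the core matching step an SCA tool performs: read a CycloneDX-style SBOM for one release, compare each component's version against an advisory feed, and report the components that fall inside an affected version range. The SBOM fragment, the advisory entries and their `ADV-PLACEHOLDER-*` identifiers are all constructed for this example; a real tool would pull advisories from a vulnerability database and key its matching on the package URL (purl) rather than the bare name.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX-style SBOM for a fictional release (not a real product).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "examplelib", "version": "1.2.3", "purl": "pkg:pypi/examplelib@1.2.3"},
    {"type": "library", "name": "otherlib",   "version": "4.0.1", "purl": "pkg:pypi/otherlib@4.0.1"},
    {"type": "library", "name": "thirdlib",   "version": "2.5.0", "purl": "pkg:npm/thirdlib@2.5.0"}
  ]
}
"""

# Constructed advisory feed with placeholder ids. Each entry says which versions
# are affected: from "introduced" (inclusive) up to "fixed" (exclusive); a
# "fixed" of None means no fixed release exists yet.
ADVISORIES: List[Dict] = [
    {"id": "ADV-PLACEHOLDER-0001", "name": "examplelib", "introduced": "1.0.0", "fixed": "1.2.4", "severity": "HIGH"},
    {"id": "ADV-PLACEHOLDER-0002", "name": "otherlib",   "introduced": "3.0.0", "fixed": "4.0.0", "severity": "CRITICAL"},
    {"id": "ADV-PLACEHOLDER-0003", "name": "thirdlib",   "introduced": "2.5.0", "fixed": None,    "severity": "MEDIUM"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple.

    Assumption for this example: versions are purely numeric (1.2.3). Real SCA
    tools use ecosystem-specific version rules (PEP 440, semver, deb, ...).
    """
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True if version lies in [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


def load_components(sbom_json: str) -> List[Tuple[str, str]]:
    """Extract (name, version) pairs from a CycloneDX JSON document."""
    doc = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in doc.get("components", [])]


def match_advisories(sbom_json: str, advisories: List[Dict]) -> List[Dict]:
    """Return one finding per (component, advisory) pair where the shipped
    version is inside the advisory's affected range."""
    findings = []
    for name, version in load_components(sbom_json):
        for adv in advisories:
            if adv["name"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    # A missing fixed version is the case that needs a mitigation
                    # decision rather than a simple upgrade.
                    "fix_available": adv["fixed"] is not None,
                    "fixed_in": adv["fixed"],
                })
    return findings


def finding_ids(sbom_json: str, advisories: List[Dict]) -> List[str]:
    """Advisory ids that apply to this release, in SBOM order."""
    return [f["advisory"] for f in match_advisories(sbom_json, advisories)]


if __name__ == "__main__":
    for f in match_advisories(SBOM_JSON, ADVISORIES):
        fix = f"upgrade to {f['fixed_in']}" if f["fix_available"] else "no fixed release; needs mitigation"
        print(f"{f['severity']:8} {f['component']}@{f['version']}  {f['advisory']}  ({fix})")
```

Running the block reports `examplelib@1.2.3` (inside the affected range, fix available in 1.2.4) and `thirdlib@2.5.0` (affected, no fix yet), while `otherlib@4.0.1` is clear because it is already at or past the fixed release. Re-running the same matching whenever the advisory feed changes is what lets an SBOM holder answer, per release, whether a newly disclosed vulnerability affects them.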

SBOMs have received a lot of attention since the White House issued an Executive Order to Improve the Nation's Cybersecurity, which includes recommendations for SBOMs being part of the supply chain:

"...providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website"

"...buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product. Those who operate software can use SBOMs to quickly and easily determine whether they are at potential risk of a newly discovered vulnerability..."

This order has progressed into the DHS Software Supply Chain Risk Management Act of 2021.

The EU Cyber Resilience Act, currently in draft, has similar requirements.

Figure 2. Tracking of Open Source Component Vulnerabilities


Source Code Control Limited provides a range of services to help organisations manage their open source software supply chain. Our services guide organisations on their journey to adopt and conform to both ISO 5230 OpenChain and OpenChain Security Assurance.

For more information on our open source services visit link... or contact us using the button below.


For more information about the OpenChain Security Assurance Specification

Download PDF


OpenChain Security Summit 2022

For more information or to schedule an informal discussion with a consultant