The OpenChain Specification working group's core mission is to develop program standards that establish trust in the Open Source from which modern-day software solutions are built. The OpenChain project's flagship specification, ISO 5230 (the International Standard for Open Source Compliance), focuses on establishing trust around Open Source license compliance. A natural next step in support of the broader mission was to develop a guide that identifies and presents the minimum core set of requirements every Security Assurance program should satisfy with respect to the use of Open Source software. Initially, the scope is limited to ensuring that an organization vets the Open Source it uses against known, publicly available security vulnerability issues (e.g., CVEs, GitHub dependency alerts, package manager alerts, and so forth). The guide's scope may expand over time based on community feedback.
Establishing trust in the Open Source from which Software Solutions are built