Module 2 - Open Source Compliance and Security
Module 2 - Achieving Compliance and Security
- Goals:
Understanding of managing compliance and security risks, operational fulfilment using TustSource -
- Contents:
Compliance & Security goals, risk management approach, handling compliance risk, handling technical risk (security, viability),
Part I: achieving compliance , practical questions (cases), TrustSource tools to achieve compliance (understanding legal settings in detail, functionality of legal engine, private licenses, black- & whitelists for components and licenses, etc.), detailed assessment of a notice file, collecting attributions, change notifications making use of DeepScan to qualify sources, quizz
Part II: managing and assessing vulnerabilities, finding further vulnerability information, limitations of vulnerability data, examples analysing vulnerability data, using vulnerability reports, assessing viability, versions-analysis, forwarding tasks/tickets, handling developer versions, muting vulnerabilities, quizz
Part III: making use of infrastructure, 3rd party & COTS, handling private and commercial licenses, using linked modules in a different context , COTS report, SOUP list, quizz, Summary and test -
- Target Groups: project Managers, compliance Managers, developers
Module 1 - Compliance basics
Module 1 - Compliance Basics
- Goals:
Create awareness for the topic, introduce basic meanings -
- Contents:
Challenge of OSC (clarify direct vs. transitive dependencies) , recent and important cases, What if not?, basic terms, grants, obligations & their consequences, limitations and the termination of grants, matching to basic license classifications, check basic understanding, sample cases, roles and their responsibilities, general compliance process, Overview of the OpenChain specification, summary & test -
- Target Groups:
developers, administrators, compliance managers, product managers, project managers, senior managers
Module 4 - Developer Guidelines
Module 4 - Developer Guidelines
- Goals:
Provide understanding of relevant Compliance goals and artefacts , provide basic understanding of TrustSource elements as well as how to use them to achieve compliance -
- Contents:
Explain basic TrustSource constructs (Scans, Analysis, Reports, project settings, etc.), explain Compliance Artefacts (BoM, Notice File, SOUP-List, Compliance Report, etc.), clarify Developers responsibilities (Compliance & Security), TrustSource Support tools (using the UI, filtering, searching, dependency graphs), manage loose coupling and modification, how to manage settings, explain legal circumstances and their impact, Project manager responsibilities (Compliance & Security), TrustSource tools (Legal Analysis, Security Analysis, Viability Analysis, VersionCheck, different Reports), Understanding the approval flow, approval Dry-Run, integrating approvals (Git-flow, Github-flow), using projects and modules to structure work, running tests, using linked modules, adding infrastructure modules, integrating COTS, qualifying external repositories, sample assessments, resolution of sample cases (making it green), summary & test -
- Target Groups:
Developer, Project Manager, Administrators, Compliance Managers -
Module 5 - Procurement
Module 5 - Procurement
- Goals:
Understand the challenges to OS compliance poses to purchase departments - Contents:
Challenges in adding 3rd party and proprietary components, OS impact on purchasing agreements, managing 3rd party licenses in TrustSource, COTS & SOUP, components manager role, requesting 3rd parties to provide inbound BoMs, mutli-org-setup of TrustSource, alternative scanning approaches, summary & check -
- Target Groups: Purchasers, Developers, Project managers
Module 6 - Audit
Module 6 - Audit
- Goals:
Provide understanding of how to conduct an OS audit - Contents:
Scoping, the audit process, the deliverables, evidence, evidence, evidence, how to audit, escalation, version management, tooling support, binary analysis, source code analysis (repositories), build time analysis, legal compliance, security, other tests, what TrustSource can do for you, compiling a report, summary and check
- Target Groups:
Compliance Manager, Developer
Module 7 - TrustSource Administration
Module 7 - Tools & Tooling / TrustSource
- Goals: Provide basics of Tooling and TrustSource Administration
- Contents:
Open Source Compliance Capability map. matching open source tools, TrustSource Architecture, TrustSource Services, Users, LDAP & Identity integration, MFA, inviting external users, managing roles and rights, general settings, handling API and API keys, throtteling and usage limitations, configuring environment specific settings, using multi-entity setup, information about system status, contacting sup- port, stay tuned
- Target Groups: TrustSource administrators
Module 3 - Open Source Governance
Module 3 - Governance
Open Source Governance is key to achieve Open Source Compliance.
- Goals:
Understand the challenges of achieving and maintaining compliance across large organisations and how TrustSource may help - Contents:
understand the OpenChain Specification and OC Self certification procedu- re, Challenges of OS Compliance in large organisations, Goals of Governance, OS Governance Board and OS Governor, OS Policy ingredients, Policy distribution, TrustSource support for OS policy distribution, Inbound governance, Outbound Go- vernance, Committer Governance, Working contracts and OS Governance / work time vs sparetime, International law and work contracts in the context of OS gover- nance, managing OS and external workforces , Summary & test
Target group: compliance managers, CISOs, business unit respsonsibles
Module 8 - Recent Developments
Module 8 - Recent Developments
Open Source is on the move – tools, legal requirements and business models are constantly changing. This module gives an overview of the current developments of the last 12 months
- Current case law and new legal requirements
- New and updated licensing conditions
- Overview of new tools, features and functions
- Duration: approx. 60 minutes
Target group: developers, project managers, product owners, compliance managers, architects