Module 2 - Open Source Compliance and Security

Module 2 - Achieving Compliance and Security

 

  • Goals:
    Understanding of managing compliance and security risks, operational fulfilment using TustSource
  • Contents:
    Compliance & Security goals, risk management approach, handling compliance risk, handling technical risk (security, viability),
    Part I: achieving compliance , practical questions (cases), TrustSource tools to achieve compliance (understanding legal settings in detail, functionality of legal engine, private licenses, black- & whitelists for components and licenses, etc.), detailed assessment of a notice file, collecting attributions, change notifications making use of DeepScan to qualify sources, quizz
    Part II: managing and assessing vulnerabilities, finding further vulnerability information, limitations of vulnerability data, examples analysing vulnerability data, using vulnerability reports, assessing viability, versions-analysis, forwarding tasks/tickets, handling developer versions, muting vulnerabilities, quizz
    Part III: making use of infrastructure, 3rd party & COTS, handling private and commercial licenses, using linked modules in a different context , COTS report, SOUP list, quizz, Summary and test 
  • Target Groups: project Managers, compliance Managers, developers


Modul Basics

Module 1 - Compliance basics

Module 1 - Compliance Basics

 

  • Goals:
    Create awareness for the topic, introduce basic meanings
  • Contents:
    Challenge of OSC (clarify direct vs. transitive dependencies) , recent and important cases, What if not?, basic terms, grants, obligations & their consequences, limitations and the termination of grants, matching to basic license classifications, check basic understanding, sample cases, roles and their responsibilities, general compliance process, Overview of the OpenChain specification, summary & test
  • Target Groups:
    developers, administrators, compliance managers, product managers, project managers, senior managers


Module 4 - Developer Guidelines

Module 4 - Developer Guidelines

 

  • Goals:
    Provide understanding of relevant Compliance goals and artefacts , provide basic understanding of TrustSource elements as well as how to use them to achieve compliance
  • Contents:
    Explain basic TrustSource constructs (Scans, Analysis, Reports, project settings, etc.), explain Compliance Artefacts (BoM, Notice File, SOUP-List, Compliance Report, etc.), clarify Developers responsibilities (Compliance & Security), TrustSource Support tools (using the UI, filtering, searching, dependency graphs), manage loose coupling and modification, how to manage settings, explain legal circumstances and their impact, Project manager responsibilities (Compliance & Security), TrustSource tools (Legal Analysis, Security Analysis, Viability Analysis, VersionCheck, different Reports), Understanding the approval flow, approval Dry-Run, integrating approvals (Git-flow, Github-flow), using projects and modules to structure work, running tests, using linked modules, adding infrastructure modules, integrating COTS, qualifying external repositories, sample assessments, resolution of sample cases (making it green), summary & test
  • Target Groups:
    Developer, Project Manager, Administrators, Compliance Managers


Module 5 - Procurement

Module 5 - Procurement

 

  • Goals:
    Understand the challenges to OS compliance poses to purchase departments
  • Contents:
    Challenges in adding 3rd party and proprietary components, OS impact on purchasing agreements, managing 3rd party licenses in TrustSource, COTS & SOUP, components manager role, requesting 3rd parties to provide inbound BoMs, mutli-org-setup of TrustSource, alternative scanning approaches, summary & check
  • Target Groups: Purchasers, Developers, Project managers


Module 6 - Audit

Module 6 - Audit

 

  • Goals:
    Provide understanding of how to conduct an OS audit 
  • Contents:
    Scoping, the audit process, the deliverables, evidence, evidence, evidence, how to audit, escalation, version management, tooling support, binary analysis, source code analysis (repositories), build time analysis, legal compliance, security, other tests, what TrustSource can do for you, compiling a report, summary and check
  • Target Groups:
    Compliance Manager, Developer


Module 7 - TrustSource Administration

Module 7 - Tools & Tooling / TrustSource

 

  • Goals: Provide basics of Tooling and TrustSource Administration
  • Contents:
    Open Source Compliance Capability map. matching open source tools, TrustSource Architecture, TrustSource Services, Users, LDAP & Identity integration, MFA, inviting external users, managing roles and rights, general settings, handling API and API keys, throtteling and usage limitations, configuring environment specific settings, using multi-entity setup, information about system status, contacting sup- port, stay tuned
  • Target Groups: TrustSource administrators


Module 3 - Open Source Governance

Module 3 - Governance

Open Source Governance is key to achieve Open Source Compliance.

  • Goals:
    Understand the challenges of achieving and maintaining compliance across large organisations and how TrustSource may help
  • Contents:
    understand the OpenChain Specification and OC Self certification procedu- re, Challenges of OS Compliance in large organisations, Goals of Governance, OS Governance Board and OS Governor, OS Policy ingredients, Policy distribution, TrustSource support for OS policy distribution, Inbound governance, Outbound Go- vernance, Committer Governance, Working contracts and OS Governance / work time vs sparetime, International law and work contracts in the context of OS gover- nance, managing OS and external workforces , Summary & test

Target group: compliance managers, CISOs, business unit respsonsibles


Module 8 - Recent Developments

Module 8 - Recent Developments

Open Source is on the move – tools, legal requirements and business models are constantly changing. This module gives an overview of the current developments of the last 12 months

  • Current case law and new legal requirements
  • New and updated licensing conditions
  • Overview of new tools, features and functions
  • Duration: approx. 60 minutes

Target group: developers, project managers, product owners, compliance managers, architects


June 19th, Compliance Breakfast @ Frankfurt a.M.

To achieve a fast Go-to-market for innovative products and services, the application of software, especially open source software is essential.

But, open source software is no free lunch!

What obligations are related to the use of open source software, what triggers the different obligations and what is resulting therefrom? What are athe risks and how to manage them? All this will be part of this informational event. You will receive an overview of the current legal situation as well as practical experiences of the introduction of Open Source Governnace.

0830-0900 Welcome coffee & tea

0900-0915 Introduction of speakers

0915-0945 Current legal situation and challenges (Heinzke)

0945-1000 Questions and discussion

1000-1045 Lessons learned from introducing Open Source Governance in a conglomerate (Thielscher)

1045-1100 Questions and discussion

Tickets can be booked here. To ensure a sound experience, the event is limited to 25 participants. Please note, the event will be in German.