TrustSource @ LSEC on SBOMs

Let’s meet at the IIOT SBOM Nov. 10th!

Thank you @LSEC – Leaders In Security for inviting us to talk about #SBOM #DevSecOps and the upcoming challenges from the security point of view. In his talk “Getting the SBOM right, and then?”, @Jan will address the challenges around generating SBOMs and how to tackle them on the automation side. The talk will also address thoughts on the life cycle perspective: what comes after the SBOM’s creation. It will also report on the work the #LinuxFoundation #OpenChain Automation work group is performing, and extend an invitation to a new sort of SBOM user group, outlining best practices for defining SBOMs.
Looking forward to having great conversations and learning even more about the challenges you are facing while creating SBOMs in the IIOT world.

C U there!

Gleaning

(22.11.22) Thank you very much for the kind hosting, and thanks to all other speakers and participants at the IIOT SBOM for the great exchange. It has been great to learn about your demands and thoughts. Looking forward to talking to you further. All speeches have been recorded and are available at the IIOT SBOM website. We have linked Jan’s talk here.

It is split into two sections due to coordination with some speakers from different time zones. The first part addresses the SBOM and its contents: what should go in, what is a suitable format and what are the benefits of producing SBOMs (besides compliance with regulatory requirements). The second part addresses SBOM creation automation, transfers a few experiences from the legal SBOM design and spins a few thoughts on what you may do with SBOMs whilst they are around.


TrustSource and SCANOSS will work closer in supporting Open Source Compliance

In the run-up to the Open Source Summit Europe 2022, SCANOSS – provider of probably the largest database for open source information – and TrustSource – the automation solution for processes in the area of open chain security and compliance – have agreed to cooperate more closely in the future.

The OpenChain Tooling Workgroup has been developing the Open Source Compliance Capability Model over the last months. This model describes the different competences and skills required for a comprehensive handling of open source compliance. “SCANOSS has standardised >snippet scanning< with the first Open Source solution, which has been broadly adopted by Open Source communities like, e.g. OSS Review Toolkit”, reports Jan Thielscher, who is currently coordinating the workgroup. “This is exactly the area we (TrustSource) have been avoiding so far due to its complexity. Working closer with SCANOSS, we will be able to offer our customers access to their incredible information base. This helps to close the last white spot on our capability map by adding the snippet and export restrictions aspect.”

Currently, it is already possible to import scan results generated using the SCANOSS Workbench or SCANOSS CLI into TrustSource and thus follow up the findings in the compliance process managed by TrustSource. SCANOSS users are thus given the opportunity to not only have results available in the form of an audit result, but to integrate them into the regular context of company-wide compliance management. TrustSource users will initially benefit from the ability to use the additional insights provided by SCANOSS. In the near future, the extended insights that SCANOSS can provide, such as export controls, will also be available within TrustSource to manage or monitor compliance.

“That will round things off,” says Jan Thielscher. “Of course, insufficient metadata, undeclared licences or unclear commit situations continue to pose challenges for OSPOs, but the majority of the tasks can already be automated thanks to the high level of integration and the many reports that are available due to the high level of integration. And that’s where the immense efficiency gain can be realised!”

Meet us at the Open Source Summit in Dublin @ B.19

Learn more about the Open Chain Tooling Workgroup Capability Model, TrustSource and how much process automation is already available in the area of open source compliance.


Free Open Source Compliance Training

For years, the same questions have arisen again and again in the context of open source:

  • Am I allowed to use open source in applications used for business purposes?
  • What are the consequences of using open source?
  • Is the GPL a “toxic” license?
  • What do the American licenses mean for us in Europe?

The irritation hits developers in particular, who are confronted with the use or deployment of open source in the front line. Now, computer scientists are rarely also lawyers, and even if law and computer science are similar in many aspects, it is not trivial to interpret a license without prior legal knowledge.
To help overcome this gap, we have provided a basic Open Source Compliance – Training. The training introduces the topic, briefly describes the background and gives insight into the essential aspects of licenses. More than 4 hours of video material, presentations and quizzes have been incorporated into the freely available, self-paced online training course.

In the course the participant gets an overview of:

  • The motivation and background of open source compliance,
  • The challenges that make open source compliance more than just making a list,
  • Solution concepts that help to anchor standard-compliant open source compliance in an organization.

The presentations, held in English, are divided into small, short bites, so that they can be easily consumed in between online meetings or in short doses at the beginning of each day.
Direct access can be found here on the Trainings page.


Why does a license matter?

“If someone is publishing his stuff on Github he must accept that it will be used by others!”

Unfortunately, we still hear this critical misunderstanding often when we find open source components buried somewhere in source code, without any further declaration of course. Let’s spend a few words to discuss this in more detail.

In our western world, the protection of intellectual property is highly valued. The belief that an inventor shall profit from his achievements has been accepted as the driving force behind our wealth and developed status. That is why it has been protected by intellectual property laws. This insight is already some years old and has meanwhile been established and harmonized internationally through the Berne Convention.

The governing thought has been that an inventor or creator of a work will always own all rights of usage, modification and all kinds of distribution. This is always valid for a certain period of time after the work has been created. The period depends on the work.

An inventor or creator may transfer his rights to others. The typical form of this transfer is a license.

Without a license, all rights remain with the creator for his protection!

If no license exists, all rights will be assumed as not transferred, for the protection of the creator. Therefore, each user of a component without a license is walking on thin ice. In general, nothing might happen immediately. But who knows what will be in the future? Success might breed jealousy, and motivations might change over time. Happy times for all those who own a license they may rely on!

But it is not only that some contributors of open source software might get nasty. There is another relevant aspect of licenses: they also clarify the terms under which the right to use is transferred. This will protect you from usage without right.

In our hemisphere, the usage of protected works without right is considered a criminal act. This might not only cause immense financial damage due to recalls or branding impacts; it might also trigger a criminal investigation. In some countries this does not even require a plaintiff. This role will be taken by the prosecutor, automatically triggered by suitable evidence, irrespective of the source (competition, former employee, original inventor).

To prevent all kinds of damage, it is highly recommended to ensure the availability of and conformity with a license!

To prevent damage, it is highly recommended to avoid using components without a license. But to achieve this, it is essential to know what has been used to build the software and what the resulting obligations are.

TrustSource has been developed to automate this task. By applying the automated scanning, you may detect early which components are used and which licenses – or even no licenses – are related.

Our architects may help you to manage critical cases or identify alternative solutions. Do not wait, start creating transparency right now!