Software Bill of Materials

TrustSource helps you to solve the Open Source Security, Compliance and SBOM challenges

See how simple compliance can be using TrustSource


Software Composition Analysis

For maximum effect, scan your software at build time and resolve all contained open source components. To this end, TrustSource provides a range of free and open source scanners and can also interact with most third-party open source scanning tools.

Enrich the SBOM

Fully automated, the platform compares the scanned SBOM information with existing knowledge about over 200 million components, existing clearing information and Known Vulnerabilities. At the click of a button, TrustSource assesses components and their dependencies at file level to determine effective licenses, copyright holders and the encryption algorithms used.


Assess legal

Based on all this gathered information and your project / solution requirements, the legal solver automatically assesses all identified licenses to derive legal rights and obligations and to identify potential violations. Hints on how to resolve them are provided as well.


Resolve Obligations and Fixes

Integrations with GitHub Issues, Jira or Azure DevOps allow for simple follow-up of to-dos, so that you can easily track the progress of changes, upgrades or further information collection. Decisions on risk acceptance or between alternatives can be recorded for later assessments and accountability.

Approve and Release

Once everything looks fine and all signals are green, you may launch the solution. The state of all decisions is frozen for later assessments, and approvals are recorded as well. Not only the go itself but also the conditions under which the decision was made become part of the record. There is no simpler way to transparency.


Generate Documentation

Finally, document what you have done. TrustSource can auto-generate the required legal documentation such as Notice Files or SOUP lists. A ToDo-Navigator helps you to complete the documentation where necessary. Documentation can be downloaded or shared online, and QR codes even allow referencing the documentation from devices without a monitor.

There is much more to it: portfolio overview (see the state of your portfolio and drill down to issues), lifetime vulnerability alerts, export controls support…

Which Capabilities should a State of the Art Open Source Security and Compliance solution cover?

The prerequisite to all other steps is knowing what you are dealing with. Software Composition Analysis (SCA) assesses the software of concern. This should comprise self-developed code, included open source, Docker files and third-party components, e.g. binaries.

Whatever you find, you will have to note it down. Two standards for exchanging such information have emerged: Software Package Data Exchange (SPDX), an ISO standard developed by a working group of the Linux Foundation, and CycloneDX, an OWASP-led initiative with a more lightweight approach to describing software metadata.

Your solution should be able to import / read and visualise such files as well as export your curated data accordingly.

It is absolutely essential to determine the rights and obligations associated with the licenses listed in the SBOM. This must happen not only on a general basis but in the individual usage context: with a different business model or changed IP requirements, the same solution may carry different obligations. This should be identified and resolved by the legal engine powering the solution.

For all open source in use it should be possible to match Known Vulnerabilities, whether the software is still in development or already in the field. Especially for older versions it becomes a challenge to manage and maintain different versions across the lifecycle. TrustSource supports these efforts and helps you to manage not only vulnerability alerts for older SBOMs but also VEX and CSAF documents.
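The import, vulnerability matching and VEX steps described above, as an added example that is not TrustSource code: it reads a constructed CycloneDX 1.4 SBOM, matches its components against a constructed advisory list by package URL and affected version range, and emits the findings as a CycloneDX VEX `vulnerabilities` array with the analysis state `in_triage`. The SBOM, the advisory IDs and the version-range layout are assumptions made for the example.

```python
import json
import re

# Constructed CycloneDX 1.4 SBOM, not an export from a real project.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-lib", "version": "1.2.3",
     "bom-ref": "pkg:npm/example-lib@1.2.3", "purl": "pkg:npm/example-lib@1.2.3"},
    {"type": "library", "name": "other-lib", "version": "4.0.1",
     "bom-ref": "pkg:npm/other-lib@4.0.1", "purl": "pkg:npm/other-lib@4.0.1"}
  ]
}"""

# Constructed advisory feed: affected range is [introduced, fixed). IDs are placeholders.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "purl_prefix": "pkg:npm/example-lib",
     "introduced": "1.0.0", "fixed": "1.2.4"},
    {"id": "EXAMPLE-2024-0002", "purl_prefix": "pkg:npm/other-lib",
     "introduced": "4.1.0", "fixed": "4.2.0"},
]

def parse_version(v):
    # Simplified: numeric major.minor.patch only, pre-release tags are ignored.
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])

def load_components(sbom_json):
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom.get("components", [])

def affected(component, adv):
    # Compare the package part of the purl (before '@') and the version range.
    if component.get("purl", "").split("@")[0] != adv["purl_prefix"]:
        return False
    v = parse_version(component["version"])
    return parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"])

def match_vulnerabilities(sbom_json, advisories):
    hits = []
    for comp in load_components(sbom_json):
        for adv in advisories:
            if affected(comp, adv):
                hits.append({"id": adv["id"], "affects": [{"ref": comp["bom-ref"]}],
                             "recommendation": f"upgrade to {adv['fixed']}"})
    return hits

def to_vex(hits, state="in_triage"):
    # CycloneDX VEX: vulnerabilities carry an analysis block with a state such as in_triage.
    return {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "vulnerabilities": [dict(h, analysis={"state": state}) for h in hits]}
```

Once a finding has been reviewed, the same record can be re-emitted with a state such as `not_affected` or `resolved`, which is how the decision travels with the SBOM.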

To ensure proper processing in corporates organised by division of work, automating approval processes with workflow support is a prerequisite. On the one hand, the pressure to deliver and the demand for precision are competing interests that a single person can never resolve. On the other hand, the competence to develop and the competence to judge the legal or security status are two different animals. Approval flows and distribution of responsibilities should be supported to ensure the long-term success of your solution.

To secure the work and create accountability, an overarching user and role management is key. Neither should everybody in the organisation see everything, nor should everyone be able to grant approvals. Approvals that are granted should be traceable. Without personal accountability your compliance approach will flop.

Finally, the goal is to create a sound Notice File. Its creation should be supported and, as far as possible, automated to save your developers' time. Checklists on what needs to be done to finalise a Notice File should be supported to ensure proper delivery. In addition, good version management and publication support, even for systems without a UI, should not be missing.

Today's environments are highly integrated. Thus, it is a key feature to provide as much of the functionality as possible through an API, so that the scanning and approval process can be integrated with the other tools and solutions of your DevOps cycle. Sound and secure API management is essential to protect your software supply chain from bad actors tampering with it.

The TrustSource platform provides all these capabilities with no setup effort

Learn more about the platform and the concepts behind it from this OpenChain Partner speech…

Analyse Composition

Assess repositories, dependencies or docker files to understand the composition of your software and derive an SBOM.

Process Tasks

Push tasks and to-fix-requests directly into your team's workflows, record decisions and circumstances for audit.

Assess Legal

Assess identified software for metadata and facts, and derive legal consequences, trade secret and other IP implications.

Approve Releases

Approve based on sound reports and current analysis. Feel assured having taken into consideration every aspect.

Protect

Get alerts about Known Vulnerabilities or actively applied exploits (CISA), see current status across your complete portfolio.

Generate Documentation

Auto-generate documentation, whether SOUP list, list of crypto algorithms or Notice File, and get full support and automation in finalising your paperwork.

Want to learn more about how to set up an OSPO or your Open Source Compliance Programme?


It is simpler than you think. Follow our 5 step guide and become compliant within only a few days. Why wait?


Frequently asked questions

TrustSource provides all tools and services as open source for your own setup. An integrated and fully managed version is available under a subscription-based model. In addition, you may choose to outsource your Open Source Programme Office, which comes at an additional charge. Contact our sales team for an indication.

By subscribing to the managed service you also get access to support and all sorts of updates. Here we offer different options: a teams, a corporate and an enterprise solution. The teams solution is available for free to open source projects. All types offer the core functionalities required for modern open source compliance. The corporate and enterprise versions add services for managing SBOMs at scale, managing user access via Active Directory and additional portfolio management capabilities.

Besides this, there is a usage-based component. TrustSource is designed for automation and thus provides an extensive API. Each subscription type includes a certain number of transactions per month. Additional transaction packages can be purchased on demand. Pricing depends on the subscription type.

Most of the tools and solutions that make up the TrustSource suite are available to the public as open source, so you may work with them and host them yourself. The key benefits of a subscription are the integration provided by the management solution and the managed hosting. Managing compliance at scale requires a certain degree of coordination and transparency. TrustSource provides all this in a one-stop solution: you subscribe and start using it. No installation, no setup, just apply.

In addition, you get access to an experienced support team, which can help you to resolve potentially blocking issues or complex topics. We also provide online training courses, which can be used to educate your developer teams and increase awareness of the topic throughout your organisation. There is even the option to integrate your own training videos to train your individual policies. Just reach out to arrange a call.

Sure! Just register and start right away: the first 4 weeks are always counted as a trial and are free of charge. You may also contact our sales team and let them set up a trial period for you. Depending on your goals and organisation size, our sales team will help you to identify the correct steps or a suitable testing approach. Especially due to the different roles required to run the workflow tests, a test setup might not be trivial. Thus, we recommend identifying the best approach together.

There is not much risk involved in using TrustSource. No code is ever transferred to TrustSource. Our scanners are all open source, so you can see what they do and what they transfer. The TrustSource service protects your data with MFA-secured access, encryption at rest, continuous monitoring of the application and secured APIs. For an in-depth view, have a look at our Shared Security Responsibility Model (SSRM), where we outline the distribution of responsibility as well as our security measures.