OpenChain is a scalable, flexible compliance programme, developed by the Linux Foundation. Based on well-understood compliance programmes such as ISO 27001, it maps existing supply-chain procurement and production practices from other sectors into software development. It provides a great foundation for businesses of all sizes to adopt appropriate practices and procedures in place to control development and supply chain risks, with particular emphasis on open source licence compliance. Already adopted by companies like Qualcomm, Siemens, Toyota and ARM, it’s rapidly becoming a procurement standard for open source and open-source-derived software. The speaker, Andrew Katz, has helped companies of all sizes to adopt open chain procurement practices, and presents case studies on the process and benefits.

1. Introducing OpenChain
A tested framework for open source
compliance.
Andrew Katz
www.moorcro0s.com

2. Finance Sector
Risk Management

3. Finance Sector
MIFID II

4. Finance Sector
MIFID II - Outsourcing

5. Finance Sector
MIFID II - Outsourcing

6. MIFID II
Outsourcing
“….avoid undue addiConal operaConal risk”
Art 16(5)

7. Managing Risk
• Passing to provider (contractually)
• Passing the risk to a third party (insurance)
• IdenCfying, minimising and managing risk

8. Managing Risk
• Passing to provider (contractually)
• Passing the risk to a third party (insurance)
• IdenCfying, minimising and managing risk (process)

9. SoNware-related risks
• FuncConality
• Security
• Licensing/IP

10. SoNware-related risks
• FuncConality
• Security
• Licensing/IP

11. SoNware-related risks
• FuncConality
• Security
• Licensing/IP

12. FuncConality
• Trusted source
• Quality assurance

13. Security
• Trusted source
• Quality assurance
• Pen-tesCng / fuzzing
• Linux FoundaCon Core Infrastructure IniCaCve
• SAFECode
• Tooling (BlackDuck, Flexera)

14. Licensing/IP
• Trusted source
• Licence compaCbility
• Tooling (BlackDuck, Flexera, Quartermaster…)

15. What if it all goes wrong?

16. Damages
InjuncCon
Outsourced provision ceases

17. Damages
InjuncCon
Outsourced provision ceases

18. Damages
InjuncCon
Outsourced provision ceases

19. CONTEXT

20. Modern
SoNware
Development

21. Assembling components

22. Code Club (Sandwich)
Choose a Framework

23. Choose a Framework
Write Custom Code
Code Club (Sandwich)

24. Choose a Framework
Write Custom Code
Use Open Source
Libraries to Solve Problems
Code Club (Sandwich)

25. Choose a Framework
Write Custom Code
Use Open Source
Libraries to Solve Problems
Open Source Code =~ 90%
Open Source Code (~ 70%)
Custom Code (~ 10%)
Open Source Code (~ 20%)
Code Club (Sandwich)
Thanks and acknowledgement to James Zemlin, The Linux Founda9on

26. Many different sources:
Sourceforge
GitHub
Maven Central Repository

27. Every component is
subject to copyright*

28. Every copyright work
can only be used if
correctly licensed*

29. => every component
must be properly
licensed

30. What happens if
components are not
correctly licensed?

31. Linksys WRT54G

33. Scenarios:
- Infringement claim
- Due diligence on IPO/funding acquisiCon
- Customer due diligence - e.g. MIFID
- Whole codebase inadvertently open
sourced
- Forced release of source code*

34. How do you demonstrate
compliance?

35. Code analysis
Licence analysis

36. A truism about due
diligence: it’s not so
much about the
informaCon, as the
process.

37. A truism about due
diligence: it’s not so
much about the
informaCon, as the
process.

38. CharacterisCcs of an
open source
compliance
programme:

39. 1. Verify that the
company is compliance
with licences
2. Put in place good
pracCces and
procedures

40. - open source policy
- training for relevant staff
- licence review policy
- responsibiliCes are idenCfied, roles empowered and funded
- bill of materials for products are generated
- open source programme handles common licence issues
- appropriate compliance materials are provided with the soNware
- there is a contribuCon policy for external projects

44. What is OpenChain?

45. The OpenChain
project addresses the
quesCon…

46. How do I trust FOSS
compliance in the
supply chain?

47. It’s:
a standard to describe
what organisaCons could
and should do to address
FOSS compliance
efficiently;

48. It:
idenCfies key
recommended processes
and record keeping
requirements for effecCve
FOSS management;

49. It:
builds trust and increases
efficiency, by having FOSS
processes and record
keeping consistent across
the supply chain

50. It consists of 3
components:
1.
2.
3.

51. It consists of 3
components:
1. SpecificaCon
2.
3.

52. It consists of 3
components:
1. SpecificaCon
2. Curriculum
3.

53. It consists of 3
components:
1. SpecificaCon
2. Curriculum
3. Conformance

54. SpecificaCon
…defines a core set of
requirements that
every compliance
program must sa9sfy.

55. SpecificaCon
…defines a core set of
requirements that
every compliance
program must sa9sfy.

56. Curriculum
…provides the
educa9onal founda9on
for FOSS solu9ons and
processes

57. Curriculum
…provides the
educa9onal founda9on
for FOSS solu9ons and
processes

58. Conformance
…the way an organisa9on
can demonstrate its
conformance with the
specifica9on

59. Conformance
…the way an organisa9on
can demonstrate its
conformance with the
specifica9on

60. Find out more at:
openchainproject.org/spec
openchainproject.org/curriculum
openchainproject.org/conformance

61. The aim:
to build trust, by crea9ng a
web of organisa9ons which
are conformant with the
OpenChain specifica9on

62. “There is nothing in the
OpenChain specifica9on
which well-run FOSS-
developing companies are
not likely to be doing
already.”

63. What does
conformance
require?

64. You need a FOSS
policy, and you need
to show that relevant
staff know about it
and have access to it.

65. Relevant staff need training in
- your FOSS policy,
- basic licensing law, concepts
and principles,
- internal roles and
responsibiliCes

66. You must have a process to…
- establish the appropriate
licence for each component used
- determine the restricCons and
obligaCons applicable to each
licence

67. You must have appointed someone
with responsibility for
- FOSS liaison (external)
- FOSS compliance (internal)
…and the roles must be sufficiently
senior, and properly resourced.

68. You must have a process to…
- create and establish a bill of
materials for relevant soNware;
and
- ensure that the licences etc. for
each item are correctly assigned

69. Your licence management
processes must idenCfy and
deal appropriately with
common FOSS use cases (e.g.
copyleN, modified code,
licence incompaCbility)

70. You must have prepared the
appropriate materials
accompanying a distribuCon of the
soNware to ensure compliance with
the licences, such as source code,
offer noCces, asribuCons,
NOTICE.TXT, licence text

71. You must have a policy
covering contribuCons
by the organisaCon to
FOSS projects.

72. You must cerCfy that
you comply with the
specificaCon’s
requirements.

73. You can self-cerCfy, but
as the OpenChain project
evolves, we expect
organisaCons to seek
external, independent
verificaCon.

74. Roadmap….
- members will encourage/prefer/
require compliance from suppliers
- eases supplier due diligence
- standardises availability of
compliance documents
- warranty of compliance
- virtuous circle

75. CASE STUDIES

76. SoNware company selling cloud services to pension providers
Their regulated clients require DD on the code as part of their
own risk management.
They are now able to provide those clients with the materials
required by OpenChain cerCficaCon
20 developers, c100 different packages.

77. SoNware company providing sector-specific SaaS soNware to a verCcal
market
2000 components in code
200 developers
Introducing Black Duck to handle compliance
Internally generated need, but starCng to get quesCons from customers.
Ongoing

78. B2M SoluCons
Providing management soNware and services to help
companies manage their estate of mobile devices
Customers include big UK companies, and resellers include
Japanese mobile device providers (already OpenChain
members)
Manual compliance: <100 components, around 15
developers.

79. SUMMARY

80. Open source is widespread
Infringement risk is an important consideraCon in
compliance, procurement and M&A
Risk can be assessed by analysing code and
licensing
Risk can be managed by implemenCng a sensible
open source inclusion and use policy - such as
OpenChain
AdopCng OpenChain conformance will increase
efficiency in the supply chain.

81. OpenChain provides the framework for compliance:
other projects address specific pracCcal compliance
issues:
SPDX - licence taxonomy
SW360 - licence compliance project and catalogue
management
FOSSology - licence and asribuCon text scanning and
management
Quartermaster - dynamic tooling for licence
compliance

82. moorcrofts.com
orcro.co.uk
www.openchainproject.org