Giving Everyone Access To Open Source Best Prac8ces

Similar documents
FOSS Training Reference Slides for the OpenChain Specification 1.1

CURRICULUM. FOSS Training Reference Deck, Version 2 FINAL DRAFT Designed for the OpenChain Specification 1.0

CURRICULUM. Core FOSS Compliance Version 1 Designed for Version 1 of the OpenChain Specification

This slide is relevant to providing either a single three hour training session or explaining how a series of shorter sessions focused on per chapter

Conformance Handbook for OpenChain Specification 1.1

OpenChain Conformance 2016-H1 Specification

OpenChain Specification Version 1.3 (DRAFT)

OpenChain Conformance 2016-H1 Conformance Check

OpenChain Specification Version 1.2 pc6 (DRAFT) [With Edit Markups Turned Off]

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Information Security Policy

Seven Requirements for Successfully Implementing Information Security Policies and Standards

EXAM PREPARATION GUIDE

Apex Information Security Policy

EXAM PREPARATION GUIDE

ISO27001:2013 The New Standard Revised Edition

Evolving Compliance Needs in Acquisitions Case Study

Approved 10/15/2015. IDEF Baseline Functional Requirements v1.0

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE

Overview. Business value

Legal notice and Privacy policy

Choosing the Right Solution for Strategic Deployment of Encryption

SolarWinds Trademark and Copyright Guidelines

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE

Best Practices for PCI DSS Version 3.2 Network Security Compliance

The GDPR toolkit. How to guide for Executive Committees. Version March 2018

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE

Convergence of BCM and Information Security at Direct Energy

INFORMATION SECURITY AND RISK POLICY

5. The technology risk evaluation need only be updated when significant changes or upgrades to systems are implemented.

SECURITY & PRIVACY DOCUMENTATION

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE

April 17, Ronald Layne Manager, Data Quality and Data Governance

GDPR compliance: some basics & practical to do list

THE TRUSTED NETWORK POWERING GLOBAL SUPPLY CHAINS AND THEIR COMMUNITIES APPROVED EDUCATION PROVIDER INFORMATION PACK

HIPAA Compliance Checklist

Security Policies and Procedures Principles and Practices

01.0 Policy Responsibilities and Oversight

Bring Your Own Device. Peter Silva Technical Marketing Manager

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

National Wood Products, Inc. FSC Chain of Custody NWP CENTRAL OFFICE Standard Operating Procedure REVIEW DATE: August 17, 2013

How to Secure Your Cloud with...a Cloud?

SUSE Manager Roadmap OS Lifecycle Management from the Datacenter to the Cloud

MEDIA KIT. technology. transfer. Market Your Products and Services to 94,000 Technology Transfer, IP, Licensing and Research Professionals.

A Practical Guide to Efficient Security Response

Policy for Manufacturers to Maintain Compliance Within the Material Health Certificate Scheme. Version 1.1. January 2015

Education Network Security

Website ADA Compliance Made Easy: How to Respond to Legal Demand Letters or Avoid Them, Altogether.

Data Security and Privacy Principles IBM Cloud Services

Information Security Incident Response Plan

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13

FIVE BEST PRACTICES FOR ENSURING A SUCCESSFUL SQL SERVER MIGRATION

Technical Trust Policy

WiMAX Forum Trademark Policy and Trademark Usage Guidelines Part 1 WiMAX. Adopted March 27, 2007; Amended September 6, 2007

NSF Data Management Plan Template Duke University Libraries Data and GIS Services

Policy for Certification of Private Label Products Within the Cradle to Cradle Certified Certification Scheme. Version 1.0.

The Common Controls Framework BY ADOBE

Understanding my data and getting value from it

MasterCard NFC Mobile Device Approval Guide v July 2015

Terms, Methodology, Preparation, Obstacles, and Pitfalls. Vulnerability Assessment Course

Acceptable Use Policy

Managing Your Record Retention Policy Safely

Checklist According to ISO IEC 17065:2012 for bodies certifying products, process and services

This procedure sets out the usage of mobile CCTV units within Arhag.

CERTIFICATE POLICY CIGNA PKI Certificates

EXAM PREPARATION GUIDE

Workday s Robust Privacy Program

OCTOSHAPE SDK AND CLIENT LICENSE AGREEMENT (SCLA)

Automating the Top 20 CIS Critical Security Controls

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT

CERTIFICATION BODY (CB) APPROVAL REQUIREMENTS FOR THE IFFO RESPONSIBLE SUPPLY (IFFO RS) AUDITS AND CERTIFICATION

EXAM PREPARATION GUIDE

Standard: Risk Assessment Program

Technical Vulnerability and Patch Management Policy Document Number: OIL-IS-POL-TVPM

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Acceptable Use Policy

Effective security is a team effort involving the participation and support of everyone who handles Company information and information systems.

Scientific Working Group on Digital Evidence

CERTIFICATE SCHEME THE MATERIAL HEALTH CERTIFICATE PROGRAM. Version 1.1. April 2015

Symantec Data Center Migration Service

Accessibility of Web

Public vs private cloud for regulated entities

ARCHIVE ESSENTIALS

ISO/IEC INTERNATIONAL STANDARD. Information technology Software asset management Part 1: Processes and tiered assessment of conformance

HPE DATA PRIVACY AND SECURITY

Consumer Protection & System Security Update. Bill Jenkins and Cammie Blais

Checklist: Credit Union Information Security and Privacy Policies

Take control of your e-discovery process. Increase efficiency, reduce risk and keep costs in line with an integrated solution.

Advent IM Ltd ISO/IEC 27001:2013 vs

SAP Security Remediation: Three Steps for Success Using SAP GRC

Continuously Discover and Eliminate Security Risk in Production Apps

EXAM PREPARATION GUIDE

Progress and challenges with the establishment of MRV system in African Countries

IBM Security technology and services for GDPR programs GIULIA CALIARI SECURITY ARCHITECT

Data protection. 3 April 2018

Transcription:

Giving Everyone Access To Open Source Best Prac8ces OpenChain Project - The Linux Founda8on Available under the CC ACribu8on-NoDeriva8ves 4.0 Interna8onal license.

The value of open source is efficiency: 1. Efficient code crea8on 2. Efficient code support 3. Efficient code evolu8on 2

Open source license compliance is an opportunity for efficiency. 3

Open source license compliance reduces: 1. Legal and reputa8on risk 2. Costs of custom process management 3. Costs related to compliance viola8ons 4

Many companies do a great job of reducing this inefficiency internally. 5

However, most companies rely on a supply chain. 6

We can significantly improve efficiency around open source license compliance in the supply chain. 7

OpenChain Project addresses the ques8on of how do I trust open source compliance in my supply chain? 8

More Trust = More Collabora8on = More Efficiency. 9

There are three parts to OpenChain Project: 1. Specifica8on 2. Conformance 3. Curriculum 10

The OpenChain Specifica8on defines a core set of requirements every quality compliance program must sa8sfy. Learn more here: hcps://www.openchainproject.org/spec 11

OpenChain Conformance allows organiza8ons to display their adherence to these requirements. Learn more here: hcps://www.openchainproject.org/conformance 12

The OpenChain Curriculum provides the educa8onal founda8on for open source processes and solu8ons. Learn more here: hcps://www.openchainproject.org/curriculum 13

Digging Deeper 14

The core of the OpenChain Curriculum is a reference deck to help people meet the requirements of the OpenChain Specifica8on. 15

The deck can also be used for general training. 16

The deck is not intended to cover everything. 17

It is intended to be a useful star8ng point. 18

Contents 1. What is Intellectual Property? 2. Introduction to FOSS Licenses 3. Introduction to FOSS Compliance 4. Key Software Concepts for FOSS Review 5. Running a FOSS Review 6. End to End Compliance Management (Example Process) 7. Avoiding Compliance Pitfalls 8. Developer Guidelines

What is Intellectual Property? Copyright: protects original works of authorship Protects expression (not the underlying idea) It covers software, books, and similar works Patents: useful inventions that are novel and non-obvious Limited monopoly to incentivize innovation Trade secrets: protects valuable confidential information Trademarks: protects marks (word, logos, slogans, color, etc.) that identify the source of the product Consumer and brand protection; avoid consumer confusion and brand dilution This chapter will focus on copyright and patents, the areas most relevant to FOSS compliance.

Check Your Understanding What type of material does copyright law protect? What copyright rights are most important for software? Can software be subject to a patent? What rights does a patent give to the patent owner? If you independently develop your own software, is it possible that you might need a copyright license from a third party for that software? A patent license?

CHAPTER 6 End to End Compliance Management (Example Processes)

Example Small to Medium Company Checklist Ongoing Compliance Tasks: 1. Discover all FOSS early in the procurement/development cycle 2. Review and Approve all FOSS components used 3. Verify the information necessary to satisfy FOSS obligations 4. Review and approve any outbound contributions to FOSS projects Support Requirements: 1. Ensure adequate compliance staffing and designate clear lines of responsibility 2. Adapt existing Business Processes to support the FOSS compliance program 3. Have training on the organization s FOSS policy available to everyone 4. Track progress of all FOSS compliance activities You can get detailed checklists for these items here: https://www.linuxfoundation.org/projects/opencompliance/self-assessment-compliance-checklist

Example Enterprise Process Review and approve compliance record of FOSS software components Compile notices for publication Post publication verifications Queued for Process Own Proprietary Software 3 rd Party Software FOSS Identification Audit Resolve Issues Reviews Approvals Registration Notices Verifications Distribution Verifications Outgoing Software Notices & Attributions Written Offer Identify FOSS components for review Scan or audit source code and Confirm origin and license of source code Resolve any audit issues in line with company FOSS policies Record approved software/version in inventory per product and per release Verify source code packages for distribution and Verify appropriate notices are provided Publish source code, notices and provide written offer Example of Compliance Management End-to-End Process

CHAPTER 7 Avoiding Compliance Pitfalls

Intellectual Property Pitfalls Type & Description Discovery Avoidance Unplanned inclusion of copyleft FOSS into proprietary or 3rd party code: This type of failure occurs during the development process when engineers add FOSS code into source code that is intended to be proprietary in conflict with the FOSS policy. This type of failure can be discovered by scanning or auditing the source code for possible matches with: FOSS source code Copyright notices Automated source code scanning tools may be used for this purpose This type of failure can be avoided by: Offering training to engineering staff about compliance issues, the different types of FOSS licenses and the implications of including FOSS in proprietary source code Conducting regular source code scans or audits for all the source code in the build environment.

Check Your Understanding What types of pitfalls can occur in FOSS compliance? Give an example of an intellectual property failure. Give an example of a license compliance failure. Give an example of a compliance process failure. What are the benefits of prioritizing compliance? What are the benefits of maintaining a good community relationship?

CHAPTER 8 Developer Guidelines

Developer Guidelines Select code from high quality, well supported FOSS communities Seek guidance Request formal approval for each FOSS component you are using Do not check un-reviewed code into any internal source tree Request formal approval for outside contributions to FOSS projects Preserve existing licensing information Do not remove or in any way disturb existing FOSS licensing copyrights or other licensing information from any FOSS components that you use. All copyright and licensing information is to remain intact in all FOSS components Do not re-name FOSS components unless you are required to under the FOSS license (e.g., required renaming of modified versions) Gather and retain FOSS project information required for your FOSS review process

Check Your Understanding Name some general guidelines developers can practice when working with FOSS. Should you remove or alter FOSS license header information? Name some important steps in a compliance process. How can a new version of a previously-reviewed FOSS component create new compliance issues? What risks should you address with in-bound software? Learn more through the free Compliance Basics for Developers hosted by the Linux Foundation at: https://training.linuxfoundation.org/linux-courses/open-source-compliance-courses/ compliance-basics-for-developers

We also have a GitHub repository with more material: hcps://github.com/openchain-project/curriculum 19

Everything is Crea8ve Commons 0 (public domain). 20

This means the knowledge can be used, shared, remixed and incorporated anywhere in any way. 21

We are always looking for dona8ons of material or 8me to improve our curriculum. 22

Let s Talk Shane Coughlan coughlan@linux.com +818040358083 www.openchainproject.org 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback