Software composition and dependency management

How OSPOs can help secure the software supply chain

D.dependency
Ana Jimenez Santamaria
<p>Legal Risk Mitigation is one of the three main functions of an <a href="https://github.com/todogroup/ospodefinition.org">OSPO</a> (designated places where open source is supported, nurtured, shared, explained, and grown inside an organization). OSPOs often oversee aspects of a company’s open source license compliance process and supply chain as one of the first activities. The responsibilities include:</p> <ul> <li>Maintaining open source license compliance reviews and oversight</li> <li>Running a review process for inbound code use</li> <li>Ensuring that the company contributes back to open source projects effectively</li> </ul> <p>To a certain degree, any organization calling itself an OSPO likely indicates the organization has reached a maturity stage where Executive-level recognition that OSS is an important strategic asset and builds a critical mass of processes, procedures, and tools to streamline and facilitate open source consumption and participation across divisions. Indeed, these activities also include a wide range of software composition analysis solutions such as Software Bill of Materials (SBOM), license management scanning, or continuous monitoring tools.</p> <p>While some OSPOs rely on Software composition analysis vendors like Synopsys and Tidelift, others decide to make their own built-in solutions. During this presentation, Ana Jimenez, PM at <a href="https://todogroup.org/members/">TODO group</a> (an open community of organizations who run OSPOs worldwide), will introduce the evolution and expansion of OSPOs over the years from a supply chain perspective, some of the common SCA tooling used, as well as how OSPOs can contribute and nurture the <a href="https://landscape.todogroup.org/card-mode?category=sca&amp;grouping=category">ecosystem of SCA tools</a> to adapt to the needs of the different industries.</p>

Additional information

Type devroom

More sessions

2/6/22
Software composition and dependency management
D.dependency
<p>The devroom intro by devroom organization team!</p>
2/6/22
Software composition and dependency management
Philippe Ombredanne
D.dependency
<p>Package URLs are a compact way to identify software packages across multiple ecosystems. Together with the new "vers" Version Range Specifier, these two mini specs will offer a new way to create new, mostly universal dependency resolvers and installers, working across ecosystems.</p>
2/6/22
Software composition and dependency management
Pierre Marty
D.dependency
<p>This talk aims at presenting our trials and tribulations as well as our achievements in designing a compliance software project for open source licenses.</p> <p><em>"Are all module licenses in our software project compliant with each other ?"</em> Many of our customers have asked us this question even though they already had a plethora of software solutions (not always FOSS software) dealing with this topic. This surprised us, and led us to seek out the cause of their uncertainty. We then ...
2/6/22
Software composition and dependency management
Kouki Hama
D.dependency
<p>The management of SBoM (software bill of material) is very important for companies to comply with the OpenChain specification.The latest features of SW360 support the management of license obligations and the management of SBOMs in SPDX format. In this presentation, I will introduce and demonstrate the features of SW360.</p>
2/6/22
Software composition and dependency management
Maximilian Huber
D.dependency
<p>Granted that software composition and dependency processing are very relevant for software engineering. The presentations have pointed out how such processing is embedded into activities of an organization. We would like to gather feedback about how the current status of adoption and integration looks like.</p>
2/6/22
Software composition and dependency management
D.dependency
<p>break</p>
2/6/22
Software composition and dependency management
Marta Rybczynska
D.dependency
<p>A Linux distribution is a great playing field for testing tools for vulnerability scanning. It is even a better playing field if it includes more operating system kernels, like the Eclipse Oniro project does. Eclipse Oniro targets the Internet of Things (IOT) domain, where fixing security issues is critical.</p> <p>In this talk, Marta is going to present a return on experience of scanning for known vulerabilities (CVEs) in the Eclipse Oniro project. The presentation is going to start with an ...