DIS-18974-Self-Certification-Questionnaire-Version-1.md
DIS 18974, OpenChain Security Assurance Specification Self-Certification Questionnaire

The Simple Way To Check Conformance

Revision 1
2022-10-15

Introduction

The OpenChain Security Assurance Specification is intended to identify and describe the key requirements of a quality Security Assurance Program in the context of using Open Source Software. It focuses on a narrow subset of primary concern: checking Open Source Software against publicly known security vulnerabilities like CVEs, GitHub/GitLab vulnerability reports, and so on.

You can adopt the OpenChain Security Assurance Specification by self-certification in your own time or working with a service provider for independent assessment or third-party certification. Our recommended path is self-certification and we provide this document to support this with a series of "yes" or "no" statements. If you can answer "yes" to everything, you are self-certified. If you answer "no" to some items, you know where to invest further time to build a quality program.

We have a lot of resources to support you if you need assistance. You can join our mailing lists, our webinars, our group calls and our regional work groups to discuss challenges with your peers and in your native language. You can get started here:

https://www.openchainproject.org/community

Finally, if you want direct support from the project you can email info@openchainproject.org with questions. We provide support for free. The OpenChain Project is funded by our Platinum Members and is designed to help support the global supply chain transition to more effective and efficient open source license compliance.

The Self-Certification Questionnaire

Section 3.1.1

Do you have a documented policy governing the open source security assurance of Supplied Software?

  • Yes
  • No

Do you have a documented procedure to communicate the existence of the open source policy to all Software Staff?

  • Yes
  • No

Section 3.1.2

Have you identified the roles and responsibilities that affect the performance and effectiveness of the Program?

  • Yes
  • No

Have you identified and documented the competencies required for each role?

  • Yes
  • No

Have you identified and documented a list of Program Participants and how they fill their respective roles?

  • Yes
  • No

Have you documented the assessed competence for each Program Participant?

  • Yes
  • No

Do you have a way to document periodic reviews and changes made to the processes?

  • Yes
  • No

Do you have a way to verify that the processes align with current company best practices and staff assignments?

  • Yes
  • No

Section 3.1.3

Have you documented the open source security assurance policy and made sure Program Participants are aware of where to find it?

  • Yes
  • No

Have you documented relevant open source objectives and made sure Program Participants are aware of where to find them?

  • Yes
  • No

Have you documented the contributions expected to ensure the effectiveness of the Program and made sure Program Participants are aware of them?

  • Yes
  • No

Have you documented the implications of failing to follow the Program requirements and made sure Program Participants are aware of them?

  • Yes
  • No

Section 3.1.4

Do you have a written statement clearly defining the scope and limits of the Program?

  • Yes
  • No

Do you have a set of metrics to measure Program performance?

  • Yes
  • No

Do you have Documented Evidence from each review, update, or audit to demonstrate continuous improvement?

  • Yes
  • No

Section 3.1.5

Do you have a method to identify structural and technical threats to the Supplied Software?

  • Yes
  • No

Do you have a method for detecting existence of Known Vulnerabilities in Supplied Software?

  • Yes
  • No

Do you have a method for following up on identified Known Vulnerabilities?

  • Yes
  • No

Do you have a method to communicate identified Known Vulnerabilities to customer base when warranted?

  • Yes
  • No

Do you have a method for analyzing Supplied Software for newly published Known Vulnerabilities post release of the Supplied Software?

  • Yes
  • No

Do you have a method ensuring that continuous and repeated Security Testing is applied to all Supplied Software before release?

  • Yes
  • No

Do you have a method to verify that identified risks have been addressed before release of the Supplied Software?

  • Yes
  • No

Do you have a method to export information about identified risks to third parties as appropriate?

  • Yes
  • No

Section 3.2.1

Do you have a method to allow third parties to make Known Vulnerability or Newly Discovered Vulnerability enquiries (e.g., via an email address or web portal that is monitored by Program Participants)?

  • Yes
  • No

Do you have an internal documented procedure for responding to third party Known Vulnerability or Newly Discovered Vulnerability inquiries?

  • Yes
  • No

Section 3.2.2

Have you documented the people, group or functions related to the Program?

  • Yes
  • No

Have you ensured the identified Program roles have been properly staffed and adequate funding has been provided?

  • Yes
  • No

Have you ensured that expertise is available to address identified Known Vulnerabilities?

  • Yes
  • No

Do you have a documented procedure that assigns internal responsibilities for Security Assurance?

  • Yes
  • No

Section 3.3.1

Do you have a documented procedure ensuring all Open Source Software used in the Supplied Software is continuously recorded across the lifecycle of the Supplied Software? This includes an archive of all Open Source Software used in the Supplied Software.

  • Yes
  • No

Do you have open source component records for the Supplied Software which demonstrate the documented procedure was properly followed?

  • Yes
  • No

Section 3.3.2

Do you have a documented procedure for handling detection and resolution of Known Vulnerabilities for the Open Source Software components of the Supplied Software?

  • Yes
  • No

Do you have open source component records for the Supplied Software which track identified Known Vulnerabilities and action(s) taken (including even if no action was required)?

  • Yes
  • No
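The questionnaire asks whether a method exists (Section 3.1.5: detect Known Vulnerabilities, follow up, re-analyse after release) and whether records exist (Section 3.3.2: per-component records of what was found and what was done, including "no action required"). The following is an added illustration of the smallest thing that satisfies both; it is example code written for this page, not OpenChain's own tooling or any part of the specification. The component inventory, the advisory feed, the advisory IDs (ADV-000x) and the version-range semantics are all constructed here for the example; a real Program would feed it an SBOM and a published vulnerability database instead.

```python
"""Added example: match an open source component inventory against a
vulnerability feed and keep a per-component record of the outcome.

Nothing here is real data. Package names, versions and ADV-000x identifiers
are placeholders constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Advisory:
    """One published vulnerability for one package.

    ranges: list of (introduced, fixed) pairs, meaning the half-open
    interval [introduced, fixed); fixed=None means no fix is published yet.
    """
    advisory_id: str
    package: str
    ranges: List[Tuple[str, Optional[str]]]


@dataclass
class ComponentRecord:
    """Record kept per component across the lifecycle (Section 3.3.2)."""
    name: str
    version: str
    advisories: List[str] = field(default_factory=list)
    action: str = "no action required"   # recorded even when nothing is wrong


def parse_version(v: str) -> tuple:
    """Dotted-version comparison key; numeric parts compare numerically,
    non-numeric parts sort below numbers (assumption made for this example)."""
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in v.split("."))


def is_affected(version: str, ranges: List[Tuple[str, Optional[str]]]) -> bool:
    """True if version falls inside any [introduced, fixed) range."""
    v = parse_version(version)
    for introduced, fixed in ranges:
        if parse_version(introduced) <= v and (fixed is None or v < parse_version(fixed)):
            return True
    return False


def scan(inventory: List[Tuple[str, str]], feed: List[Advisory]) -> List[ComponentRecord]:
    """Detect Known Vulnerabilities (3.1.5) and decide the follow-up action."""
    records = []
    for name, version in inventory:
        rec = ComponentRecord(name, version)
        fixes: List[str] = []
        unfixed = False
        for adv in feed:
            if adv.package != name or not is_affected(version, adv.ranges):
                continue
            rec.advisories.append(adv.advisory_id)
            fixed_versions = [f for _, f in adv.ranges if f is not None]
            if fixed_versions:
                fixes.extend(fixed_versions)
            else:
                unfixed = True
        if unfixed:
            rec.action = "no fix published; assess and mitigate"
        elif fixes:
            # Upgrade past every affected range: the highest published fix.
            rec.action = "upgrade to " + max(fixes, key=parse_version)
        records.append(rec)
    return records


def newly_flagged(before: List[ComponentRecord], after: List[ComponentRecord]) -> Dict[str, List[str]]:
    """Post-release re-analysis (3.1.5): advisories that appeared between two scans."""
    prior = {r.name: set(r.advisories) for r in before}
    delta = {r.name: sorted(set(r.advisories) - prior.get(r.name, set())) for r in after}
    return {name: ids for name, ids in delta.items() if ids}


# Constructed sample data: an inventory as it would come out of an SBOM, and
# the advisory feed as seen at release time and again some weeks later.
INVENTORY = [("libfoo", "1.4.2"), ("parserlib", "2.0.0"), ("netutil", "0.9.1")]
FEED_AT_RELEASE = [
    Advisory("ADV-0001", "libfoo", [("1.0.0", "1.4.3")]),
    Advisory("ADV-0002", "netutil", [("0.5.0", None)]),
]
FEED_AFTER_RELEASE = FEED_AT_RELEASE + [
    Advisory("ADV-0003", "parserlib", [("2.0.0", "2.0.4")]),
]

if __name__ == "__main__":
    release_records = scan(INVENTORY, FEED_AT_RELEASE)
    for rec in release_records:
        print(f"{rec.name} {rec.version}: {rec.advisories or 'none'} -> {rec.action}")
    later_records = scan(INVENTORY, FEED_AFTER_RELEASE)
    print("newly flagged after release:", newly_flagged(release_records, later_records))
```

The point of keeping `ComponentRecord` even when `advisories` is empty is the 3.3.2 wording "including even if no action was required": an auditor wants to see that the component was checked, not merely that nothing was found. Re-running `scan` against a newer feed and diffing with `newly_flagged` is the post-release re-analysis the 3.1.5 question asks for; in practice the feed would be refreshed on a schedule rather than hard-coded.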

Section 3.4.1

Do you have documentation confirming that the Program meets all the requirements of this specification?

  • Yes
  • No

Section 3.4.2

Do you have documentation confirming that Program conformance was reviewed within the last 18 months?

  • Yes
  • No

Next Steps

Have you self-certified to this specification? Please let us know by emailing operations@openchainproject.org. We would like to add your organization logo to the OpenChain website. This is optional, but very useful for our work.