Posted by on Friday, June 4th, 2021

Synopsys can measure the maturity of security activities within an open source management framework in compliance with the OpenChain standard and ISO/IEC 5230:2020.

Today, we are proud to announce the expansion of the partnership between Synopsys and the OpenChain project to include third-party certification. The OpenChain Project already recognizes the open source expertise of Synopsys in both the service provider and vendor space. This latest recognition ensures that Synopsys participates in and continuously aligns to the OpenChain Project and ISO/IEC 5230 compliance specification.

• The Synopsys open source framework continually aligns with OpenChain specification (current version 2.2.1)
• The OpenChain compliance assessment questionnaire is provided as a client deliverable during assessment in effort to promote the OpenChain standard and ISO/IEC 5230:2020

The ubiquity of open source

Security and development teams realize that open source software provides the foundation for the vast majority of applications across all industries. This point is underscored by the Synopsys “Open Source Security and Risk Analysis” (OSSRA) report, which provides an annual assessment of the current state of software and security. In the 2021 OSSRA, of the 1,500+ applications audited, 75% of the codebases were composed of open source. Given this expansive presence of open source components, it’s vital to implement an adequate open source management program.

As a leader in open source security and compliance management, Synopsys Black Duck® provides the capabilities, support, and automation required to supplement today’s modern DevSecOps environments. This includes Black Duck Binary Analysis (BDBA), which quickly generates a complete software Bill of Materials (BOM) that tracks third-party and open source components, and identifies known security vulnerabilities, associated licenses, and code quality risks. And Black Duck KnowledgeBase provides the component-level context that enables organizations to identify licenses and find and assess legal risks.

About the OpenChain Project and ISO/IEC 5230

The OpenChain Project maintains the International Standard for open source license compliance. The OpenChain Project in combination with ISO/IEC 5230:2020 specifies the key requirements of a quality open source license compliance program in order to provide a benchmark that enables trust between organizations exchanging software solutions composed of open source software.

“OpenChain and ISO 5230 provide a framework for managing the ingestion, internal management, and deployment of open source software,” said Shane Coughlan, OpenChain general manager. “The key focus of the International Standard relates to open source license compliance, but it is also used in other contexts according to business needs. An important aspect of using OpenChain and ISO 5230 in the supply chain is in supplier relationships, and we see an increasing number of customer companies preferring or requiring use of the standard in the product and service pipelines. Some companies opt to self-certify to the standard, and some opt to obtain third-party certification. We are delighted to welcome Synopsys as our third global third-party certifier, offering increased industry coverage and options to the market as a whole.”

The OpenChain mission is to establish requirements to achieve effective management of open source for software supply chain participants, such that the requirements and associated collateral are developed collaboratively and openly by representatives from the software supply chain, open source community, and academia.

OpenChain has established a governance model that provides long-term support for the current work of the OpenChain work group, and supports the vision of a supply chain in which open source is delivered with trusted and consistent compliance information.

The Synopsys approach to open source compliance

The Synopsys approach focuses on establishing an effective oversight program that defines the strategy and governance of open source consumption and contribution. Utilizing metrics and reporting in combination with awareness initiatives, we evaluate clients on their ability to effectively discover, manage, and review and approve open source code in their environments. Evaluations are also performed on inbound third-party software and outbound distributed components or applications, as well as on external and internal development teams.

The impacts of open source licensing include legal obligations, security vulnerabilities, and management of support when open source projects are no longer maintained. Synopsys effectively measures the maturity of activities within an open source management framework, in compliance with the OpenChain standard, ISO/IEC 5230:2020, and a common set of industry standards, and then provides tailored recommendations. These recommendations are used to establish a roadmap to the target state of open source maturity.