When bringing in Open Source Software there is always that lingering concern about the licenses, what kind of legal risks could be brought in with the intake, and about the software constructs themselves, which security flaws and vulnerabilities could be built in when incorporating Open Source software with your solution. Thankfully, there are ways and means to reduce and handle those potential risks which were presented in two webinars by members of the Industrial Open Sorce Network.
On June 3rd the focus was on Linux Foundation’s OpenChain Project which defines the key requirements of a quality Open Source Compliance Program.
During the webinar Shane Coughlan, OpenChain Project, held an introduction on OpenChain followed by Jonas Öberg from Scania who talked about how OpenChain shaped Scania’s Open Source Program. Carl-Eric Mols, Addalot held a presentation about experiences form Sony Mobile.
A week later, on Wednesday June 10th, the focus was shifted to SW Security and Vulnerabilities aspects and how to handle those at the point of an intake and/or a continuous integration inflow of Open Source.
Martin Hell, LTH and Debricked gave a brief overview of some software security maturity models and discuss how the HAVOSS model can be used for open source software security. Stefan Andersson, Axis, talked about security at Axis and their thoughts on open source security. The webinar ended with a presentation from Emil Wåreus, Debricked about the ways Debricked tackle some specific challenges with community generated vulnerabilities using machine learning, as well as a short introduction to dependency vulnerability management.
The webinars both endend with a Q&A moderated by Nicolas Martin-Vivaldi, Addalot who is the coordinator for the Industrial Open Source Network.