The Evolving Role of Software Security and License Compliance

If the past few years in software security and license compliance showed us anything, it’s that threat actors will continue to find a way in. The discovery of vulnerabilities and ongoing exploits demonstrates that there is no end to security iterations. New variations, additional patches, and further strategies for protection will continuously materialize.

Yet, while this space grows increasingly complicated, the evolution of technology that supports software security and license compliance is narrowing the gap for businesses. A great example is the recent release of the OpenChain Security Assurance Specification, offering a new opportunity for businesses to self-certify in security compliance.

How Should Security and License Compliance Guidance Evolve as Technology Continues to Innovate?

Security practices are always changing as new attack vectors present themselves. While security teams may not be able to predict what happens next, they can focus on creating adaptable process management in order to evolve to counter future threat actors.

As compliance guidance has expanded, businesses can now cover more bases with fewer resources. Existing OpenChain guidance for license compliance – and now security compliance – gives companies a checklist they can complete independently.

The availability of tools like code scanning, using SBOMs as part of a structured solution, and open source software management make security more approachable than ever before. Even on a consumer level, the simplest actions often have the greatest impacts:

  • Train Your People – Committing to learning more about how compliance works and why it’s important will help your team better manage security over time.
  • Raise Awareness – With available documentation and self-certification opportunities, you can increase the baseline awareness around security and license compliance.
  • Conduct Retrospectives – Continually assess your compliance and security practices; invest in the time and resources to mitigate risk.

As technology continues to innovate, there are more resources than ever before for companies to turn to. Yet, the baseline practices of returning to your product, rechecking it over time, and being aware of what components it uses are still vital. As Shane Coughlan, OpenChain General Manager, states:

“Continually iterate, continually improve, continually evolve to make sure you’re doing the appropriate thing for your market domain.”

How Does the Security Addition to the OpenChain Guidance Integrate into the Existing License Compliance Content?

Since its launch in 2016, OpenChain’s standard management process has become a useful set of guidelines for markets across the globe. In 2020, its open source license compliance specification became an international standard, ISO/IEC 5230:2020. More recently, OpenChain has released its Security Assurance Specification.

OpenChain’s License Compliance and its Security Compliance are not identical notions, nor is one a subsection of the other. For companies that already use the license compliance guidance, OpenChain has designed the standards to work in tandem, making it easy to move from one to the other.

The compliance detailed in OpenChain Security Assurance includes the fundamental processes that should be covered and some specific security measures. Like its predecessor, it acts as a light touch that points companies in the right direction. It also provides a self-certification checklist and questionnaire.

If You’re OpenChain Conformant with License Compliance, Do You Have to Recertify in Security Compliance?

As OpenChain’s License Compliance and Security Compliance are two distinct specifications, users must recertify. Both specifications are designed as a checklist of key requirements for a quality program. Businesses can identify where they may be lacking by working through each point on this specification.

This creates a flexible jumping-off point, helping businesses to approach security at their own pace and directly in line with the specific improvements they must make. It also allows businesses to further set the ball in motion toward building up a better base of security. For example, if a company hasn’t yet told their staff they’re using open source software, they could send out a company-wide email as their very first iteration of that specification point.

With guidance like that provided by OpenChain, a range of useful tech solutions, and platforms that facilitate the software security and license compliance process, the software supply chain is evolving rapidly.

If you’d like to explore other trends and practices related to supply chain maturity, tune into Revenera’s Open Source Exchange.