The OpenChain Standard defines the key requirements that are needed when constructing a high-quality open-source program. This standard was designed and elaborated by the OpenChain Project and has been the go-to international standard for open-source license compliance since 2016.
The central goal of the OpenChain Standard is to ensure that companies that follow this set of ideals are on track to include the very best possible practices that are currently established on the market.
Instead of an organization carving its own certifications, this standard is openly available to all. With a vibrant community backing the project, thriving upon open development, there are plenty of reference materials that help companies become OpenChain compliant.
This article will explore the OpenChain Standard, demonstrating what it means to be conformant and how an organization can move towards compliance.
Why Is It So Important to Be OpenChain Compliant?
The OpenChain Standard, having been established for years with a huge amount of public support from developers, is the gold standard when it comes to open-source software. With the sheer amount of documentation that is available, it has become increasingly accessible to adhere to these guidelines, making this a valuable option for organizations around the world that want to align with the current best practices.
OpenChain’s documentation radically reduces the overall effort, time taken, and resources that becoming open-source compliant consumes. Over time, it has established itself as the leading resource for compliance, mainly due to the following reasons:
- Best practices – Because OpenChain is itself an open-source project, you’re following the best practices that have been found and outlined by thousands of developers from around the world. Instead of being dictated by a singular company, this communal effort by those within the world of open-source has resulted in a set of standards that involve the very best current practices. Equally, as they are continually updated, these standards are only becoming more precise over time.
- License Obligations – There is a legal risk when a company does not comply with open-source license obligations. Although open-source software is free to use, it comes with a range of legal obligations. By identifying where open-source is used at your company, in which applications, and what each license dictates, you’ll be able to achieve compliance and protect your business from legal risk.
- Security – One of the main aims of the current standard is to ensure complete safety when using open-source tools. By adapting existing systems, you’re able to make your organization OpenChain compliant while also ensuring your project is secure.
- Builds trust – When you can demonstrate to your customers that you are completely OpenChain compliant, they know that you’re currently following and adhering to the very best practices within the open-source community. With this, you’re able to build trust with your audience and demonstrate that your software is created in line with guidelines.
- Continuous improvement – Once you’re certified as compliant, that doesn’t mean your journey with OpenChain compliance is over. In fact, it can become part of your culture, with continual monitoring ensuring that your organization gets better over time.
As a project which has been developed in collaboration between companies in Asia, North America, and Europe, OpenChain is extremely comprehensive and will ensure your organization contributes to the ongoing effort to make open-source license compliance more efficient and accessible.
What Does it Mean to Be Conformant?
To be conformant to OpenChain means that you’ve worked through the OpenChain Open-source Policy and have ensured that you’re following every single point on the list. This specification is readily available, with individuals being able to download the template as an Excel file or as ODS.
By moving through each of these practices, you’ll ensure that your company is actively following the current best standards defined, helping to secure your organization. Once this process is complete, your business will be maintaining the ISO/IEC international standard for OSS license compliance.
Open-source software comes with a license that dictates how it should be used. You should identify any licenses that you need to comply with and follow their requirements.
Alongside OpenChain compliance, be sure that you’re following the obligations in the terms and conditions of the individual open-source components that your platform employs.
Currently, the OpenChain project states that a program must satisfy every single one of the requirements on their specification to be considered OpenChain conformant. Of course, if even one or two points are missed, the quality of the program’s output could be significantly downgraded, leading to doubt about the certification’s effectiveness. Due to this, it is recommended to conform to all specification points.
How to Become OpenChain Compliant
Although there are a range of available online resources that you can use to become OpenChain compliant, it may not seem like the most straightforward process to companies that haven’t undertaken this certification before.
There are two ways that an organization can become OpenChain Compliant:
- Self-Certification – On the OpenChain website, you’re able to access a full list of factors that contribute to an organization being completely OpenChain compliant. After you’ve ticked off every aspect of the OpenChain standard listed on their website, you’re then able to self-certify that you are 100% OpenChain compliant. Be sure to consult OpenChain’s website for more information.
- Third-Party Certification – Third-party certification is when you pay an external company to look through your processes. They will move through every part of your organization and then determine if you’re currently in line with the OpenChain standards. If you’re not quite up to scratch on one or more of the areas, then these third-party companies will normally give you a few pointers toward ensuring you fulfill all of the criteria.
It’s important to note that all of the needed resources and tools are made publicly available on the OpenChain Project’s website, so you can do the vast bulk of research with relative ease. That said, considering all open-source software you use comes with a license that you must comply with, it’s a good idea to employ a third-party code scan.
An effective code scan will give you insight into all the distinct licenses found in your applications, helping your developers and legal teams to get up to speed with open-source security and how to comply with all the various licenses.
What Does OpenChain Do for Security?
Alongside following the best practices for the configuration and documentation of open-source components within your software, OpenChain has recently released a focused set of guidance that directly caters to increasing the safe use of open-source software.
The Security Assurance Reference Guide 1.0 is not a new version of OpenChain ISO/IEC 5230 but rather guidance that focuses on conformance within the context of security. Using a format similar to the OpenChain standard itself, users will be able to move through these security recommendations with ease and ensure their software complies with the best-known security practices.
OpenChain formulated this document as a growing number of companies were already using their standard as the core for their compliance activities. By providing the Security Assurance Reference Guide, they facilitated this approach, making the OpenChain project a leading tool for security assurance.
This guide is currently in its first release, with the information and feedback that developers give to the program in the coming months helping to further shape its progress and how effective this specification can be. With this, the security benefits of the OpenChain project will continue to improve, with the open-source community leading the charge toward a more effective, stable, and secure open-source system.
Final Thoughts
Defining the core components of high-quality open-source compliance, the OpenChain project ensures that companies around the globe are accurately conforming to the best open-source practices.
When complying with this specification, companies know that their artifacts are verified by the best possible standards, helping to create a more secure public use of open-source software.