Name: The Path to a Sustainable Software Supply Chain
Start: 2022-03-15T21:00:00Z
End: 2022-03-15T21:50:57.000Z
Location: BrightTALK
Rating: 0

Up to 90% of any piece of software is from open source, creating countless dependencies and areas of risk to manage. FOSSA is the most reliable automated policy engine for vulnerability management, license compliance, and code quality across the open source stack. With FOSSA, engineering, security, and legal teams all get complete and continuous risk mitigation for the entire software supply chain, integrated into each of their existing workflows.

A recent Cloud Native Computing Foundation (CNCF) survey revealed that a staggering 84% of organizations use containers in production — up from only 23% a few years ago.

Like much of today’s technological landscape, the container ecosystem is largely fueled by open source components. This, of course, means organizations that use containers must be mindful of open source licensing requirements. But the complexity and relative novelty of the container environment means maintaining license compliance can be easier said than done. 

Join leading open source licensing expert Kate Downing and FOSSA’s engineering team on Dec. 19 for key insights on understanding and managing open source license compliance in the container environment. We’ll discuss:

-Which parts of the open source container ecosystem carry compliance obligations
-How to deal with copyleft-licensed components 
-End-to-end strategies for managing container-related compliance
-The role of container scanning in managing compliance

Containers and Open Source License Compliance

For all of the attention paid to SBOMs (software bill of materials) in recent years, there’s been little conversation about a mission-critical supply chain security use case: integrating SBOMs throughout the software development lifecycle. 

Instead, SBOMs are generated as a check-box item, placed in Google Drive — never to be seen again. Unfortunately, this misses an important opportunity to integrate SBOM insights (such as risk assessments based on SBOM data) into the SDLC.

Of course, successfully operationalizing an SBOM requires buy-in from the right stakeholders,  building the right SBOM-related workflows, and using the right tools — and this can be easier said than done.

Join Kenaz Kwa, the Head of Product at FOSSA, in our webinar “How to Get Value from SBOMs Throughout the SDLC” for practical guidance on tackling these challenges and successfully operationalizing your SBOMs. We’ll discuss:

-Best practices for generating SBOMs that can be used throughout the SDLC
-Considerations when importing SBOMs 
-How to verify the validity of SBOM data
-How to use SBOMs to flag compliance and security issues during the early stages of the SDLC

How to Get Value from SBOMs Throughout the SDLC

As a technology-focused attorney with several leading software companies, Evan LeBon has had a front-row seat to the evolution of software development — and the profound impact it’s had on in-house counsel. 

The shift from a handful of releases each year to the modern world of dynamic build pipelines, automation, and CI/CD has forced legal teams to address a variety of new challenges. 

-How do you balance the need for product compliance and IP protections with engineering’s desire to move quickly?
-What’s the most effective way to structure communication and collaboration with modern development teams?
-How do you keep mission-critical documentation like SBOMs and open source attribution notices up to date?
-What new tools and processes are necessary to make all of this possible?

Evan will answer these questions and more on Wednesday, Nov. 2 during the webinar "Legal Compliance for Modern Software Development." We’ll discuss specific ways in-house counsel can ensure compliance processes keep pace with development, including:

-How understanding and embracing engineering culture can help in-house counsel work more effectively with development teams
-How open source license compliance management processes should evolve to keep pace with continuous software release cycles
-How automated tools can save legal teams significant time on compliance and documentation

Legal Compliance for Modern Software Development

Applause is the world leader in testing and digital quality. They partner with the world’s greatest brands — such as Google, Microsoft, and PayPal — to ensure that their digital assets and experiences are of the highest quality and work as intended.

Like a number of successful engineering leaders, Applause CTO Rob Mason has encouraged his team to use open source software to improve efficiency and product quality. But, Rob and Applause have taken a different, far more developer-friendly approach than many organizations to the necessary (yet often painful) areas of product compliance and security. 

With the right mix of policies, collaboration, and automation, Applause has built successful compliance and security programs that don’t take significant engineering resources or require developers to change their preferred workflows.

Join Rob in the upcoming webinar "How Applause Does Open Source Compliance and Security the Developer's Way" to learn more about Applause’s developer-first approach to managing OSS license compliance and security — and the importance of tools like FOSSA in making this possible. We’ll discuss:

-How Applause structured its OSS license compliance and vulnerability management programs to be as developer-friendly as possible
-Best practices for collaboration: engineering-legal (on license compliance) and engineering-security (on vulnerability management)
-How and where Applause uses scanning technologies to manage OSS license compliance and security
-How Applause has benefited from automating OSS license compliance and vulnerability management with FOSSA

How Applause Does Open Source Compliance and Security the Developer's Way

There's been a lot of discussion about SBOM-related requirements in the Biden administration’s 2021 cybersecurity executive order. But that same executive order also prompted NIST (the U.S. government’s National Institute of Standards and Technology) to create lesser-known — yet also important — guidance specific to managing open source software security. 

These recommendations include using programming languages and frameworks with built-in security controls, pulling open source from trusted repositories, and implementing software composition analysis (SCA) to detect vulnerabilities, to name a few.

Join FOSSA Security Engineering Manager Solomon Rubin in the webinar “Demystifying NIST’s Open Source Software Security Controls” for a comprehensive overview of NIST’s open source security recommendations — and the practical steps your organization can take to implement them. 

We’ll discuss: 

-NIST’s six recommended controls for open source software security
-How teams can use NIST’s Foundational, Sustaining, and Enhancing framework as a roadmap to enhance their internal capabilities 
-The role of SBOMs in vulnerability management 
-Where software composition analysis (SCA) tools like FOSSA fit into NIST’s guidance

Demystifying NIST’s Open Source Software Security Controls

SFC vs. Vizio — a case that tests whether software users (not just copyright holders) can enforce open source licenses — has the potential to change the open source enforcement landscape in a major way. If courts determine that users have standing to enforce the GNU General Public License, software developers who use open source code are likely to face significantly more compliance-related requests and scrutiny.  

In addition, the case has revived interest in an often overlooked provision of the GPL v3 which, regardless of the court’s decision on standing, is important for producers of consumer devices. The GPL v3 requires consumer device manufacturers to provide “installation information” so that end-users can update, modify, and/or reinstall the GPLv3 licensed software in those devices. 

But what is “installation information” and what’s the best way for manufacturers of “user products” to comply with this requirement — and what steps should organizations (regardless of industry) take now to bring their products into compliance? 

Join software licensing expert Chris Stevenson, Of Counsel (DLA Piper) on October 12 for a webinar discussion on these pressing questions and more. We’ll discuss: 

-An update on the SFC vs. Vizio and its potential ramifications
-Key differences between GPL v2 and GPL v3
-The “User Products” clause and strategies to comply with it

Compliance with the GPLv3 “User Products” Clause and the Impact of SFC v. Vizio

Growing threats from software supply chain attacks — coupled with new regulatory guidance from the U.S. federal government — have put a spotlight on the importance of generating SBOMs (software bill of materials). 

But while SBOMs are often mainly associated with supply chain security and regulatory compliance initiatives, they have a range of applications for today’s in-house legal teams, including OSS license compliance. 

Join Ryan Cobb, the IP Counsel at Okta, for a webinar discussion on what in-house counsel should know about SBOMs. 

We’ll discuss:

-How detailed SBOMs can be a competitive advantage for your organization
-The connection between generating SBOMs and maintaining OSS license compliance
-Getting engineering support for SBOM generation 
-Practices and processes for generating SBOMs

The In-House Counsel’s Guide to SBOMs

OpenChain ISO/IEC 5230:2020 is the international standard for open source license compliance. It’s based on six brief, straightforward sections (covering 13 core requirements) that outline how organizations can establish and maintain effective compliance.

These requirements include documenting the open source you use, having a way to ensure compliance with licensing obligations, and identifying compliance program participants. Organizations which check these boxes can earn the designation “OpenChain Conformant.” 

On Wednesday, August 31, Shane Coughlan (GM of OpenChain) will discuss how to put your organization on the fast track to OpenChain Conformance. We’ll discuss:

-The business benefits of earning OpenChain Conformance
-How legal, engineering, and management teams can collaborate to fulfill requirements 
-What documentation is required as part of the OpenChain standard — and strategies to produce and maintain it
-How automation can accelerate the journey to OpenChain Conformance

OSS License Compliance: Practical Strategies for OpenChain ISO/IEC 5230:2020

Reps and warranties concerning open source software are an important — yet often overlooked — part of commercial software licensing agreements. That’s because organizations that ship products are ultimately responsible for OSS license compliance, even if the issue stems from a vendor-supplied component.

This reality puts a premium on including the right reps, warranties, and indemnity provisions in commercial licensing agreements. Join Technology and Transactions Attorney Jim Markwith (JD/MBA) for a webinar discussion on several dimensions of OSS-related reps and warranties in commercial software licensing, including:

-An overview of warranty provisions in common open source software licenses 
-How to ensure commercial software licensing agreements don’t become problematic during due diligence
-Why organizations should require software vendors to deliver a whole repository (including code in source and object form) and proper attribution documentation with the deliverable
-How to manage commercially licensed software as part of a comprehensive open source license compliance program

Reps, Warranties, and Open Source Software, Featuring Jim Markwith

Given the large volume of open source software in modern applications, it can be quite difficult to manage OSS license compliance obligations with manual processes alone. But picking the right compliance tool — and then realizing value from it on an ongoing basis — can be easier said than done, especially given the feature-rich nature of modern solutions .  

IP attorney Heather Meeker, one of the world’s foremost experts in open source license compliance, will offer guidance in these critical areas (evaluating new tools and maximizing existing ones) in our upcoming webinar. Heather will discuss topics like:

-Differences between types of license compliance tools
-Features and capabilities to prioritize depending on your business objectives
-Strategies to integrate tools into engineering workflows
-How the current generation of tools can support attribution notice and due diligence requirements

The Lawyer’s Guide to OSS License Compliance Tools, Featuring Heather Meeker

Open source license scanning tools like FOSSA play an important role in software development for many organizations. That’s because these tools automate what would otherwise be the manual (and time-consuming) process of identifying and inventorying the licenses that govern use of open source code

But how, exactly, does a license scanner work? And how can you be sure they produce accurate results? 

Join FOSSA software engineer Scott Patten on June 29 for answers to these questions and more. Scott will share a behind-the-scenes look at our new license scanning technology, including insight into topics like:

-Design priorities for our new license scanner 
-Types of license matching
-A deep dive into the license detection algorithms
-Important lessons learned

Under the Hood of FOSSA’s New License Scanner

Identifying and mitigating known vulnerabilities in open source code has long been a foundational part of secure software development. But over the past year, we’ve seen an increase in novel software supply chain attacks happening before CVEs are published.

As a consequence, focusing on remediating CVEs — without accounting for other indicators of vulnerable open source — can put applications at risk. 

Join FOSSA security experts on Wednesday, May 25 to explore these emerging signs of risky or compromised open source packages — and to get actionable guidance on addressing them. We’ll discuss challenges and solutions in areas like:

-Empty packages
-Abandonware
-Remote dependencies
-Typosquatting

Beyond the CVE: Addressing Novel Supply Chain Risks

In the hours, days, and weeks following the disclosure of the Log4J zero-day vulnerability, FOSSA’s security engineering team implemented a comprehensive plan to help our customers respond.

Senior software security engineer Matt Schwartz helped lead these efforts, working hand in hand with customers to minimize the vulnerability’s impact.


Join Matt on April 13 for an inside look at FOSSA and our customers’ response to Log4Shell — and how the lessons we learned can help your organization prepare for the next zero-day vulnerability. He’ll discuss:

-How Log4Shell impacted FOSSA customers  
-Strategies to mitigate vulnerabilities in direct and transitive dependencies
-The biggest lessons we learned  
-Steps you can take now to prepare for the next zero-day vulnerability

Log4Shell: A Case Study in Responding to OSS 0-Day Attacks

If you're an in-house lawyer, today's deal market means any day may bring news of an IPO, merger, or even fast-tracked SPAC acquisition. 

The ubiquitous nature of open source software in modern applications means it’s likely that license compliance will be part of due diligence. And, any compliance issues that surface during this assessment may present significant roadblocks to a successful transaction. 

Are you prepared to brief your CEO on the status of open source license compliance if asked right now? Could flaws in your company’s code emerge after an IPO, bringing about major business and reputational harm for all involved?  

In today’s market, even tech-savvy legal departments would be wise to revisit the IP risks presented by open source software, with an eye toward implementing continuous license compliance and ditching the one-off audits. 

In this webinar with our friends at Above the Law, we discuss:

-How to prepare for transaction-related compliance reviews in an era of ever-increasing complexity and ever-decreasing timelines
-How OSS license compliance impacts the SPAC boom and other transaction trends 
-How to implement a system of continuous compliance and the benefits of doing so
-How to anticipate and address any cybersecurity issues raised by open source code

How to Ensure OSS License Compliance Doesn't Tank a Transaction

Rancher Labs has long been considered a pioneer in container orchestration. The marketing-leading Kubernetes management platform (acquired by SUSE in late 2020) is entirely open source, meaning users retain maximum flexibility with no vendor lock-in. 

Since it was founded nearly a decade ago, Rancher has worked hard to stay at the forefront of cloud native innovation. In mid-2021, the company took another big step on that journey when it implemented FOSSA Software Composition Analysis.

Join Rancher Labs’ Senior Engineering Manager Hayden Barnes (formerly of Canonical and founder of Pengwin Linux) for a conversation about how Rancher has used FOSSA to manage OSS license compliance, reduce security risks, and increase development velocity — and how your organization can reap similar benefits.

We’ll discuss:

-Why Rancher Labs selected FOSSA, and lessons learned from implementation
-How and why Rancher Labs integrated FOSSA into its CI/CD 
-Strategies for making risk management a standard part of software development
-Best practices for generating and maintaining up-to-date compliance reports

For any questions or follow-ups, contact the webinar presenters:

Hayden Barnes: https://twitter.com/unixterminal | hayden.barnes@suse.com
FOSSA: demand@fossa.com

How Rancher Labs Increased Development Efficiency and Security with FOSSA

C and C++ are amongst the most popular languages in the world. Designed for programming embedded, resource-constrained software and large systems, they are widely used because of their efficiency, stability and portability. 

But unlike other languages, C/C++ do not have standardized package management, which creates complexity in scanning and managing dependencies.

During this webinar, Kit Martin, one of FOSSA's Software Engineers, will explore the complexities of scanning C/C++ code for dependencies. Topics will include:

- How scanning for C/C++ differs from other managed languages
- Various packaging scenarios in C/C++ 
- Challenges with C/C++ with vulnerabilities

Challenges in Scanning C/C++ Code for Dependencies

Get ready for a FOSSA 101. Register for this session and get a quick primer on how to get started with FOSSA. Our FOSSA Product Engineer will walk you through the platform and demonstrate how to: 
 
- Use the FOSSA CLI to scan your code
- Identify dependencies, license compliance issues and vulnerabilities
- Configure license and security policies 
- Integrate with your existing tools

Live Webinar: Getting Started with FOSSA

Software supply chain security has dominated the headlines in recent months following a series of events (including the SolarWinds hack and the Biden Administration’s executive order). But maintaining the integrity of your software supply chain is about more than just traditional vulnerability remediation.

Our modern threat landscape has elevated the importance of supply chain sustainability, which includes areas like software provenance and lifecycle management in addition to known vulnerability mitigation.

Join Shane Coughlan, GM of OpenChain (a Linux Foundation project) for a conversation on the importance of supply chain sustainability and practical steps your organization can take to strengthen supply chain integrity. We’ll discuss:

-The evolution of software supply chain threats
-The importance of software provenance, such as package origin, maintainers, and quality
-Questions to ask vendors to gauge the sustainability of proprietary software
-Indicators of sustainable open source software

The Path to a Sustainable Software Supply Chain

Software Supply Chain Security

Open Source

SBOM

Cyber Security

Intellectual property law is crucial to ensuring that you or your organization have exclusive rights to that assets that you’ve created. The BrightTALK intellectual property community has thousands of professionals focused on learning and exchanging information about intellectual property management, intellectual property software and how to protect intellectual property. Join the community for access to free, interactive presentations or attend live webinars to have your questions answered by IP lawyers and industry experts.

Intellectual Property

The legal community on BrightTALK combines the fields of employment law, e-discovery, intellectual property and environmental law to create a thriving ecosystem of legal resources. Attend live and on-demand webinars dealing with employment contract law, e-discovery solutions, intellectual property software and sustainable development from leading lawyers and legal professionals to gain knowledge in a wide range of fields. Join the community and be part of the conversation by attending live legal webinars and connecting with industry thought leaders.

Legal

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

Increasing expectations for good governance, effective risk management and complex demands for corporate compliance are presenting a growing challenge for organizations of all sizes. Join industry thought leaders as they provide you with practical advice on how to implement successful risk and compliance management strategies across your organization. Browse risk management resources in the form of interactive webinars and videos and ask questions of expert GRC professionals.

IT Governance, Risk and Compliance

The application development community features top thought leadership focusing on optimal practices in software development, SDLC methodology, mobile app development and application development platforms and tools. Join top software engineers and coders as they cover emerging trends in everything from enterprise app development to developing for mobile platforms such as Android and iOS.

Application Development

Enterprise applications have become a crucial piece of infrastructure for many businesses. The enterprise applications community on BrightTALK features the latest insights in enterprise application integration, enterprise application architecture and EAS software. Join the community to gain access to thousands of videos and webinars presented by recognized enterprise information systems experts and arm yourself with the knowledge you need to succeed.

Enterprise Applications

Join thousands of engaged IT professionals in the application management community on BrightTALK. Interact with your peers in relevant webinars and videos on the latest trends and best practices for application lifecycle management, application performance management and application development.

Application Management

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Information Technology

Happy employees make productive employees. HR managers are now finding that compensation and benefits alone cannot keep employees happy; they also need nurturing through proper training and development. Join the BrightTALK talent management community to learn how to engage and retain your best talent by providing them with the tools and rewards they need to enhance their performance and reach their potential.

Talent Management

Modern human resources professionals are charged with not only the recruitment of talent, but also retention, satisfaction and management. They also support the training, assessment and compensation aspects of employee management. Join this community to connect with thought leaders and learn about trends in benefits, compensation and talent management. Stay ahead of the curve to attract and retain top talent and strengthen organizational leadership and culture.

HR Strategy

Human resources is intrinsically linked to business success and requires a thoughtful balance of a variety of complex issues. The human resources community on BrightTALK is made up of thousands of professionals in human resources exchanging human resources best practices and advice. Watch hundreds of on-demand webinars for immediate information or participate in upcoming live webinars and have your questions answered by respected HR thought leaders.

Human Resources

Get powerful market trends insights that are shaping the M

Mergers and Acquisitions

The accounting and finance community on BrightTALK features presentations from leading accountants and finance professionals. The accounting community includes tax planning strategies, QuickBooks webinars and other accounting webinars, while the finance community features presentations on financial capital regulations and forensic data analytics. Join the conversation by attending live financial and accounting presentations and connecting with industry thought leaders.

The Path to a Sustainable Software Supply Chain

Presented by

About this talk

More from this channel