So good morning everyone. It's the last day of the conference. Thanks for coming to this session. I hope you're all feeling well. Today we will talk about ISO 18974 and whether the existing ISO 5230 is a stepping stone for its implementation. Your speakers today are myself and my lovely colleague Katarina Ralph. We are from PwC Germany, and you might know PwC as an auditing and consulting firm, but we also have a very strong practice in open-source software management, compliance and security management, and we are also certifiers for the ISO, and that's why we are very knowledgeable about this ISO 18974.

So we first want to start by looking back a little at ISO 5230 and its success story, then introduce you to ISO 18974 about open-source security management, then we'll talk about the synergies between those two ISOs, and we'll also give you some information about a standardized certification process.

So when ISO 5230 came out at the end of 2020, of course many people and companies asked: okay, is it just another compliance overhead? Is it just another burden, or does it actually help? Looking here at the crowd: how many people know about ISO 5230? Okay, and have you already implemented ISO 5230? Just raise your hand. Kind of? Okay, we can talk about this later.

So I mean, first of all, ISO 5230 itself is a success, because it's an international standard for open-source compliance management, and being an ISO it of course is very well known.
It's very well regarded, and this itself is a success for a former industry standard which was created by a large group of people within the OpenChain project from the Linux Foundation; actually turning it or moving it into an international standard is a success in itself. Also, it's very good because it defines the why and the what, but it doesn't define the how, and therefore it's very adaptable across all organizations in all industries, all company sizes and so on. That's very important for its adoption. We also see an adoption of ISO 5230 in companies, I mean not shown here within this crowd, but we can show you some figures later on, and we see that adoption is rising. Through its adoption you reduce risks in the supply chain, because you bring transparency into the used open-source components and you transfer this into the supply chain to make this transparent. I mean, that's the whole purpose of this ISO: it reduces risks in the supply chain, and thus it builds trust in software supply chains.

So you're looking at some figures. These are a sneak preview of an official Bitkom Open Source Monitor study in Germany, which will only come out next week, but this is a sneak preview here of two numbers already.
So from 2021 to 2023, the newest number, the companies in Germany who have policies for open-source software management increased from 17 to 32 percent, and this is also part of the success of ISO 5230, because it's an official standard and people start managing open source rigorously. And also here another number: 49... 41 percent of companies in Germany have established open-source compliance processes based on ISO 5230. When you then look at the OpenChain project, more than 100 companies have officially announced open-source ISO 5230 compliance through a self-certification, and it's large companies all over the world which are self-certified, which is very important for the adoption of the standard.

I mean, the official title of ISO 5230 is open-source license compliance standard, so it's about license compliance, but it's actually more than just license compliance. It guides companies who so far don't have an OSPO, who don't have any open-source program management so far; it guides them to first implement processes, skills, policies, tooling and everything you need to manage open source. And also companies who already manage open source and have already established measures for open-source management have a very good orientation to standardize it throughout the organization. Particularly with larger organizations, formerly they might have had different practices throughout different entities, but now they have an official standard: this is the way to go, we do it like defined in ISO 5230. And companies who already manage open source very maturely now have the chance to get self-certified to prove conformance to good open-source license compliance management.
They can do this through a self-certification or a third-party certifier. So, as I said, it's not only about license compliance, actually, because when you start implementing ISO 5230 it also brings you to the point where you will define somehow a strategy for open-source management in your company, which is very important, and you can better realize open-source advantages when you have a defined process that everyone in your company follows. Also, the standard actually introduced the need for an SBOM, which is important for compliance, but not only for compliance but particularly also for security aspects, and that's where I want to hand over to my colleague to introduce you to ISO 18974.

Great, thank you Marcel. Yeah, let's look deeper into the new ISO for open-source security. As we all know, open-source security is a topic of major importance, and there were several keynotes and talks this week on major incidents in the open-source ecosystem. So yeah, I will not read them all out again; I think we all know those cases of the last years. But what they all have in common is that they were affecting the software supply chain and making use of the increasing complexity in the software supply chain. And what is even more surprising here, especially with regards to Log4j, is that some of those security gaps, some of those vulnerabilities, are still of importance, because downloads of Log4j, for example, are in some cases still vulnerable versions. So we can see that some organizations are still not capable of managing open-source security properly, and yeah, here comes the new ISO into place. But what we have to mention here, and it's very important:
We shouldn't consider open source less secure than proprietary closed software, because the closed software is in most cases including open source anyway. So what we should really focus on here is to manage the open source properly to address those security risks. And the good thing is that the governments and regulators are seeing this risk and the necessity to manage open source properly; also those examples mentioned here, like the Cyber Resilience Act or DORA for the financial sector, have been a major topic this week. We all know the discussion around the Cyber Resilience Act, but in general I think it's a good thing that the current regulations are addressing the necessity of open-source management. But what is necessary for those professional measures? I think it's two things: transparency and the need for standardization, and this is exactly what the new ISO is offering: standardization in open-source management measures, and it's giving us the ability to address security incidents in a professional manner.

So what is the new ISO 18974? As Marcel already mentioned, it's a sister standard to OpenChain ISO 5230 on license compliance and transfers this already existing ISO into the security domain. So it provides a standardized guide for open-source security assurance programs, what they should comprise and why it is necessary to manage the open-source security aspects. And as Marcel already mentioned, the intention behind this program is to describe the what and why, but not the how of implementation, so the program allows for very high flexibility in adoption and implementation, which makes it so useful for different kinds of organizations.

So how does it look? Here on this slide.
We have all the important chapters in this ISO norm, beginning in the upper right corner with the program foundation, going on with the definition of relevant tasks and the support which is needed in the organization, then furthermore the content review and approval chapter, and lastly there are some requirements on adherence when it comes to certification of the open-source security management system.

So starting off with program foundation: some of you might already know those sub-chapters, as this is very similar to the ISO 5230 certification. It all starts with adequate policies and the definition of competencies, which is always needed when it comes to the implementation of a security management program. However, the program is only really effective when awareness within the organization exists, so this is another important pillar in the program foundation. And of course the scope has to be properly defined, especially when it comes to a parallel implementation with ISO 5230 for open-source license compliance. And lastly, in program foundation we have measures for standard practices, meaning measures which describe how to react to security incidents in the organization.

So here I also have some details which are coming right from the document itself, and what is important to understand here is that the ISO certification explicitly focuses on the documentation of the measures. So it's not sufficient to have a process implemented; it also has to be properly documented, and this documentation has to be accessible for everyone in your organization who is dealing with open source. This is why I have brought those excerpts here.

Later on, as I said, it's important to define the relevant tasks in this program and to ensure that for those measures, those processes, the personnel is equipped with sufficient resources on a financial and on a personnel basis, to ensure that the program
is running properly. Yeah, also here a short excerpt of what is written in the certification document; as I said, for example, identified program roles have been properly staffed, adequate funding is allocated.

This chapter now, the content review and approval, is the central part of the security ISO, as here it comes to the SBOM. The SBOM is a central element of this document, because the SBOM makes us able to react to vulnerabilities, as it ensures the transparency. And lastly, at the upper left corner, as I said, we have some specifications when it comes to the certification, but I will delve into the certification details later on. So as you see, there are a lot of details on this slide, but don't worry, the ISO document itself is very compact; I think it's around eight or nine pages, so it's a very compact guide on how to diminish open-source security risks.

Yeah, here we have a very simple supply chain, nothing complex, and as you can see there are some IT solutions which are assembled step by step into a final product. But what they all have in common is a small, tiny security gap, breach, whatsoever; it doesn't matter when it was implemented, but there is one, it's highlighted in red, and as you can see this security gap is transferred along the whole software supply chain, which is obvious. But imagine all those organizations in the supply chain have the ability to detect and to react to this security gap. This is where the ISO steps in and makes us able to detect and react to those breaches, which makes it also possible in the supply chain to work together. I think this is key when it comes to open-source security: that not only single organizations are adopting the standard, but it's a joint effort, because every step in this software supply chain needs to be secured by standard processes.

So now to the major question of our talk: what are the synergies between the compliance ISO and the security ISO,
and can maybe the compliance ISO be a stepping stone towards the implementation of security? So what I've done here is a direct comparison of both ISOs and their contents. So as I already pointed out for the security ISO on the right side, there's a program foundation, and exactly this structure is also included in the compliance ISO. So also here we have policies, we have scoping, which is necessary, competencies have to be defined, and also the awareness program is very important. So here we already have some synergies; of course the content is differing, but the requirement, the measure and the framework are similar, so here we can harmonize the implementation. And this also applies to the second chapter, which is relevant tasks defined and supported. And where they all merge is in this chapter, open-source content review and approval, because here both ISO norms point to one thing, and that's the SBOM. So when it comes to the adoption of the ISO for license compliance or security, both require the ability to create professional SBOMs, but of course the intention behind this is differing. So on the one side the compliance ISO of course points to the use of SBOMs for handling open-source license use cases and compliance artifact creation, and on the other side, on the security side, the SBOM serves to handle the detection or resolution of vulnerabilities and to provide the necessary transparency in the supply chain. So yeah, as you can see, both have a very similar structure. Of course, this also comes from its origin, as it was developed by OpenChain, but from my perspective it makes it very comprehensive and very easy to understand how the new ISO is working.

So can ISO 5230 be a stepping stone towards security? I would say yes, but it depends.
I think this is a consulting answer, but yeah, it always depends on what your organization is focusing on, what the goals are, and whether there are already existing frameworks which the ISO should be adjusted to. But as we have seen, the SBOM is the crucial element, the binding factor between both ISO norms, and therefore it definitely makes sense to harmonize processes and efforts here in order to ensure a professional and robust SBOM. And what is also great here, due to the synergies, is that it's not necessary to answer the question which ISO to implement first, because all scenarios work. So if there is an organization which has already adopted the ISO for license compliance, the security ISO can be implemented as well, and vice versa, and of course both can be implemented in parallel, as we have seen that the framework and the requirements, especially in program foundation, are very similar. So now let's have a look at the certification.

Okay. So yes, lastly we want to talk about the certification process and just give you a little bit of insight into how it works. And perhaps this thought up front: does it make sense to certify? You can see here on the one side the effort which is required to run an open-source program, to run an open-source security program, and then again the effort which is required to do a certification; on the other hand you see how much trust it builds in the supply chain. So just running and operating an open-source software security program doesn't provide you with so much trust in the supply chain, because no one knows: do you do it correctly? How is it done? And so on. So therefore a self-certification or third-party certification of course builds much more trust, and that's what ISOs and certifications are for. And it's just a general thought: to show to your partners, to show within your supply chain, that you're doing this correctly.
That's what an ISO and certification is for. Then very often there's a question about what the benefits are for a supplier and for a company to engage with those suppliers that are certified. First of all, I mean, if you're adopting ISO 5230 or 18974 you can demonstrate and prove your compliance, and you can showcase it to your customers. But it's also a seal of quality internally and a reward for your efforts, that you've set up the program correctly, that you have someone externally looking at it and providing feedback, and you can also benefit from this valuable feedback to further optimize it. Also, it might bring a benefit in RFPs, because some RFPs nowadays request companies to be certified, or in some cases companies now also start to put it into the standard procurement documents that certification is required. One other and last aspect is that you can also overcome operational blindness, because sometimes you work on your program for quite a while with many people engaged within your company, but you don't see the obvious because you don't have this external view of someone who looks at it with a fresh view. So this is all beneficial for the company
that actually starts an implementation and certification process. And for the other side in the supply chain, it also brings benefits of course to engage with clients, with customers, with suppliers that are certified, because it can reduce your internal efforts. I mean, depending on how you set up your processes, but it makes sense to set up a process that when you receive trust and the certification from a supplier regarding their open-source compliance and security management, you can reduce the internal efforts in terms of double-checking, in terms of scrutinizing and tracking what you get delivered from them. Also, it's helpful to apply this state-of-the-art standard throughout your suppliers, so that you don't measure suppliers with different standards, with a different way of checking their compliance and their security in open source; it makes sense to do this the same way for the whole supplier base. And this comes to the point of an unbiased assessment. So sometimes when you have different teams who have been engaged with a supplier for quite a long time already, they know them very well, and then on the other hand they have to check a new player that they don't know so well; there might be some bias in terms of assessing the program of the supplier and checking if they follow open-source compliance and security correctly. So it makes sense to trust a certification, which is an official feedback and assessment of such open-source security measures.
I mean, the content of the certification is quite clear, as we already showed you: of course the content which is written in the standard, the program foundation, the defined tasks, the content approval and the adherence to the whole program overall. And when it comes to an actual certification, there are different techniques to do the certification and to do the audit. It starts with interviews, which is just discussing the content and the scope and all the relevant parts, and then for particular parts of the program there will be a review of documentation and records, where the availability and also the content of these documents, which are the required verification materials, is checked. And then for the most important part, what I think is the heart of this whole security program, so for the SBOM creation, the creation and completeness and correctness of the SBOM, it makes sense to have an observation of the whole process and to do process walkthroughs to really understand and double-check that the SBOM is created correctly and completely. So these are the audit techniques, and then there's of course random or targeted sampling: based on the verification materials which are defined in the ISO, there might be some spot checks, random or targeted sampling, to double-check these materials.

Just a brief overview of an official certification process. I mean, it wouldn't be the process if there's not an ISO standard for it.
So there's the ISO 17021 standard for the certification of management systems, and since an open-source compliance and open-source security system is a management system, this ISO standard for certifying management systems is used, and it's very clearly defined what needs to be done. It starts with pre-certification activities, so it's actually just defining a timeline and so on. Then actually comes the audit planning: the objectives and the scope and the criteria need to be made very clear, and very often we have a discussion about the scope, because it's not so easy to define the scope of the certification. Will the whole company, will just a particular business unit, will just a particular organization, a country, an entity be certified? So that's very important to think about, and also when you trust certifications from your suppliers, you should make sure that the actual development department you get your products from is certified, and not some other entity or some other business unit. This is very important, because sometimes there's a misunderstanding where entity A in Germany is certified and you procure products from entity B of the organization in France; then that's not so helpful, of course.

Then the actual certification process is quite clear: there's a phase one, which is a documentation review, so that all documents are provided, available and the content is correct, and then phase two is the effectiveness review, and that's where the walkthroughs and the review of processes come in, where the actual effectiveness is checked, that these things which are documented and which are defined in processes are also lived throughout the organization, or throughout this certification scope, are in place and are working correctly. And once this is done, there might be some non-conformities, where an auditor says, okay,
here's some stuff which needs to be reworked, and if this is not too critical and not too much, there's a period of time which is then defined by the auditor to rework this, and then it can be rechecked in this whole process. And once everything is checked and correct, a decision for a certification is then granted.

One last thing to mention: I talked about the certification process up to where you receive a certificate, but then it's also important, and this is the whole thing about ISOs and ISO standards and certifications, that this needs to be maintained. Because the certification looks at the process in a company at a particular point in time, and to make sure that three months later, six months later, one year later this is still correct and they are still following the processes, an auditor does what is called maintaining of the certification. So there's an agreement between the auditor, the certifier, and the company that regularly they check in and ask: okay, is everything still running? Did you do any bigger changes? Have you, whatever, a completely new process, a new scope, new tooling and so on? Because then a re-audit needs to be done. But if in this check-in it's agreed that everything stays the same, everything is correct and still works as it was seen, the certificate just stays as it is. After one year, then, a recertification surveillance audit is done and then it's recertified, and after three years actually a full-scope certification and reassessment is performed.

So, to conclude: it's a new ISO out there. Not yet, to be honest; it's still a draft international standard. Just this morning
we were talking with Shane at the OpenChain meeting which runs in parallel. We are still waiting for the official release of this ISO, but the whole process has gone through and it's just a matter of time until the ISO actually releases this new standard; it's all done, completed, and we are just waiting for an announcement until it's officially out there. So the resilience of IT systems, we see it everywhere, and particularly also in regulations which are coming up in Europe, and as I said, the resilience of IT systems is very important, and increasingly important, and since open source is built into all IT systems, open-source security is important. That's where the standard comes in. We discussed if ISO 5230 can be a stepping stone, and yes, it can: if you have ISO 5230 already implemented, you have very good foundation material and very good processes around the SBOM creation already, so this is very helpful. But because we've received this question several times, I want to mention again: it's not a necessity to have ISO 5230 in place first. So both can be done; they are two separate standards and both can be applied individually. Supply chain security is a joint effort.
It doesn't make sense when only one company cares about security in the whole process and cannot rely on others and so on; it's a joint effort, everyone needs to join in. So hopefully the adoption of this standard will work very quickly and many companies will take care, and will also showcase to other companies through self-certification or external certification that they are compliant with it and that they take care. And then lastly, and quite important, is that when this standard is applied correctly there's also a contribution back to the open-source ecosystem, in terms of identification of these vulnerabilities, which are then mentioned and fed back into the ecosystem, and also since CVEs are known and are communicated in the ecosystem, there's the joint effort to work around them or to actually solve them. It's also very helpful for the overall security of the ecosystem. So this is it. Please go ahead with questions.

The thing I don't understand is, with this certification of security, you're building a chain of trust, but the thing is, how could open-source projects possibly be part of that? Because an open-source project is not a company. They cannot buy the ISO standards, probably. I mean, when they are company-backed, yes, but when it's a small project they're not, and it's a bit against what I feel is the open-source spirit. Because there is an end to this chain, and the end of the chain is not the end of the supply chain, or the beginning of the supply chain.

So basically your question or your comment is if an open-source project can also be certified, or how they can be part of the whole process. I mean, it's a good question. Absolutely correct what you're saying, and I mean the certification is for an organization; it's not defined if a project could be an organization.
I mean, this is something that could be discussed, and the question is if an open-source project which is maintained in a community can also apply the standard and can also say, okay, they have measures in place to fulfill the security audit standard. But first of all, you're correct: the certification is rather defined for organizations. I'm just thinking, I think it also does help projects, because there is feedback to the community, to the project, if something is identified through companies, and the more companies care about CVEs and vulnerabilities in projects and feed it back to the community, the more the project can also benefit.

Maybe to jump in here: the interaction with the open-source ecosystem and the community is an essential part of both ISO norms, so especially ISO 5230 has a separate chapter on contributions and the interaction with the ecosystem, and so does the security ISO, because when an organization is adopting those measures, those requirements, it becomes able to better interact with the community and to also provide contact points to communicate with each other. So yes, as Marcel said, there is the connection between the organization and the community, in short.

Similar question, basically. So do you see realistic efforts, or efforts starting, to really certify the whole supply chain, for like large companies? It's not mandatory, as far as I understand from the standard, right? It's not mandatory to have all suppliers certified and so on.

No, I mean, the standard is for one company at a time.
Yeah, so the certification is not about saying that the company has certified the whole supply chain. So the certification is for one entity, for one organization. I mean, if a company will only engage with suppliers which are certified, that's up for discussion; that's up to the procurement and risk management and so on of this company. And what we see with ISO 5230, and now in discussions with 18974, is that larger organizations come up with a risk-based approach, so to define: what are the most critical suppliers? What risk do I have from these suppliers? Where do the code or the components go into my product, and how critical are these products for my company? And if this is critical, you rather will trust the supplier which is certified or which has particular measures in place and can showcase them to you, and if it's not critical at all, you probably don't care about whether your supplier is certified or not. So, but there's not a requirement. I mean, if we certified one company, it's not a requirement that the whole supplier base is certified.

I mean, it cannot be the case that the whole supplier base is certified, because, as my question earlier wanted to start the discussion, suppliers can be open-source projects, and they cannot be certified. I think this is a part where ISO is falling short and not working for this, but this is my personal opinion about ISO. But yeah, this is why it feels a bit like standing in a ruin and cleaning the floor with a vacuum cleaner. I mean, you're doing right, but the house is broken.

Probably. But I think it's an important first step.

Yeah, yeah, sure, but...

Of course it cannot solve the whole problem of security in the open-source ecosystem, but as I said, it's an important connection point between organizations and projects to ensure that there is a joint effort in... Yeah, thank you. And I will take, or we will take your... thank you.