Okay, hello everyone, thank you for coming to our presentation. We are members of the OpenChain Japan Working Group. First let us introduce ourselves. My name is Yumi Tomita. I'm a product manager at Cybertrust Japan and I'm working on utilizing SBOMs for vulnerability management.

I'm Norio Kobota from Sony Group Corporation. I'm a staff member of the OSPO for the whole Sony Group and Sony's representative in the OpenChain project, and now I'm leading the OpenChain SBOM subgroup in the Japan community. Thank you.

Hello everyone, I am Taishi Yoneshima. I'm a member of NEC's OSPO, supporting internal OSS management. As a community activity I am a leader of the OSS bird-eyed build and the OpenChain Japan Working Group.

Okay, this is today's agenda. We are talking about SBOM initiatives in Japan from the perspective of the OpenChain Japan Working Group and Japanese companies. First Yoneshima-san will explain what an SBOM is and the importance of SBOMs for the software supply chain. Then he shows us Japanese SBOM trends. Then Kobota-san will introduce our OpenChain Japan Working Group initiatives and SPDX 3.0. Then lastly, as a future prospect, we are going to talk about how we are currently working on this in each of our companies and how we deal with operating SBOMs. So please start, Yoneshima-san.

Thank you, Tomita-san. In this slide I would like to introduce the importance of SBOMs, which stands for Software Bill of Materials. An SBOM is, as you know, a document that outlines the structure of software components. There are several key points I would like to highlight in this slide. First, SBOMs are expected to be utilized in various fields, such as cybersecurity and OSS license management. In recent years there has been increasing global interest in SBOMs, especially in the United States and Europe. Governments in these regions are working to adopt regulations on the usage of SBOMs. As a result, attention to SBOMs is increasing.
Following the lead of these regions, expectations for the use of SBOMs are growing in Japan as well. Today, based on these recent trends, I would like to give an overview of the current status of SBOMs in Japan. As an activity on the ministry side, a Japanese government agency established a task force to promote cybersecurity measures, discuss SBOMs, evaluate them by PoC, and publish new guidelines for companies. I will introduce this after this slide. On the other hand, OpenChain is close to the industry communities and is very active in Japan. On this point, Kobota-san will explain the details after my part.

Here, let me introduce the activities of METI, which is a Japanese government agency that continues to study SBOMs. In 2019, a task force was established at METI to ensure cybersecurity throughout the supply chain. After Executive Order 14028 was issued, they are still researching and publishing reports on the global situation regarding SBOMs. In 2021, a collection of case studies on security measures when using OSS, mainly from major Japanese companies, was published. This casebook would be a useful document for many companies to consider the risks of OSS. In 2022, a proof of concept on SBOMs was conducted. This was an experiment to evaluate the effectiveness of creating SBOMs manually or using free tools or commercial tools. I think this experiment was a fair assessment of the effectiveness of SBOMs. Lastly, in 2023, a guide on SBOMs was released in July. This guide is mainly for software suppliers and summarizes the benefits of implementing SBOMs.

In this slide, I will talk about the collaboration with industrial companies. First, I want to highlight the task force that includes experts from industry, academia, and government agencies. This group is dedicated to ensuring security and has been working to promote best practices.
Second, a case study was published that interviewed 20 major Japanese companies about their efforts to ensure security. This study covers points such as OSS license and vulnerability issues, as well as supply chain risk control, and includes several informative case studies. Regarding cybersecurity related to medical devices, they are continuing efforts for domestic use based on the IMDRF guideline. In August 2023, five major Japanese telecommunication companies announced that they had been selected by the agency to conduct a demonstration project for the introduction of SBOMs. I think this is a significant step forward in cross-sectional efforts to secure devices. We think it would be great if this kind of collaboration between government agencies and industry could continue in the future. Next, I will ask Kobota-san about the OpenChain initiative in Japan. Please, Kobota-san.

Okay, thank you, Yoneshima-san. I'll explain it. Firstly, some of you may know about the OpenChain project. The OpenChain project maintains and provides two standards for realizing a reliable and trustable software supply chain from the process management perspective. The OpenChain project is providing not only specifications but also many educational materials and some actual use cases for supporting these two standards. Thank you.

Next is the Japan community. The OpenChain Japan Working Group was established by Hitachi, Sony and Toyota in December 2017, about five years ago, for sharing best practices and resolving common issues for open source license compliance in Japanese industry. Now more than 200 people from 80 companies participate in the Japan Working Group, of course including Yoneshima-san from NEC and Cybertrust Japan. Tomita-san belongs to Cybertrust Japan, and of course I belong to Sony Group. One policy exists.
We discuss in the Japanese local language, but we output some materials in both English and Japanese, so we can contribute to the global community, the OpenChain project global community.

Next is about SPDX. I'd like to explain the history of regional activities for the SPDX project. In past years, some industry members met a hard situation. We sometimes can't receive OSS license information properly from our suppliers, because our suppliers don't know about open source license compliance, and they are also not familiar with tools for creating and operating open source software. At the same time, we met the SPDX specification and investigated it. From the license compliance perspective, the full SPDX specification includes a bunch of information inside it. It is very difficult to operate and difficult to understand for our suppliers. So in the past, we promoted and collaborated with SPDX project members, picked up some minimum required elements, and contributed them to the SPDX project. Now it has been merged as a subspecification of SPDX, called SPDX Lite. Now the SPDX project team is discussing and nearly releasing SPDX version 3.0. The top-left slide was presented at Open Source Summit Europe 2023. This document describes SPDX 3.0 as simple and flexible. I think it is very effective and very simple and flexible when we handle it with tools or software. But the architecture is a very big change from the previous version, so it doesn't mean everyone can easily understand the specification and easily operate it. From our investigation, compared to version 2.3, the specification is much more complex and much more difficult to understand. So this is our solution.
We first translated into Japanese several presentation materials presented at Open Source Summit or the SPDX mini summit and so on, and shared them with the local community, the OpenChain Japan SBOM SG and Automation SG. After that, our engineers investigated to understand the SPDX architecture. On the right-hand side is the actual SPDX model, translated into Japanese for understanding the structure. And we have a local meeting regularly; I'm not sure, but we had it about once every two weeks, hybrid type. I'd like to give a brief introduction to what we created. This is the basics for understanding SPDX version 3.0. The previous SPDX version is described only as a tag-value list, but SPDX 3.0 is represented as a class model. So if you are an engineer you can understand it easily. We need to check the Package class first, for example. But the Package class inherits from abstract classes. So if we implement the Package class in an SBOM, we need to check all elements inherited from upper classes. These are all the elements we need to implement for only the Package class. After that we created the JSON schema and highlighted the minimum required elements in the SPDX specification, and of course shared these documents with our community. This is the Package class, this is the Relationship class, and so on. We've already shared this material on Sched, so you can take this document and refer to these learning materials from our GitHub repository. As for the current situation, we collaborate with the SPDX global community, and the Lite profile website was published two or three days ago. We are now sending a PR to the global community, and the PR for the Lite profile is in progress now.

As a conclusion for my part, there are many things we learned, but I'd like to introduce two pros and one con. The first pro is that sharing knowledge in a local language allows more people to know the specification and more people to participate in discussions. The second pro is having friends.
We all have friends in the Japan community, so having someone who supports you in the local language lowers the threshold to participate in the global community. It's a very good situation. On the other hand, one con exists. It may take a longer time to reach consensus in the local community, so it causes delay for the global community discussions. So I recommend, if you do such community activities, at least the leader should attend the global community and catch up with the latest specification. Thank you. That's all for my part. Next, Tomita-san.

Thank you. Finally I would like to show you how SBOMs work in Japanese companies and summarize the future prospects as members of the OpenChain Japan Working Group. As mentioned before, there is currently no law in Japan at this time, but we are already in a situation where we need to deal with it. In addition, the specification has already been released by the community, but exactly how to operate SBOMs has not been decided in Japan. So let's see how it is operated in actual Japanese companies. Could you explain about NEC?

Thank you, Tomita-san. On this page I would like to introduce NEC's governance for open source. First, our OSS governance is divided into three tiers. The first tier is the global policy that all employees, including top management and non-developer roles, must understand. This policy is a simple one-page summary of our basic stance on OSS, emphasizing the importance of compliance with OSS-related laws and regulations and respect for the OSS community. Then middle- and lower-level documents exist to ensure compliance with this top policy. The second tier is a set of guidelines aimed primarily at managers and middle-level employees, and contains specific ways to consider and utilize OSS.
Finally, the most detailed tier consists of documents that outline processes such as specific OSS risk assessment methods, support measures, and violation processes with tools. My point on this page is that while the use of OSS requires close attention to risk, establishing a development process can sometimes be complicated. Therefore, creating such a hierarchical document may help to improve internal understanding. I also think the point is that both bottom-up and top-down approaches are effective in promoting the concept among employees.

Next, I have recommendations for SBOM-related efforts in this slide. First, we need to promote guidelines regarding SBOMs. It is necessary to harmonize with the existing PSIRT processes and the processes for utilizing OSS. I suggest a small start will be better. PSIRT stands for Product Security and Incident Response Team. This is the team responsible for security response for the company's products. Second is education, such as e-learning. In our case we provided mandatory e-learning for the entire company. We educated all employees on general knowledge of OSS and SBOMs. Now I look back on it as effective education. There were some unfavorable reactions in our case, but I think it is important to educate while accepting such reactions.

At the end, my message concerns the response that companies should take. The situation remains unchanged and it is difficult to draw a conclusion, but let's keep a close eye on developments and take action. The first step is to create your own SBOM. Although the initial cost is high, implementing the tools is practically essential for risk mitigation. Second, let's also make sure that the living processes, not just the tools, are an ongoing challenge. The situation of receiving SBOMs from external sources should also be considered.
First, we should focus on the point that SBOMs are machine-readable, and aim for a systematized mechanism to identify OSS components and collect vulnerability information from SBOMs. I would also like to emphasize the importance of cooperation with the PSIRT team.

Okay, so that was a recommendation from NEC. Thank you very much. Next, please introduce Cybertrust Japan, Tomita-san.

Okay, I'll talk about Cybertrust Japan. Cybertrust Japan is in the open source based business, the certification business, and the IoT security business, so it is heavily involved in open source supply chain security. We have been participating in OpenSSF since 2021. OpenSSF is under the Linux Foundation and is a project that aims to improve open source software security. So I will show you how we are working on SBOMs from the perspective of a company participating in OpenSSF. In 2022, three goals of the project and ten mobilization plans for open source software security were agreed. Cybertrust Japan has focused on three of these ten mobilization plans which are relevant to our business and has been contributing to them since last year. We created task teams under the leadership of our OSPO. Then we chose three projects: Digital Signatures, SBOM Everywhere, and improved software supply chains. Based on the contributions to these open source projects, we are implementing them in our own systems, like creating SBOMs and educating employees, and we share use cases in communities like OpenChain Japan. For SBOM operations, we are implementing SBOM generation tools into our own supply chain and creating use cases. This afternoon we have a session about that, so if you are interested you can listen to that session. One thing we can learn from our activity is that, based on this OpenSSF mobilization plan for software supply chain security, we can work on improvements with the entire software supply chain in mind.
Although this is a project-by-project effort, in the future we will work to connect each project and deepen the collaboration between OpenSSF and the OpenChain or SPDX projects. For example, it could be digital signatures on SBOMs, or SBOMs for vulnerability management. That's all about Cybertrust Japan's initiatives.

As we have seen in the examples of NEC and Cybertrust Japan, and also Sony, companies have already begun to implement SBOMs in Japan. It's important not only to keep the experience within each company but also to deepen collaboration with government, industry, and the community. And I would say it's the same between communities like OpenSSF and the OpenChain project. Currently the community is creating specifications such as the SPDX Lite profile, while the government is conducting demonstrations and other experiments and developing laws or regulations. For those who actually create SBOMs, we think one of the main motivations for creating SBOMs is laws and regulations. So we believe that if we cooperate more deeply and make the operation policy easier for Japanese companies to understand, it will lead to more widespread SBOM utilization.

This is what the OpenChain Japan Working Group and the OpenChain project will be working on in the future. First of all, we will create educational materials, as Kobota-san explained earlier. We are making SPDX 3.0 materials so we can help people understand the specification. Next, we will share use cases. We will share use cases within the community to understand issues and solutions for operating SBOMs, just as we shared how we're operating within our companies this time. Then we collaborate with government, industry and other communities.
We believe that by sharing what we have gained from our activities with communities and cooperating with them, we will be able to sort out operational issues and make operations more in line with actual conditions. So we would like to focus on these activities in the future. Lastly, the two things we want you to do are: please join us, and please collaborate with the OpenChain Working Group and the OpenChain project. That's all for our presentation. Thank you. Does anyone have questions?

Thank you very much. It's a very good speech and I have a question regarding this SPDX Lite. When you define the elements for SPDX Lite, this yellow part, can all these yellow fields be generated by current commercial scanning tools by default?

No. Firstly we checked our requirements from license compliance. So we need the concluded license, the declared license, and then check it that way. And the SPDX specification itself already requires some elements. So we created the JSON schema file manually and used some tools to visualize these figures. These two figures were created manually. But of course we are using some tools.

So in the future, with this SPDX Lite, it will become...

What we think now is that we contributed the SPDX Lite profile to the SPDX community. After that we create the process management in the OpenChain specification. If you are using this Lite profile in some specific industry, you need to do this: you need to provide the Lite profile, and you need to append it and combine it with the security profile and so on. This is a process management guideline. It will be provided from the OpenChain project, I think.

Okay, I see. So it's like this working group has the proposal for SPDX Lite, and then it becomes the OpenChain specification, and then the commercial tools in the market will follow this specification and build their tooling to support this for automation, maybe.

Yes, I think so.
But at this moment it's a local community activity, so we needed to ask Shane about these activities. Thank you.

Thank you. Thank you for the presentation. A question about SBOMs. At this moment we have two formats: we have SPDX and we have CycloneDX. How did you decide on using SPDX, and how can you incorporate CycloneDX information that will come from a software provider?

We think both specifications are good, and each company's people select which specification. But we are now active and taking the initiative in a Linux Foundation project, so we collaborate with the SPDX project. Of course we have joined the CycloneDX community and learn the specification from the website or Slack and so on. But at this moment we don't have colleagues in our community who know and understand the CycloneDX specification well. So we need more colleagues in the community.

Okay, makes sense. Thank you.

Thank you so much for your presentation. I have one question relating to the previous question. According to the discussion between Mary-san and Kobota-san, you talked about some kind of specification in OpenChain.

Sorry, sorry, I made a mistake. We will create a guideline. It's not a specification.

In the context of OpenChain?

Yes, I think so.

So on the other hand, the SBOM specification would be summarized in the SPDX work group.

Yes, like that. Thank you.

Thank you for the presentation. I think SPDX Lite, the SPDX version 2 one, is a great contribution, especially to industries. And I think the Lite profile for SPDX 3.0 is also a very good way to bridge between SPDX version 2 and 3.0. From a model perspective, it should be great. But from the serialization perspective, SPDX Lite is very easy to write: you can describe the SBOM using tag-value, text format, or Excel format. SPDX 3.0 is a little difficult to describe in such easy formats.
So I wonder. That's my tiny idea: if you use only the vocabulary of the Lite profile, SPDX 3.0 may be able to be written in a simpler serialization format.

Yeah, yeah. We are now discussing that.

So it can be another very good way to move to more practical SBOM distribution or utilization of SPDX 3.0. I want to see such progress, and if possible, I'd like to contribute something.

Okay, thank you. Thank you very much. Is it time? Okay, it's time to finish. Thank you very much. Thank you very much. Thank you very much.