Presented by

  • Ria Farrell Schalnat
    https://www.hpe.com/us/en/open-source.html

    I am delighted to work with the Open Program Office of Hewlett Packard Enterprise (https://www.hpe.com/us/en/open-source.html)! This role is the culmination of my prior lives as a computer programmer, lawyer and adjunct professor specializing in intellectual property subjects, including open source. Previously, I spent over three years at Amazon Web Services, including working with their OSPO. I served as General Counsel and Director of Intellectual Property for a mid-size software and data center company (Vora Ventures). I provided counsel, advice and representation to numerous clients and specialized in patent portfolio management and prosecution, intellectual property due diligence for mergers and acquisitions, and software licensing for two regional law firms (Frost Brown Todd and Dinsmore). My technology practice built on my undergraduate degree in Computer Science and work experience as a computer programmer, and ranged across billing, data management, customer relationship management, and speech technology applications. I spend additional time working on community initiatives for the Cybersecurity and Infrastructure Security Agency (CISA) under the Department of Homeland Security, the Eclipse Foundation, the Linux Foundation including the Community Health & Analytics in Open Source Software (CHAOSS) project, the SPDX Legal team, and the Open Source Initiative (ClearlyDefined project). I am admitted to practice law in Ohio, before the U.S. Patent & Trademark Office, and in-house in Washington. While in private practice, I served for two years as President of CincyIP, a local bar association dedicated to intellectual property education. I served as adjunct professor at the University of Cincinnati School of Law and the University of Dayton School of Law on subjects including Patent Litigation, Cyberspace Law and Open Source Licensing.

Abstract

As more attention is paid to SBOMs through Executive Orders in the United States and legislation like the European Union's Cyber Resilience Act, being able to ingest, identify, evaluate and approve open source packages will be critical to scaling compliance operations, as well as to empowering developers by giving them an early heads-up on the choices they are making in their solutions. SPDX identifiers provide a quick, unambiguous way to name the license used by a component. ClearlyDefined provides provenance data, including component source locations, licensing, attributions and more. GUAC provides tooling to enrich SBOMs with security and vulnerability data. CHAOSS provides health metrics for open source components. Together, these projects let you write policies and help developers align their choices with personal or company preferences. This session will touch on all of these projects and then walk through the process of assigning an SPDX identifier to a license. When you leave, you'll know how to engage with the SPDX-Legal committee and how to respond to issues in its repo to get identifiers assigned to licenses. Help US to help YOU to scale your open source compliance!
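The "ingest, identify, evaluate" step for the license part of an SBOM can be automated because SPDX identifiers are meant to be machine-checked. The script below is an added example for this page, not code from the session, from HPE or from the SPDX project. It parses the SPDX license-expression grammar (AND, OR, WITH, parentheses and the "+" suffix), checks every identifier against a known list, and reports what a human has to look at: unknown IDs (a typo, a deprecated spelling, or a license that still needs an SPDX-Legal request), private LicenseRef- identifiers, and packages with no concluded license. The license and exception sets are a small constructed subset of the SPDX License List, and the component list is constructed to look like the packages array of an SPDX JSON document; the only real field name used is licenseConcluded.

```python
"""Syntax-check and audit SPDX license expressions from an SBOM component list."""
import re
from typing import Dict, List, Tuple

# Constructed subset of the SPDX License List (https://spdx.org/licenses/); the
# real list is versioned and has hundreds of entries, so load the current release.
KNOWN_LICENSE_IDS = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-2.0-only",
                     "GPL-2.0-or-later", "LGPL-2.1-only", "MPL-2.0", "ISC", "CC0-1.0"}
KNOWN_EXCEPTION_IDS = {"Classpath-exception-2.0", "LLVM-exception", "GCC-exception-3.1"}
OPERATORS = {"AND", "OR", "WITH"}
# Parentheses, an idstring with optional "+" ("or later") suffix, or a stray character.
TOKEN = re.compile(r"\s*(?:(\(|\))|([A-Za-z0-9.:\-]+\+?)|(\S))")
LICENSE_REF = re.compile(r"^(DocumentRef-[A-Za-z0-9.\-]+:)?LicenseRef-[A-Za-z0-9.\-]+$")
Issue = Tuple[str, str]  # (identifier, reason)

def tokenize(expr: str) -> List[str]:
    """Split an expression into parentheses, operators and identifiers."""
    tokens = []
    for m in TOKEN.finditer(expr):
        if m.group(3):
            raise ValueError(f"unexpected character {m.group(3)!r}")
        tokens.append(m.group(1) or m.group(2))
    return tokens

class Parser:
    """Recursive descent over the SPDX grammar; WITH binds tightest, then AND, then OR."""
    def __init__(self, tokens: List[str], issues: List[Issue]):
        self.toks, self.pos, self.issues = tokens, 0, issues

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def binary(self, op: str, operand):  # operand (op operand)*
        operand()
        while self.peek() == op:
            self.take()
            operand()

    def expression(self):
        self.binary("OR", lambda: self.binary("AND", self.with_expr))

    def with_expr(self):  # primary ("WITH" exception-id)?
        self.primary()
        if self.peek() == "WITH":
            self.take()
            exc = self.take()
            if exc is None or exc in OPERATORS or exc in ("(", ")"):
                raise ValueError("WITH must be followed by an exception identifier")
            if exc not in KNOWN_EXCEPTION_IDS:
                self.issues.append((exc, "exception identifier not on the known list"))

    def primary(self):  # "(" expression ")" | license-id ["+"]
        tok = self.take()
        if tok == "(":
            self.expression()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return
        if tok is None or tok == ")" or tok in OPERATORS:
            raise ValueError(f"expected a license identifier, got {tok!r}")
        base = tok[:-1] if tok.endswith("+") else tok
        if LICENSE_REF.match(base):  # private id: its text is not on the SPDX list
            self.issues.append((tok, "LicenseRef- custom identifier, needs manual review"))
        elif base not in KNOWN_LICENSE_IDS:  # exact match on the canonical spelling
            self.issues.append((tok, "license identifier not on the known list"))

def check_expression(expr: str) -> List[Issue]:
    """Findings for one licenseConcluded value; an empty list means it is clean."""
    text = expr.strip()
    if text in ("NONE", "NOASSERTION"):
        return [(text, "no license concluded for this component")]
    issues: List[Issue] = []
    try:
        parser = Parser(tokenize(text), issues)
        parser.expression()
        if parser.peek() is not None:
            raise ValueError(f"unexpected token {parser.peek()!r}")
    except ValueError as err:
        issues.append((text, f"syntax error: {err}"))
    return issues

def audit_sbom(components: List[Dict[str, str]]) -> Dict[str, List[Issue]]:
    """Component name -> findings, read from the SPDX package field licenseConcluded."""
    return {c["name"]: check_expression(c.get("licenseConcluded", "NOASSERTION"))
            for c in components}

# Constructed sample shaped like the packages array of an SPDX JSON document.
SAMPLE_COMPONENTS = [
    {"name": "left-pad", "licenseConcluded": "MIT"},
    {"name": "jdk-runtime", "licenseConcluded": "GPL-2.0-only WITH Classpath-exception-2.0"},
    {"name": "dual-lib", "licenseConcluded": "(MIT OR Apache-2.0) AND CC0-1.0"},
    {"name": "vendor-sdk", "licenseConcluded": "LicenseRef-acme-eula"},
    {"name": "oldpkg", "licenseConcluded": "GPL-2.0+ AND BSD-3-Clause"},  # deprecated spelling
    {"name": "broken", "licenseConcluded": "MIT OR"},
]
```

Running audit_sbom(SAMPLE_COMPONENTS) passes the first three packages and flags the other three: the LicenseRef- entry (its license text lives in the SBOM, not on the list, so policy has to be decided per reference), the deprecated "GPL-2.0+" spelling (the current identifiers are GPL-2.0-only and GPL-2.0-or-later), and the truncated expression. A real deployment would load the current SPDX License List instead of the hard-coded subset, and anything that lands in the "not on the known list" bucket for a genuinely new license is exactly the case the session's walk-through covers: open an issue with the SPDX-Legal team to get an identifier assigned. Matching here is exact against the canonical spelling, so a differently cased identifier is reported rather than silently accepted.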