Using open source code helps development teams save time and tap into the knowledge of domain experts who contribute to open source projects. Synopsys engages with open source security initiatives in multiple areas including best practices, information sharing, license compliance, software Bill of Materials (SBOM), API standardization, and more.
To help raise the bar for open source software security and stay informed about the latest development innovations, Synopsys employees serve or have served as subject matter experts for open source community initiatives—including working groups, programs, and projects related to open source governance, adoption, and success. These initiatives are listed below.
Automotive Grade Linux (AGL) is a collaborative open source project that brings together automakers, suppliers, and technology companies to build a Linux-based, open software platform for automotive applications that can serve as the de facto industry standard. Adopting a shared platform across the industry reduces fragmentation and allows automakers and suppliers to reuse the same codebase, which can lead to rapid innovation and faster time-to-market for new products. AGL is a project of the Linux Foundation.
Although initially focused on infotainment, AGL aims to address all software in the vehicle, including infotainment, instrument cluster, head-up display (HUD), telematics/connected car, advanced driver assistance systems (ADAS), functional safety, and autonomous driving; AGL describes itself as the only organization with that scope.
AGL members include the world’s leading car manufacturers and suppliers that support the development of open source software solutions for automotive applications. AGL is an open community of developers, automotive companies, operating system vendors, semiconductor vendors, academics, and system integrators who collaborate to enable the next generation of in-vehicle software systems.
The Cloud Native Computing Foundation (CNCF) builds sustainable ecosystems for cloud native software by hosting critical components of the global technology infrastructure. CNCF brings together top developers, end users, and vendors; runs the largest open source developer conferences including KubeCon; and is part of the nonprofit Linux Foundation. CNCF serves as the vendor-neutral home for many open source projects including Kubernetes, Prometheus, and Envoy.
CNCF also publishes interactive landscapes (the cloud native landscape, the serverless landscape, and the member landscape) as a recommended guide through the vendor ecosystem.
OpenShift Kubernetes Distribution (OKD), also referred to as Origin on GitHub and in its documentation, is a distribution of Kubernetes optimized for continuous application development and multitenant deployment. OKD adds developer- and operations-centric tools on top of Kubernetes to enable rapid application development, easy deployment and scaling, and long-term life cycle maintenance for small and large teams. OKD is the sibling (upstream community) Kubernetes distribution to Red Hat OpenShift. It embeds Kubernetes and extends it with security features and other integrated tooling.
The OpenChain Project maintains the international standard for open source license compliance that enables companies to adopt the key requirements of a quality open source compliance program. The OpenChain Project has a diverse, global, commercial partner network.
The OpenChain automotive working group includes participants from major automotive companies and supplier companies, from silicon to completed components. The OpenChain Project worked with ISO/IEC JTC 1, the joint technical committee for information technology, to publish the OpenChain Specification 2.1 as ISO/IEC 5230:2020 (Information technology: OpenChain Specification), an international standard for open source license compliance programs.
The Open Invention Network (OIN) is the world's largest patent nonaggression community and free defensive patent pool. OIN removes patent friction in core open source technologies, which drives higher levels of innovation. It is also an important deterrent to patent trolls and gives members confidence that other members will not assert patents against the Linux System.
OIN community members range from startups to global Fortune 500 enterprises across all industries. By joining, they commit to open source and patent nonaggression and receive royalty-free access to the Linux System patents and patent applications that other members license.
OpenShift Commons enables users, partners, customers, and contributors to work together on the adoption and success of Red Hat OpenShift. It builds connections and collaboration across OpenShift communities, projects, and stakeholders so that all of them can share and deepen their knowledge and experience.
The Core Infrastructure Initiative (CII) is a project hosted by the Linux Foundation that supports best practices and the security of critical open source software projects. CII worked with the Laboratory for Innovation Science at Harvard (LISH) on Census II to produce the report "Vulnerabilities in the Core: Preliminary Report and Census II of Open Source Software."
The ongoing work of CII has transitioned to the Open Source Security Foundation (OpenSSF), which replaces it. OpenSSF provides tools, services, training, infrastructure, and resources to achieve a future where participants in the open source ecosystem use and share high-quality software with security handled proactively, by default, and as a matter of course. OpenSSF is funded by Linux Foundation membership dues together with targeted contributions from organizations for specific initiatives.
The Open Web Application Security Project (OWASP) Foundation is a nonprofit that works to improve the security of software, web applications in particular. Through community-led open source software projects, worldwide local chapters, members, and leading educational and training conferences, the OWASP Foundation is a primary source for developers and technologists who want to secure the web. Corporations, foundations, developers, and volunteers support the OWASP Foundation and its work through corporate memberships and sponsorships.
OWASP local chapters build community for application security professionals around the world.
The OWASP Top 10 is a standard awareness document for developers and web application security practitioners. It represents a broad consensus about the most critical security risks to web applications.
The OWASP Application Security Verification Standard (ASVS) project provides a basis for testing the technical security controls of web applications and also gives developers a list of requirements for secure development.
The Software Package Data Exchange (SPDX) is an open source working group of the Linux Foundation made up of teams including core, technical, legal, and outreach. SPDX is an open standard for communicating software Bill of Materials (BOM or SBOM) information, including components, licenses, copyrights, and security references. The SPDX specification reduces redundant work by providing a common format for companies and communities to share important data, thereby streamlining and improving compliance.
The Tool-to-Tool Software Bill of Materials Exchange is a joint working group of SPDX, the Consortium for Information and Software Quality (CISQ), and the Object Management Group (OMG). It is developing a standard for exchanging SBOM data between tools, covering the definition of an SBOM as well as other artifacts that need bills of materials.
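To make the SPDX data model described above concrete, here is an added example (not SPDX project code and not from the original page) that loads a small SPDX 2.3 JSON SBOM, extracts each package's license, copyright and security references, walks DEPENDS_ON relationships, and flags packages that a compliance or vulnerability-matching pipeline could not act on. The SBOM document, package names, versions, purl and CPE values are constructed placeholders; the field names follow the SPDX 2.3 JSON serialization as the author of this example understands it.

```python
"""Walk a minimal SPDX 2.3 JSON SBOM and pull out what a security reviewer
needs: license, security references, dependencies, and hygiene findings.
Added example, not SPDX project code; the document below is constructed."""
import json

# Constructed SPDX 2.3 document: one application depending on one library.
# Names, versions, purl and CPE are illustrative placeholders.
SAMPLE_SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app-sbom",
    "documentNamespace": "https://example.invalid/spdx/example-app-1.0",
    "creationInfo": {"created": "2024-01-01T00:00:00Z",
                     "creators": ["Tool: hand-written-example"]},
    "packages": [
        {"name": "example-app", "SPDXID": "SPDXRef-Package-app",
         "versionInfo": "1.0", "downloadLocation": "NOASSERTION",
         "licenseConcluded": "Apache-2.0", "licenseDeclared": "Apache-2.0",
         "copyrightText": "Copyright 2024 Example Corp"},
        {"name": "libwidget", "SPDXID": "SPDXRef-Package-libwidget",
         "versionInfo": "2.3.1",
         "downloadLocation": "https://example.invalid/libwidget-2.3.1.tar.gz",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "MIT",
         "copyrightText": "NOASSERTION",
         "externalRefs": [
             {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
              "referenceLocator": "pkg:generic/libwidget@2.3.1"},
             {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
              "referenceLocator": "cpe:2.3:a:example:libwidget:2.3.1:*:*:*:*:*:*:*"}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-app"},
        {"spdxElementId": "SPDXRef-Package-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-libwidget"},
    ],
})

REQUIRED_DOC_FIELDS = ("spdxVersion", "dataLicense", "SPDXID", "name",
                       "documentNamespace", "creationInfo", "packages")

def load_spdx(text):
    """Parse the JSON and reject documents missing mandatory top-level fields."""
    doc = json.loads(text)
    missing = [f for f in REQUIRED_DOC_FIELDS if f not in doc]
    if missing:
        raise ValueError(f"not a usable SPDX document, missing: {missing}")
    if not doc["spdxVersion"].startswith("SPDX-2."):
        raise ValueError(f"unsupported spdxVersion {doc['spdxVersion']!r}")
    return doc

def package_summary(doc):
    """Map SPDXID -> (name, version, license, security reference locators)."""
    out = {}
    for pkg in doc["packages"]:
        # Prefer the concluded license (what the producer verified) and fall
        # back to the declared one; NOASSERTION/NONE carry no usable value.
        lic = pkg.get("licenseConcluded", "NOASSERTION")
        if lic in ("NOASSERTION", "NONE"):
            lic = pkg.get("licenseDeclared", "NOASSERTION")
        sec = [r["referenceLocator"] for r in pkg.get("externalRefs", [])
               if r.get("referenceCategory") == "SECURITY"]
        out[pkg["SPDXID"]] = (pkg["name"], pkg.get("versionInfo", ""), lic, sec)
    return out

def dependencies_of(doc, spdx_id):
    """Direct DEPENDS_ON targets of spdx_id, sorted for stable output."""
    return sorted(r["relatedSpdxElement"] for r in doc.get("relationships", [])
                  if r["spdxElementId"] == spdx_id
                  and r["relationshipType"] == "DEPENDS_ON")

def hygiene_findings(doc):
    """Flag packages with no usable license, or with no purl/CPE that a
    vulnerability feed could be matched against."""
    findings = []
    for pkg in doc["packages"]:
        licenses = {pkg.get("licenseConcluded"), pkg.get("licenseDeclared")}
        if licenses <= {None, "NOASSERTION", "NONE"}:
            findings.append((pkg["name"], "no usable license"))
        cats = {r.get("referenceCategory") for r in pkg.get("externalRefs", [])}
        if not cats & {"SECURITY", "PACKAGE-MANAGER"}:
            findings.append((pkg["name"], "no purl/CPE to match advisories"))
    return findings

if __name__ == "__main__":
    d = load_spdx(SAMPLE_SPDX_JSON)
    for sid, (name, ver, lic, sec) in package_summary(d).items():
        print(f"{name} {ver}: license={lic} security_refs={sec} "
              f"depends_on={dependencies_of(d, sid)}")
    for name, problem in hygiene_findings(d):
        print(f"FINDING {name}: {problem}")
```

Run against the constructed document, the summary shows libwidget's license falling back from NOASSERTION to the declared MIT, and the hygiene pass reports the top-level application because it carries no purl or CPE, which is exactly the gap that prevents an SBOM from being matched against advisory data downstream.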
Uptane is an open, security-focused software update framework that protects software delivered over the air (OTA) to the electronic control units of automobiles. Uptane is a Joint Development Foundation project of the Linux Foundation, operating under the formal title of Joint Development Foundation Projects, LLC, Uptane Series. Uptane is supported by U.S. DHS grants D15PC00239 and D15PC00302.
The project develops the Uptane standard, which specifies the design and implementation requirements for maintaining the integrity and security of OTA software updates at automotive OEMs. Following a United Nations Economic Commission for Europe (UNECE) World Forum for Harmonization of Vehicle Regulations (WP.29) mandate on vehicle software updates, automotive OEMs must adopt a framework that satisfies this requirement, and Uptane provides one.
The Web Application Security Consortium (WASC) is a 501(c)(3) nonprofit made up of an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed-upon best-practice security standards for the world wide web.
The Zephyr Project is a vendor-neutral open source collaboration project hosted by the Linux Foundation that unites developers and users to build a best-in-class, small, scalable, real-time operating system (RTOS) optimized for resource-constrained devices across multiple architectures. Silicon vendors, OEMs, ODMs, ISVs, and OSVs can contribute technology to reduce costs and accelerate time to market for connected embedded devices, including simple connected sensors, LED wearables, modems, and small wireless gateways.
As an open source project, the community evolves the project to support new hardware, developer tools, sensors, and device drivers. It frequently delivers improvements to incorporate enhancements in security, device management capabilities, connectivity stacks, and file systems.
Zephyr Project members engage with the community to explain why they support the project and demonstrate how membership can help organizations achieve their goals to design and deploy embedded and IoT products and services.