Added self-certification checklist for Security Assurance 1.1

This is the first spin of the self-certification checklist for the Security Assurance Specification 1.1

Author: shanecoughlan

Self-Certification/Checklist/Security-Assurance-1.1/OpenChain Self-Certification Checklist 2022-10-14.md

@@ -0,0 +1,93 @@
+![](./media/image1.png "OpenChain logo")
+
+# OpenChain Security Assurance Specification 1.1 Self-Certification Checklist
+## The Simple Way To Check Conformance
+
+Revision 1\
+2022-10-14
+
+# Introduction
+
+The OpenChain Security Assurance Specification is intended to identify and describe the key requirements of a quality Security Assurance Program in the context of using Open Source Software. It focuses on a narrow subset of primary concern: checking Open Source Software against publicly known security vulnerabilities like CVEs, GitHub/GitLab vulnerability reports, and so on.
+
+You can adopt the OpenChain Security Assurance Specification by self-certification in your own time or working with a service provider for independent assessment or third-party certification. Our recommended path is self-certification and we provide this document to support this with a series of "yes" or "no" statements. If you can answer "yes" to everything, you are self-certified. If you answer "no" to some items, you know where to invest further time to build a quality program.
+
+We have a lot of resources to support you if you need assistance. You can join our mailing lists, our webinars, our group calls and our regional work groups to discuss challenges with your peers and in your native language. You can get started here:
+
+[[https://www.openchainproject.org/community]{.underline}](https://www.openchainproject.org/community)
+
+Finally, if you want direct support from the project you can email
+[[[email protected]]{.underline}](mailto:[email protected])
+with questions. We provide support for free. The OpenChain Project is funded by our Platinum Members and is designed to help support the global supply chain transition to more effective and efficient open source license compliance.
+
+# The Self-Certification Checklist
+
+## Section 3.1.1
+
+- [ ] We have a policy governing the open source security assurance of Supplied Software.
+- [ ] We have a documented procedure to communicate the existence of the open source policy to all Software Staff.
+
+## Section 3.1.2
+
+- [ ] We have identified the roles and responsibilities that affect the performance and effectiveness of the Program.
+- [ ] We have identified and documented the competencies required for each role.
+- [ ] We have identified and documented a list of Program Participants and how they fill their respective roles.
+- [ ] We have documented the assessed competence for each Program Participant.
+- [ ] We have a way to document periodic reviews and changes made to our processes.
+- [ ] We have a way to vertify that our processes align with current company best practices and staff assignments.
+
+## Section 3.1.3
+
+- [ ] We have documented the awareness of our Program Participants on the following topics:
+
+- - [ ] The open source security assurance policy and where to find it;
+- - [ ] Relevant open source objectives;
+- - [ ] Contributions expected to ensure the effectiveness of the Program;
+- - [ ] The implications of failing to follow the Program requirements.
+
+## Section 3.1.4
+
+- [ ] We have a written statement clearly defining the scope and limits of the Program.
+- [ ] We have a set of metrics to measure Program performance.
+- [ ] We have Documented Evidence from each review, update, or audit to demonstrate continuous improvement.
+
+## Section 3.1.5
+
+- [ ] We have a method to identify structural and technical threats to the Supplied Software;
+- [ ] We have a method for detecting existence of Known Vulnerabilities in Supplied Software;
+- [ ] We have a method for following up on identified Known Vulnerabilities;
+- [ ] We have a method to communicate identified Known Vulnerabilities to customer base when warranted;
+- [ ] We have a method for analyzing Supplied Software for newly published Known Vulnerabilities post release of the Supplied Software;
+- [ ] We have a method for continuous and repeated Security Testing is applied for all Supplied Software before release;
+- [ ] We have a method to verify that identified risks will have been addressed before release of Supplied Software;
+- [ ] We have a method to export information about identified risks to third parties as appropriate.
+
+## Section 3.2.1
+
+- [ ] We have a method to allow third parties to make Known Vulnerability or Newly Discovered Vulnerability enquires (e.g., via an email address or web portal that is monitored by Program Participants);
+- [ ] We have a an internal documented procedure for responding to third party Known Vulnerability or Newly Discovered Vulnerability inquiries.
+
+## Section 3.2.2
+
+- [ ] We have documented the people, group or functions related to the Program.
+- [ ] We have ensured the identified Program roles have been properly staffed and adequate funding has been provided.
+- [ ] We have ensured expertise available is to address identified Known Vulnerabilities;
+- [ ] We have a documented procedure that assigns internal responsibilities for Security Assurance.
+
+## Section 3.3.1
+
+- [ ] We have a documented procedure ensuring all Open Source Software used in the Supplied Software is continuously recorded across the lifecycle of the Supplied Software. This includes an archive of all Open Source Software used in the Supplied Software.
+- [ ] We have open source component records for the Supplied Software which demonstrate the documented procedure was properly followed.
+
+## Section 3.3.2
+
+- [ ] We have a documented procedure for handling detection and resolution of Known Vulnerabilities for the Open Source Software components of the Supplied Software.
+- [ ] We have open source component records for the Supplied Software which track identified Known Vulnerabilities and action(s) taken (including even if no action was required).
+
+## Section 3.4.1
+
+- [ ] We have documentation confirming that the Program meets all the requirements of this specification.
+
+## Section 3.4.2
+
+- [ ] We have documentation confirming that Program conformance was reviewed within the last 18 months.