At TrustSource our aim is to almost free our customers from the work related to open source compliance. This is one of the major reasons why we introduced the legal service, capable of resolving the obligations related to a particular project situation.
However, compliance as well as open source risk management are more complex than just resolving license obligations. While our initial work grows in breadth (more and more specific licenses are analysed) and depth (additional criteria appear and rules are identified), the overall solution also grows in functionality and complexity.
We have introduced additional scanning services, we improved and extended data supply and recently added a new API (v2) to better interact with automation tooling. Our next focus will be on the following aspects:
- Verifiable documents:
Already today it is possible to use TrustSource for publication of SBOMs, Notice Files or CSAF VEXs. However, the nature of these documents is to be distributed. Whenever someone receives such a document, the questions of validity, integrity and currency arise. Our verification API will allow these questions to be resolved with a simple request. You will be able to verify any document provided to you as well as retrieve the originals.
- Risk, Threat and Security Management:
One differentiator between TrustSource and its competitors is that TrustSource does not only support the compliance of a particular artefact but of a complete solution. This comprises everything that either goes into a service or will be sold to the customer as a solution, e.g. infrastructure such as databases, additional 3rd party software or proprietary code.
This builds a unique view of the solution allowing a sound Threat and Risk Assessment, while even generating additional documentation. From the knowledge already provided to TrustSource it will be possible to run guided STRIDE assessments, enhance architectural drafts with known vulnerabilities appearing over the lifetime, and support their treatment using a risk-based approach.
- Managed OSPO:
The wave of compliance requirements is about to sweep from the larger 1st tier companies to the 2nd tier companies, which typically do not have the resources to set up large OSPOs to manage this. Thus, demand for a managed service will arise. This can be addressed via our OSPOaaS offering.
For more information and feature requests, feel free to contact support at email@example.com. We will be happy to hear from you!