Thomas Steenbergen

Thomas Steenbergen is the Head of Open Source Program Office at EPAM Systems (www.epam.com).
He is a steering committee member and one of the co-founders/organizers of the European Chapter of the TODO group, and co-founder of the OpenChain Automation Work Group, both industry working groups where companies collaborate to address shared open source challenges. He has also been an active contributor to the SPDX ISO specification for over 5 years, helping it better match what developers actually find in code and incorporating security (leading the Defects WG). As a core contributor to the OSS Review Toolkit, he enables highly automated open source policy checks in CI/CD by providing easy, open-source and scalable tooling and by sharing results in open standard (SBOM) formats. He is a frequent speaker and panelist at global open source conferences and is always happy to start a conversation about anything open source. Thomas has held a variety of technical lead roles over the past 15 years across the Netherlands, the United Kingdom and Germany.


Sessions

03-14
15:10
30min
ORT: Automate compliance using Open Source & InnerSource
Thomas Steenbergen, Surya Santhi

Setting up or maintaining a FOSS compliance process is not simple, as most organizations use a wide variety of programming languages, build tools and delivery methods. Ideally, you want to automate most of the compliance work, but as most Open Source Program Offices (OSPOs) have found out, there are often significant gaps between what most tools offer and what you would like to have. Given this, several OSPOs have been collaborating to build the OSS Review Toolkit (ORT).

In this session Thomas demonstrates how one can use ORT to safely use, integrate, modify and redistribute third-party software, including FOSS, in your software project(s). He will show a FOSS review from start to finish: from scanning a repository for packages, licensing and vulnerabilities, to fixing the issues found and generating attribution documents, source bundles and SBOMs (CycloneDX/SPDX).

By the end of this session you should be able to replicate an ORT-based compliance process within your organization, including automating your FOSS policy using Policy as Code, and save process/review time by using an InnerSource-based review process and re-using FOSS clearance artifacts from the community.

Legal & Compliance
Stage 2