
The Value Of OSS Management For Risk Mitigation


Ana Jimenez

March 11, 2025


Transcript

  1. Daniel Izquierdo Cortázar: CEO at Bitergia, President @ InnerSource Commons Foundation, Board Member @ CHAOSS, Board Member @ Apereo Foundation. [email protected] | @dizquierdo. Ana Jiménez Santamaría: Project Manager, Linux Foundation; MSc in Data Science, thesis on measuring the impact of DevRel in the sustainability of OSS communities. [email protected]. DevRel Foundation.
  2. Open Source Components. Digital Stack Layers Are Built in Open Source. Source: https://www.euro-stack.info/#eurostack and
  3. Organization's Products. Open Source Components. Software Supply Chain Funnel: 98%. Source: https://www.synopsys.com/software-integrity/resources/analyst-reports/open-source-security-risk-analysis/ and https://github.com/todogroup/ospo-career-path/tree/main/OSPO-101/module6
  4. Two Visions. Fear-Driven: treating adopted OSS technology as pure risk ("We can't control OSS technology. We need to get rid of it") vs Action-Driven: treating adopted OSS technology as {Partners} ("We can manage OSS technology. We must partner with their community").
  5. Are organizations equipped to manage risk? Build partnerships with open source communities? Data and AI. Software. Source: https://www.euro-stack.info/#eurostack
  6. Open Source Management Talent is Cross-Skilling OSS Talent to Manage Risk. https://todogroup.org/blog/state-of-ospo-2024/
  7. One Size Does Not Fit All: Risk Management Varies. By Industry: risk management strategies differ across industries, with varying importance placed on different variables. By Size: large organizations face unique challenges in risk identification and prioritization. What is my org's ROI?
  8. How is your relationship? How much do you know the community structure of the project? Is it maintained? Software needs continuous maintenance. Is there evidence that its developers work to make it secure? https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Concise-Guide-for-Evaluating-Open-Source-Software.md#readme. Diagram: OSS project community structures A to D (Independent; Umbrella Foundation; Single Foundation; Foundation) with projects P, P1, P2 … PN.
  9. How is your relationship? How much do you know the community structure of the project? Is it maintained? Software needs continuous maintenance. Is there evidence that its developers work to make it secure? https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Concise-Guide-for-Evaluating-Open-Source-Software.md#readme. Diagram: OSS project community structures A to D (Independent; Umbrella Foundation; Single Foundation; Foundation) with projects P, P1, P2 … PN.
  10. How is your relationship? How much do you know the community structure of the project? Is it maintained? Software needs continuous maintenance. Is there evidence that its developers work to make it secure? https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Concise-Guide-for-Evaluating-Open-Source-Software.md#readme. Overall health of open source projects with project health tracking tools: CHAOSS toolkit.
  11. Overall health of open source projects with project health tracking tools: CHAOSS toolkit. How is your relationship? How much do you know the community structure of the project? Is it maintained? Software needs continuous maintenance. Is there evidence that its developers work to make it secure? https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Concise-Guide-for-Evaluating-Open-Source-Software.md#readme
  12. Security for Software Development Managers (LFD125):
      • Why security is important in software development
      • Key things managers of software developers must do
      • Introduction to security concepts
      • Applying security to your projects
  13. Risk Management Process: 01 Identify, 02 Assess, 03 Prioritize, 04 Treat, then Monitor and Report. OSS Risks. Strengthening the OSS community: contributions made today shape the organization's stability tomorrow.
  14. OSPO in Action – FOSS Funds Movement: organisations creating FOSS/Open Source funds initiatives to ensure the sustainability of open source projects.
  15. Digital Sovereignty, Security and Collaboration. Digital sovereignty and open source collaboration – How can we implement a more structured way of doing open source collaborations to enable digital Europe? Building better digital products and services through Open Source and InnerSource – How did our organization use open source or InnerSource to achieve its objectives? What worked and what didn't? Implementing trust, security, and sustainability within your org's software supply chains – exchanging experiences and capturing lessons learned. Group Problem Solving: CHAOSS – Augur & GrimoireLab; ZENDIS – OpenDesk & OpenCode; VWS; Dutch Open Source Business Alliance; NLNET; InnerSource Commons – ISC Patterns; OpenChain Tooling WG – REUSE, ORT, ScanCode. Getting Started Workshops: a reduced-size group for driven outputs – limited to 80 seats only.
  16. USE CASE: Let's focus on a real use case with Kubernetes dependencies (next slides are based on this presentation at OCX 24).
  17. Indicators for Risk: "Under-maintained Projects". "Community Smells" include 7 metrics:
      • Community cannot handle workload
        ◦ Backlog Management Index
        ◦ Review Efficiency Index
      • Community does not address work quickly
        ◦ Median Lead Time for Issues
        ◦ Median Lead Time for Pull Requests
      • Community lacks sufficient talent
        ◦ Retention Rate
        ◦ Growth of Active Contributors
        ◦ Contributor Absence Factor (aka Bus or Pony Factor)
  18. A single Risk Score per OSS library: 7 CHAOSS metrics, including lead times, growth of contributors, BMI. Aggregate into one score for each dependency.
  23. Final Remarks. Open source adoption has a cost, and by adopting a random technology (as random as Kubernetes might be) you're bringing home the whole SBoM. Awareness and identification is critical. An SBoM by itself will be useless unless it has a purpose. Enrich the SBoM with the original repository where development takes place (maintenance and sustainability activity). Work and meet your critical providers, including the OSS ones. Have a risk policy to manage this, but help them grow.
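The closing slide asks for the SBoM to be enriched with the repository where development actually happens, because that is where maintenance signals can be read. The following is an added example, not the presenters' tooling: it reads a CycloneDX-style SBOM, resolves each component's package URL (purl) to an upstream repository, and records it as a CycloneDX `vcs` external reference, listing the components it could not resolve. The SBOM document, the component versions and the `KNOWN_REPOS` table are constructed for illustration; in practice that table would be populated from registry metadata or a lookup service, and the derivation rule for `github.com` namespaces is a heuristic, not part of the purl specification.

```python
# Added example (not the presenters' tooling): attach the upstream repository
# to each SBOM component so maintenance signals can be joined to it later.
# The SBOM, versions and KNOWN_REPOS below are constructed for illustration.
import json

SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "client-go",
         "purl": "pkg:golang/k8s.io/client-go@v0.29.0"},
        {"type": "library", "name": "cobra",
         "purl": "pkg:golang/github.com/spf13/cobra@v1.8.0"},
        {"type": "library", "name": "example-widget",         # constructed name,
         "purl": "pkg:npm/example-widget@1.0.0"},             # no known repository
    ],
})

# Vanity import paths do not reveal the repository; map those explicitly.
KNOWN_REPOS = {"pkg:golang/k8s.io/client-go": "https://github.com/kubernetes/client-go"}


def parse_purl(purl):
    """Split pkg:type/namespace/name@version?qualifiers#subpath into its parts."""
    body = purl[len("pkg:"):].split("#", 1)[0].split("?", 1)[0]
    body, _, version = body.partition("@")
    ptype, _, rest = body.partition("/")
    namespace, _, name = rest.rpartition("/")
    return ptype, namespace, name, version or None


def repository_for(purl, overrides=KNOWN_REPOS):
    """Best-effort upstream repository URL for a purl, or None if unknown."""
    ptype, namespace, name, _ = parse_purl(purl)
    key = f"pkg:{ptype}/{namespace}/{name}" if namespace else f"pkg:{ptype}/{name}"
    if key in overrides:
        return overrides[key]
    if namespace.startswith("github.com/"):
        # heuristic: github.com/<owner>/<repo>[/subpackage] -> repository root
        parts = f"{namespace}/{name}".split("/")
        return "https://" + "/".join(parts[:3])
    return None


def enrich_sbom(sbom_json, overrides=KNOWN_REPOS):
    """Add a CycloneDX 'vcs' externalReference to every component whose
    repository can be determined; return (sbom, purls left unresolved)."""
    sbom = json.loads(sbom_json)
    unresolved = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        repo = repository_for(purl, overrides) if purl else None
        if repo is None:
            unresolved.append(purl or comp.get("name"))
            continue
        refs = comp.setdefault("externalReferences", [])
        if not any(r.get("type") == "vcs" for r in refs):  # idempotent on re-runs
            refs.append({"type": "vcs", "url": repo})
    return sbom, unresolved


def enrich_sample():
    return enrich_sbom(SBOM_JSON)


if __name__ == "__main__":
    enriched, unresolved = enrich_sample()
    print(json.dumps(enriched, indent=2))
    print("no repository found for:", unresolved)
```

The unresolved list is the actionable output: a component whose development location you cannot name is one whose maintenance you cannot assess, so it belongs at the top of the "work and meet your critical providers" list rather than silently dropped from the risk review.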