Defining the limits of Risk

Transcript

1. Software Development Analytics Defining the Limits of Risk OSS Summit

   EU 2022 Daniel Izquierdo Cortázar

2. CEO @ Bitergia Governing Board @ CHAOSS VP @ InnerSource

   Commons Foundation https://www.linkedin.com/in/dicortazar/ [email protected] @dizquierdo

3. “[...] Risk involves uncertainty about the effects/implications of an activity

   with respect to something that humans value [...]” Wikipedia dixit
4. None

5. All the source code in your company

6. All the source code in your company In house

7. All the source code in your company Outsourced In house

8. All the source code in your company Outsourced In house

   OSS Commercial

9. All the source code in your company Outsourced In house

   OSS Commercial OSS / No support

10. Corporation Key Provider Yet Another Key Provider Provider Key Provider

    In House Outsourced OSS Commercially supported Adopted OSS

11. Assumption: You want to have a healthy providers ecosystem

12. In House Outsourced OSS Commercial Support OSS with no Support

    How do you take care of risk?

13. In House Outsourced OSS Commercial Support OSS with no Support

    You control risk by checking the… code quality, security scanners, internal process, and others

14. In House Outsourced OSS Commercial Support OSS with no Support

    You control risk by checking the… financial status, source code (if provided), people involved and expertise, NDA in place, code security rules, …

15. In House Outsourced OSS Commercial Support OSS with no Support

    You control risk by checking the… Outsourced + checking the code, compliance

16. In House Outsourced OSS Commercial Support OSS with no Support

    You control risk by checking the… checking the code, compliance, closer to in house development?

17. In House Outsourced OSS Commercial Support OSS with no Support

    But there are missing points: How can I check the financial stability of these projects? What is their history? Can I talk to someone there? Who are they?

18. Corporations have several ways to interact with OSS communities. TODO

    bring here the picture of the ways companies interact and measure risk

19. Assumption: You want to have a healthy providers ecosystem

20. OSS is part of any corporation ecosystem Indeed, a big

    percentage of the existing source code is third party source code, either proprietary or OSS.

21. How are we taking care of the risks associated to

    a provider? Finances status, legal situation, even perhaps exclusive provider in certain markets, and others Then we trust the provider, even with cases where source code is not even provided as for example in the automotive industry with a lot of secrecy

22. All the source code in your company Outsourced In house

    OSS Commercial OSS / No support

23. All the source code in your company Outsourced In house

    OSS Commercial OSS / No support

24. What do you do with the OSS code you use

    but that is not under any commercial relationship, or when there is not a company behind it?

25. What do you do with the OSS code you use

    but that is not under any commercial relationship, or when there is not a company behind it? You take it, create an internal product, and after certain risk analysis, you move forward and this is part of thee official and internal tech. stack.

26. Open Source World Within the walls of the Organization

27. Open Source World Within the walls of the Organization

28. Open Source World Within the walls of the Organization

29. Open Source World Within the walls of the Organization

30. Open Source World Within the walls of the Organization These

    are great, excellent, and lovely internal products used across the organization

31. Open Source World Within the walls of the Organization They

    are not that great anymore…

32. SupplyChainCon Track, welcome!

33. What are the areas of analysis? Reasons to adopt the

    technology and how to limit the risk of that adoption. Source code security analysis, continous checks, open soruce compliance, etc.

34. You are treating the adopted OSS technology just as a

    risk Have you considered working with those OSS communities as providers?

35. Countering Build Threats Source Code Level Problems Dependency Threats

36. Countering Build Threats Source Code Level Problems Dependency Threats Countering

    Community Threats

37. Can I define Community Threats as… Poorly maintained, lack of

    effort or time Project driven by just one company (or the other way around) Lack of engagement or high company turnover Lively community

38. Money? How can I have healthier providers? And even more,

    be aware of this?

39. Money?

40. Money?

41. Indeed, how can we measure risk of a provider that

    does not exist and that is no providing commercial services? Beyond the usual analysis of source code or compliance, have a look at other areas: activity, community, and process. And work with this community as this were another partner. It happens this should be done in a differnt way.

42. Some hints: Risk analysis - community sustainability, community health Actions

    to take - help those communities to be more sustainable, sit down at the table with them. Just pouring money to them is not the only solution, they may need marketing, or engineering cycles

43. Some hints: Consider looking at the project directly, there are

    a lot of them not covered under the umbrella of any OSSFoundation
44. None

45. Community Health Analytics for Open Source Software https://chaoss.community

46. OSS Tools to Analyze (OSS) Software Development Projects https://chaoss.github.io/grimoirelab/ Raw

    data Identities DB Enriched data Incremental datasets Historical data Focus on data, not on mining processes OSS metrics lake Metrics ready for consumption 30+ Data sources

47. SBoM (with git/github info) Community Threats / Metrics

48. https://github.com/chaoss/wg-risk/tree/main/focus-areas/business-risk

49. The general feeling is not to choose a particular OSS

    project if this is risky I say, grow with your providers

50. Software Development Analytics Defining the Limits of Risk OSS Summit

    EU 2022 Daniel Izquierdo Cortázar