OSPOlogy Follow-up: How OSPOs Manage Change In Enterprises For Open Source Adoption #233
Replies: 9 comments 18 replies
-
|
Question from the chat: How does the US’ new Executive Order 14028, “Improving the Nation’s Cybersecurity” related to providing Bill of Material for the Open source components used in a software system affect OSPOs? |
Beta Was this translation helpful? Give feedback.
-
|
Interesting question and I remember from talking to friends who are OSPO that the SBOM is not something they own, but what they look at for dependencies to support potentially with upstream contributions or otherwise. |
Beta Was this translation helpful? Give feedback.
-
|
(and that Security owns the SBOM) |
Beta Was this translation helpful? Give feedback.
-
|
US government demands SBOMs from suppliers. However, this is not limited to the US government since this practice is also being widely adopted in the corporate world. |
Beta Was this translation helpful? Give feedback.
-
|
Question from the chat: Some companies have OSS to drive product purchase, how do you create more support for OSS for OSS instead of product purchase? |
Beta Was this translation helpful? Give feedback.
-
|
Not sure I understand this question. Did you say you could talk to this one, @jlprat ? |
Beta Was this translation helpful? Give feedback.
-
|
If the question is revolving around monetization of OSS, there are several ways of monetizing open source. Offering support, offering managed services, or offering "premium features" for paid customers (also known as open core). |
Beta Was this translation helpful? Give feedback.
-
|
Another security aspect of using Open Source is that you can inspect the code and know exactly what is the software doing with your information. Another benefit is that using Open Source you are free form any vendor lock-in mechanisms, usually found in proprietary software. |
Beta Was this translation helpful? Give feedback.
-
|
question from the chat: If you have a large amount of open source dependencies used by your company's applications: how to identify the critical (most important/strategical) ones to contribute back? Should I pay attention only to the direct dependencies or the transitive ones are also equally important? |
Beta Was this translation helpful? Give feedback.
-
|
I want to offer a maybe non-traditional answer to this question. One can chose to prioritize projects by business impact. To help gauge this, one can ask, "which projects would hurt us the most if their development stopped?" |
Beta Was this translation helpful? Give feedback.
-
|
question from the chat: Which resources/tools/methodologies have your OSPOs used to educate the developers regarding license compliance? |
Beta Was this translation helpful? Give feedback.
-
|
Recommend to re-use the https://www.openchainproject.org/resources but my suggestion is not to over-educate your developers e.g. have 100+ pages explaining the various open source licenses. Developers have already enough responsibilities and licensing is legal which many shades of grey compared to code which is black & white (true/false). Instead use a tool such as Linux Foundation's ORT to flag problematic licenses and give them exact instructions on how they can resolve any license compliance issue by themselves. |
Beta Was this translation helpful? Give feedback.
-
|
In my previous OSPO we provided developers with TL;DR versions of the license obligations and put this in our internal GitHub - speaking the language of developers rather than expecting them to be lawyers. These TL;DR notes were linked to the policy definitions in the SCA tool we were using. |
Beta Was this translation helpful? Give feedback.
-
|
TL;DR versions of the license obligations are nice but known how to satisfy them is another thing - we build a system with ORT that for 90% of the cases the pipeline based on specified product and delivery context will do satisfy the license obligations and do certain level of checks. My advise is to use a data-driven, risk-based approach to license and vulnerability management to reduce the effort required from development teams as low as possible but still be able to satisfy FOSS licenses, local laws and your organizations contractual obligations. Don't fall for the trap that you get a tool and your are done, doing highly automated compliance right requires quite advance tooling and every evolving complex policies. The OSPOs behind ORT are trying to make this simpler for all which is why we have open-sourced tooling + data + policy. |
Beta Was this translation helpful? Give feedback.
-
|
I've often heard orgs / OSPOs talking about how they have processes for reviewing requests to include open source in a product, i.e. dev teams need to get a package reviewed and approved before the package can be used in a product. Increasingly, the open source in a product comes from a large, dynamic tree of transitive dependencies that may change frequently. How do today's OSPOs cope with pre-approval of open source when a single direct dependency may pull in hundreds of transitive dependencies, which would also need approval? |
Beta Was this translation helpful? Give feedback.
-
|
The best way to handle this is to use SCA tools that can do deep dependency analysis and assess the entire dependency tree against policies that can assess the OSS components' compliance to security and legal requirements. This should happen as early in the development lifecycle as possible, so that developers can make informed decisions about what to use and what not to use. Of course, there will always be exceptions where a dev team needs to use a component that's out of policy - this is where the OSPO can weigh in and help find alternatives or grant exceptions based on the business use case. |
Beta Was this translation helpful? Give feedback.
-
|
You rang? |
Beta Was this translation helpful? Give feedback.
-
|
question from the chat: Do these OSPOs operate as a full-time function for the panel or are they part-time with other company responsibilities? |
Beta Was this translation helpful? Give feedback.
-
|
At Aiven, all OSPO members are full-time members of the OSPO and their work is 100% on the Open Source space. |
Beta Was this translation helpful? Give feedback.
-
|
at Microsoft we are full time members, but we also work with partner teams (legal, engineering) to get our work done. |
Beta Was this translation helpful? Give feedback.
-
|
At Postman, we have several people working full-time on Open Source projects that are not Postman's. I'm working full-time in the OSPO operations,and I'll hire more people in operations. |
Beta Was this translation helpful? Give feedback.
-
|
For those interested in deep dive into OSPO Metrics creation and improving existing open source tooling, CHAOSS & TODO are working together on this Working Group to make that happen 🙂 https://github.com/chaoss/wg-ospo |
Beta Was this translation helpful? Give feedback.
-
|
I am presenting some of our metrics work on the next one of these calls |
Beta Was this translation helpful? Give feedback.
-
|
question from the chat: Open Source Program Office OR Open technology program office?? I see Intel, IBM, Postman going for the latter. Is this change required to make it more inclusive for Open Data & Design? |
Beta Was this translation helpful? Give feedback.
-
|
@jansche ? |
Beta Was this translation helpful? Give feedback.
-
|
I'd go with OSPO to be honest. It's more comprehensive and I like that there's a standard. |
Beta Was this translation helpful? Give feedback.
-
|
Hi Julian, I think a more accurate statement might be that the US Government is interested in requiring, agencies have the *option* of requiring, the requirement that Department of Homeland Security compel its vendors to do so was *removed* from the national security appropriation bill a few weeks back at the urging of private industry (who in short said they support but were not ready to meet the mandate).
Good summary here on the topic.
https://www.cyberscoop.com/dhs-sbom-adoption/
I would agree with a statement that it’s the direction everyone is headed, and once it biomes requisition for federal agencies then (within the USG scope) we’ll see it circle out to regulated industries. But it’s not a broad government demand at present writing. Work ahead.
Cheers,
Deb Bryant
… On Jan 18, 2023, at 3:03 PM, Julian Coccia ***@***.***> wrote:
US government demands SBOMs from suppliers. However, this is not limited to the US government since this practice is also being widely adopted in the corporate world.
—
Reply to this email directly, view it on GitHub <#233 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABVN44WVCCXAMZCXEV7ISZ3WTBECBANCNFSM6AAAAAAT7HO4DA>.
You are receiving this because you are subscribed to this thread.
|
Beta Was this translation helpful? Give feedback.
-
Discuss with the community topics related to the upcoming OSPOlogy meeting:
📅 January, 18th ➡️ How OSPOs Manage Change In Enterprises For Open Source Adoption
Join Zoom Link
In this open space, people can:
Intro Presentation Slides
PDF
OSPOlogyS3 - Chapter1.pdf
Beta Was this translation helpful? Give feedback.
All reactions