Open source is a vibrant, promising area. According to a recent StackOverflow survey, developers see open source as the most proven technology. Open-source software (OSS) is now paramount to most development workflows, making up the bedrock of modern software infrastructure. OpenLogic’s 2023 State of Open Source Report found that organizations had increased their use of open-source software 80% over the last 12 months. In addition, OSS is essential for powering areas like AI and cloud-native DevOps technologies.
Yet issues with open source abound, including vulnerabilities within the software supply chain and a lack of funding around core projects. Not to mention, it can be challenging to understand the various OSS licenses and best practices for maintaining these dependencies.
Given the landscape, you can see why some might feel that open source warrants more leadership geared explicitly toward its adoption. I recently met with Javier Perez, Chief Open Source Evangelist at Perforce, to discuss open source leadership more in-depth. Below, we’ll consider how an organization might benefit from creating an Open Source Program Office (OSPO). We’ll also explore some of the roles an OSPO might have and outline the benefits of investing in open-source within your organization.
Which companies are the most important vendors in cybersecurity? Check out
the Acceleration Economy Cybersecurity
Top 10 Shortlist.
Organizations Begin to Take Open Source Seriously
“Since we’re building software and business on top of OSS, it’s a good idea to be more strategic about how to be a part of it, gain expertise, and contribute back to OSS,” says Perez. Organizations are starting to view OSS more strategically, and this is where open-source leadership comes into play.
To Perez, executive OSS leadership mirrors what we saw with the emergence of the CISO role some 15 years ago or so. At that time, more and more organizations were becoming digitized and thus had to deal with the advent of new cybersecurity concerns. Similarly, today, more and more organizations are doubling down on their strategy for managing a growing OSS landscape. This has led many, including Adobe, Box, Ericsson, Dropbox, and many others, to create an Open Source Program Office (OSPO), a dedicated group to oversee open-source practices within an organization.
In Perez’s view, a centralized open-source initiative could help educate engineers about good open-source practices and help steer the direction of crucial OSS projects. Embracing an open-source culture also leads to more disclosed vulnerabilities and could help keep up-to-date with the latest releases and versions. “Having someone that represents OSS governance and OSS as a whole could be another helpful check-and-balance,” he says.
Benefits of Investing in Open-Source Leadership
But what are the exact benefits an OSPO could bring to an enterprise? Here are some responsibilities that an open-source program could take to improve operations on multiple fronts.
Verify open-source licenses. There are countless open-source licenses, such as The Apache License, GNU General Public License (GPL), Berkeley Software Distribution (BSD), and many more. But some are more restrictive than others. Per Perez, this is where an open-source program office could help verify proper license usage and confirm there are no risks or restrictions with its use in commercial software.
Educate developers on best OSS practices. In 2023, top open source threats include things like known vulnerabilities, compromised legitimate packages, name confusion attacks, unmaintained or outdated software, and other concerns. To mitigate these risks, it’s important to educate developers on open-source security best practices, says Perez. This includes running vulnerability scans, understanding the Open Web Application Security Project (OWASP) top ten, and learning basic security knowledge. Knowledge sharing here could reduce security risks and help maintain a safer OSS footprint.
Become more influential in the open-source community. Especially for large companies, having a role in maintaining core open-source projects is becoming a strategic focal point. This can help steer industry-wide change and positively contribute back to the community. In Perez’s view, an open-source program office could help guide what technologies to contribute or invest in.
Oversee management of open source. Overseeing the acquisition of new tooling might fall under the role of an open-source program, but Perez cautions against enforcing tools from the top down. Instead, an internal open-source group could recommend certain packages and centralize policies. Another area of focus could be the continual updating and patching of open-source projects the company relies upon.
Innersourcing projects. Certain projects might be developed behind closed doors depending on how regulated of an environment the company is working in. Yet, these projects can still be crafted using OSS best practices to encourage company-wide collaboration. An open-source program office could help drive those projects and promote contributions around new internal tools.
“Better use of open source is better use of technology,” says Perez. The above roles could mitigate OSS risks while steering helping organizations toward the latest innovative technologies. And a dedicated open-source group could help solve key challenges facing company-wide open-source adoption. (The aforementioned OpenLogic report found that some top challenges regarding open source include maintaining security policies or compliance, lack of skills, proficiency, or experience, keeping up with updates and patches, and lack of low-level technical support.)
Tips on Starting an Open Source Initiative
So, what are some first steps in kickstarting an open-source initiative? Perez recommends first formalizing some of the work you’re already doing and documenting existing processes. You’ll also likely need to sync with legal teams to handle the license side of things and convince the leadership of the benefits.
It’s good to note that it’s not about open-sourcing everything — instead, engaging in a strategy to govern the open-source you consume and maintain. An OSPO can oversee placing open-source around your commercial software, too. “Open core” offerings, like libraries, plugins, or SDKs (software development kits), can increase stickiness and are common gateways to growing a developer community.
There’s no question that the use of OSS will continue to grow, and we’ll see more initiatives emerge around open source and innersourcing projects, predicts Perez. For more knowledge about OSPOs and open-source initiatives, a helpful resource is the TODO group, which is a Linux Foundation community that shares knowledge on practices, tools, and creating and managing OSPOs.
Want more cybersecurity insights? Subscribe to the Cybersecurity as a Business Enabler channel: