
A walk through the OSPO Five-Stage Model

Ana Jimenez
October 12, 2022


The formation of OSPOs (Open Source Program Offices) is analogous to the moment when organizations first started to establish CISOs as a reaction to security incidents. The organizations that established these centers of security competency protected and armed themselves for a better future.

To better explain the evolution of OSPOs, members of the TODO Group run an annual OSPO survey and have put together a maturity model that people can use for their organization. It provides a set of patterns and directions to help implement an OSPO (Open Source Program Office) or an open source initiative within corporate environments.

During this presentation, Ana walks through each of the stages of the model. The audience will learn the different actions an OSPO should accomplish to advance in its OSPO journey.


Transcript

  1. A Walk through the OSPO Five-stage Model. Open Source Lisbon | October 12. Ana Jiménez Santamaría, @anajsana95
  2. > Formerly at Bitergia: spent 3+ years helping organizations in their InnerSource and open source metrics journey
     > OSPO PM at TODO Group, a group of practitioners advocating for #OSPO education and adoption across organizations worldwide through networking, training, research, guides, tools and more
     > MSc in Data Science
     > Involved in other open source communities: CHAOSS, OpenChain, TODO, InnerSource Commons, DevRel Collective, DevRel Spain
  3. What are the potential risks for the open source ecosystem if organizations do open source incorrectly?
  4. What are the potential risks for the open source ecosystem if organizations do open source incorrectly? What is the cost of doing business for organizations if they do open source incorrectly?
  5. 29% of popular projects contain known vulnerabilities¹; 6.5% of non-popular projects contain known vulnerabilities¹. Not all parts are created equal: 90% of a modern application's code base is open source², 10% is custom code. (¹ ² Sonatype, 2020 and 2021 State of the Software Supply Chain)
  6. Organizations are not conscious of open source nowadays: 90% of IT leaders are using enterprise open source today (Red Hat); 91% of commercial applications contain outdated or abandoned open source components (Synopsys).
  7. CISO (Chief Information Security Officer): role within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected.
  8. OSPO Responsibilities
     📘 Develop and Execute Open Source Strategy
     🧭 Eliminate Friction from Using and Contributing to Open Source
     🖥 Manage Open Source IT Infrastructure
     📚 Give Advice on Open Source
     🫶 Grow and Retain Open Source Talent Inside the Organization
     🤝 Implement InnerSource Practices
     ⏱ Track Performance Metrics
     🤝 Collaborate with Open Source Organizations
     📈 Prioritize and Drive Open Source Upstream Development
     📝 Establish and Improve Open Source Policies and Processes
     🔍 Oversee Open Source Compliance
     📒 Support Corporate Development Activities
  9. // Frequent Questions: 🤝 Does an OSPO fit my organization? 🧩 When is the best time to start an OSPO? 🚀 How can my organization pave the path to build an OSPO?
  10. // Frequent Questions: 🤝 Does an OSPO fit my organization? 🧩 When is the best time to start an OSPO? 🚀 How can my organization pave the path to build an OSPO?
  11. Which OSPO story can you relate to?
     🚀 Growing OSPO: seen as a critical asset in the organization; there is a continuous evolution.
     🔒 Locked OSPO: not seen as a critical asset; no/low decision power: either they perished or are just maintained.
     Some success stories can be found at: • OSPOlogy • OSPO Use Cases
  12. Case Study: Oficinas de Software Libre (Open Source / FOSS Offices) in Spain: https://www.uco.es/aulasoftwarelibre/directorio-de-oficinas-de-software-libre/
  13. Approach: • Top-down AND bottom-up • Infuse open source understanding into all parties • Build a matrix of experts and act as the linchpin. // OSPOs are nurtured from multiple angles: wherever the need came from, make sure to build strong communication channels.
  14. "Open source is the life-blood for many of the small businesses represented in this study. OSPOs continue to be seen as extremely or very critical to the success of engineering or product teams. However, respondents at organizations with less than 50 employees are twice as likely to believe the efforts are extremely critical as compared to those at organizations with 1,000 or more employees." https://github.com/todogroup/osposurvey
  15. // Frequent Questions: 🤝 Does an OSPO fit my organization? 🧩 When is the best time to start an OSPO? 🚀 How can my organization pave the path to build an OSPO?
  16. // Frequent Questions: 🤝 Does an OSPO fit my organization? 🧩 When is the best time to start an OSPO? 🚀 How can my organization pave the path to build an OSPO?
  17. OSPO Responsibilities
     📘 Develop and Execute Open Source Strategy
     🧭 Eliminate Friction from Using and Contributing to Open Source
     🖥 Manage Open Source IT Infrastructure
     📚 Give Advice on Open Source
     🫶 Grow and Retain Open Source Talent Inside the Organization
     🤝 Implement InnerSource Practices
     ⏱ Track Performance Metrics
     🤝 Collaborate with Open Source Organizations
     📈 Prioritize and Drive Open Source Upstream Development
     📝 Establish and Improve Open Source Policies and Processes
     🔍 Oversee Open Source Compliance
     📒 Support Corporate Development Activities
  18. Legal-Driven Stage. Organizations in Stage 1 recognize that OSS is a key part of their business and technology strategy. They understand that the security practices of OSS projects differ from those of proprietary software companies. Organizations must identify their legal and security risks. Risk mitigation strategies include: • Careful licensing • Developer education • Inventory-taking.
  19. Legal-Driven Stage: some useful resources to get started.
     Training: • Secure software fundamentals • Implementing open source license compliance management • OS licenses and compliance basics (OSPO 101 module 5)
     Playbooks / practical implementation: • Implement the ISO/IEC 5230 specification through the lens of an OSPO • Open Source Policy Examples and Templates
     Tooling: - SCA tooling - Metrics - Project quality - Documentation projects
  20. Community-Driven Stage (part 1). OSPOs in Stage 2 create internal mechanisms such as ambassadors who promote usage of approved OSS products, educational programs on good OSS hygiene, technical training or skill building, certification in OSS, etc. With these initiatives, an organization can grow its use of OSS and amplify the message that OSS is not only important but desirable and preferable to proprietary software products within the organization.
  21. Community-Driven Stage (part 1): some useful resources to get started.
     Practical implementation: • InnerSource Patterns: implement InnerSource principles to: ◦ help nurture the open source culture ◦ ease internal communication
     Tooling: - Documentation projects
  22. Community-Driven Stage (part 2). As they advance in Stage 2, organizations begin incentivizing their developers to work on OSS projects critical to their operations, to the degree that developers become highly active contributors or primary maintainers. • OSPOs begin to streamline and optimize outbound open source contributions for their developers. • OSPOs create and launch open source projects to establish broad credibility in the open source community.
  23. Community-Driven Stage (part 2): some useful resources to get started.
     Training: • OSPO 101 module 7 • OSPO 101 module 4 (Effective OS Development & Participation) • WIP: OSPO 101 extension modules!
     Practical implementation: • Outbound Open Source Guide (OSPO/TODO Guide) • OSPO Metrics working group • Defining OSPO policies (OSPO 101 modules)
     Tooling: • Metrics
  24. Engagement-Driven Stage. In Stage 3, organizational leaders support incubating and launching open source projects into the public sphere because they understand how these projects benefit their organization. These projects tend to offer better performance and crucial capabilities critical to the organization's technology infrastructure. The OSPO develops internal processes, playbooks, checklists, tooling, and other mechanisms to vet, organize, and operate open source projects and to prepare and coach their leaders.
  25. Engagement-Driven Stage: some useful resources to get started.
     Guides: • Participating in open source communities
     Practical implementation: • Open Source Policy Examples and Templates • Outbound Open Source Guide (OSPO/TODO Guide) • Community health metrics standards (OSPO WG)
     Tooling: - Metrics - Documentation projects
  26. Leadership-Driven Stage. The OSPO becomes a strategic partner for technology decisions, helping to guide choices and shape long-term commitments to projects. Three types of strategic guidance: • Advise the CTO and technology leadership on open source technologies to adopt into / remove from the organization's technology stack • Take the lead on benchmarking what constitutes an acceptable OSS project • Help the organization understand and navigate project governance
  27. Leadership-Driven Stage: some useful resources to get started.
     Guides: • https://todogroup.org/guides/building-leadership/
     Practical implementation: • Outbound Open Source Guide (OSPO/TODO Guide) • OSPO Metrics working group
     Tooling: • Metrics
  28. When starting an OSPO… 🚀 Have clear goals 🧭 Find your way 💚 Collaborate. @anajsana95 // @todogroup
  29. // Learn more. Communication channels: GitHub, Slack, Twitter, LinkedIn. TODO Guides & Resources: https://todogroup.org/guides/