Defining the limits of Risk

Bitergia

October 05, 2022

Transcript

1. Software Development Analytics: Defining the Limits of Risk. OSS Summit EU 2022. Daniel Izquierdo Cortázar
2. CEO @ Bitergia, Governing Board @ CHAOSS, VP @ InnerSource Commons Foundation. https://www.linkedin.com/in/dicortazar/ [email protected] @dizquierdo
3. “[...] Risk involves uncertainty about the effects/implications of an activity with respect to something that humans value [...]” (Wikipedia dixit)
4. None
5. All the source code in your company
6. All the source code in your company: In house
7. All the source code in your company: Outsourced, In house
8. All the source code in your company: Outsourced, In house, OSS Commercial
9. All the source code in your company: Outsourced, In house, OSS Commercial, OSS / No support
10. Corporation, Key Provider, Yet Another Key Provider, Provider, Key Provider; In House, Outsourced, OSS Commercially supported, Adopted OSS
11. Assumption: You want to have a healthy providers ecosystem
12. In House / Outsourced / OSS Commercial Support / OSS with no Support. How do you take care of risk?
13. In House / Outsourced / OSS Commercial Support / OSS with no Support. You control risk by checking the… code quality, security scanners, internal process, and others
14. In House / Outsourced / OSS Commercial Support / OSS with no Support. You control risk by checking the… financial status, source code (if provided), people involved and expertise, NDA in place, code security rules, …
15. In House / Outsourced / OSS Commercial Support / OSS with no Support. You control risk by checking the… Outsourced + checking the code, compliance
16. In House / Outsourced / OSS Commercial Support / OSS with no Support. You control risk by checking the… checking the code, compliance, closer to in house development?
17. In House / Outsourced / OSS Commercial Support / OSS with no Support. But there are missing points: How can I check the financial stability of these projects? What is their history? Can I talk to someone there? Who are they?
18. Corporations have several ways to interact with OSS communities. TODO: bring here the picture of the ways companies interact and measure risk
19. Assumption: You want to have a healthy providers ecosystem
20. OSS is part of any corporation ecosystem. Indeed, a big percentage of the existing source code is third party source code, either proprietary or OSS.
21. How are we taking care of the risks associated with a provider? Financial status, legal situation, perhaps even an exclusive provider in certain markets, and others. Then we trust the provider, even in cases where the source code is not even provided, as for example in the automotive industry, with a lot of secrecy.
22. All the source code in your company: Outsourced, In house, OSS Commercial, OSS / No support
23. All the source code in your company: Outsourced, In house, OSS Commercial, OSS / No support
24. What do you do with the OSS code you use but that is not under any commercial relationship, or when there is not a company behind it?
25. What do you do with the OSS code you use but that is not under any commercial relationship, or when there is not a company behind it? You take it, create an internal product, and after a certain risk analysis you move forward, and this becomes part of the official and internal tech stack.
26. Open Source World / Within the walls of the Organization
27. Open Source World / Within the walls of the Organization
28. Open Source World / Within the walls of the Organization
29. Open Source World / Within the walls of the Organization
30. Open Source World / Within the walls of the Organization. These are great, excellent, and lovely internal products used across the organization
31. Open Source World / Within the walls of the Organization. They are not that great anymore…
32. SupplyChainCon Track, welcome!
33. What are the areas of analysis? Reasons to adopt the technology and how to limit the risk of that adoption: source code security analysis, continuous checks, open source compliance, etc.
34. You are treating the adopted OSS technology just as a risk. Have you considered working with those OSS communities as providers?
35. Countering Build Threats / Source Code Level Problems / Dependency Threats
36. Countering Build Threats / Source Code Level Problems / Dependency Threats / Countering Community Threats
37. Can I define Community Threats as… Poorly maintained, lack of effort or time; Project driven by just one company (or the other way around); Lack of engagement or high company turnover; Lively community
38. Money? How can I have healthier providers? And even more, be aware of this?
39. Money?
40. Money?
41. Indeed, how can we measure the risk of a provider that does not exist and that is not providing commercial services? Beyond the usual analysis of source code or compliance, have a look at other areas: activity, community, and process. And work with this community as if it were another partner. It happens that this should be done in a different way.
42. Some hints: Risk analysis - community sustainability, community health. Actions to take - help those communities to be more sustainable, sit down at the table with them. Just pouring money into them is not the only solution; they may need marketing, or engineering cycles
43. Some hints: Consider looking at the project directly; there are a lot of them not covered under the umbrella of any OSS Foundation
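The community threats named on slide 37 (a project driven by one company, lack of engagement, high company turnover, poor maintenance) and the "activity, community, and process" signals of slides 41 and 42 can be turned into numbers from nothing more than a git log. The script below is an added example, not code from the deck, from Bitergia or from GrimoireLab: it scores a constructed commit log with a bus factor and an elephant factor (defined here in the CHAOSS style, as the smallest number of authors or organisations whose commits exceed half of the total), a days-since-last-commit figure, and a contributor-turnover ratio between two consecutive 90-day windows. The commit records, the email-domain-to-organisation mapping and the threshold values are assumptions made for the illustration.

```python
"""Community-risk metrics over a constructed commit log.

Added example (not the deck's, Bitergia's or GrimoireLab's code).
Metric definitions follow the CHAOSS bus factor / elephant factor idea:
the smallest number of authors (or organisations) whose commits add up
to more than half of all commits. The commit log below is constructed
sample data, not a real project.
"""
from collections import Counter
from datetime import date, timedelta

# Constructed sample commit log: (author email, commit date).
COMMITS = [
    ("alice@acme.example", date(2022, 9, 20)),
    ("alice@acme.example", date(2022, 9, 1)),
    ("alice@acme.example", date(2022, 8, 15)),
    ("alice@acme.example", date(2022, 7, 30)),
    ("bob@acme.example", date(2022, 9, 10)),
    ("bob@acme.example", date(2022, 8, 20)),
    ("carol@indie.example", date(2022, 8, 5)),
    ("alice@acme.example", date(2022, 6, 15)),
    ("dave@rival.example", date(2022, 5, 20)),
    ("dave@rival.example", date(2022, 5, 1)),
    ("erin@indie.example", date(2022, 4, 20)),
]
TODAY = date(2022, 10, 5)  # assumed "now" for the analysis


def org_of(email):
    """Assumption: the email domain identifies the contributor's organisation."""
    return email.split("@", 1)[1]


def min_holders_for_majority(counts, threshold=0.5):
    """Smallest number of keys whose combined count exceeds `threshold` of the total."""
    total = sum(counts.values())
    accumulated = 0
    for n, (_, count) in enumerate(counts.most_common(), start=1):
        accumulated += count
        if accumulated > threshold * total:
            return n
    return len(counts)


def bus_factor(commits):
    """How many individual authors carry more than half of the commits."""
    return min_holders_for_majority(Counter(author for author, _ in commits))


def elephant_factor(commits):
    """How many organisations carry more than half of the commits."""
    return min_holders_for_majority(Counter(org_of(author) for author, _ in commits))


def days_since_last_commit(commits, today):
    return (today - max(day for _, day in commits)).days


def contributor_turnover(commits, today, window_days=90):
    """Share of authors active in the previous window who did not commit in the latest one."""
    cutoff = today - timedelta(days=window_days)
    previous_cutoff = cutoff - timedelta(days=window_days)
    recent = {author for author, day in commits if day > cutoff}
    previous = {author for author, day in commits if previous_cutoff < day <= cutoff}
    if not previous:
        return 0.0
    return len(previous - recent) / len(previous)


def community_risk_report(commits, today, inactivity_limit_days=180, turnover_limit=0.5):
    """Compute the metrics and raise flags; the limits are assumed example values."""
    report = {
        "bus_factor": bus_factor(commits),
        "elephant_factor": elephant_factor(commits),
        "days_since_last_commit": days_since_last_commit(commits, today),
        "contributor_turnover": contributor_turnover(commits, today),
    }
    checks = {
        "single_company_dominance": report["elephant_factor"] == 1,
        "bus_factor_one": report["bus_factor"] == 1,
        "inactive": report["days_since_last_commit"] > inactivity_limit_days,
        "high_turnover": report["contributor_turnover"] > turnover_limit,
    }
    report["flags"] = sorted(name for name, hit in checks.items() if hit)
    return report


if __name__ == "__main__":
    for key, value in community_risk_report(COMMITS, TODAY).items():
        print(f"{key}: {value}")
```

On the sample log the project looks healthy by activity (last commit 15 days ago, bus factor 2) but still raises two of the slide-37 threats: one organisation accounts for more than half of the commits, and two of the three contributors active in the previous quarter have disappeared. That is the point of looking beyond source-code scans: none of these signals would show up in a security scanner or a licence check.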
44. None
45. Community Health Analytics for Open Source Software https://chaoss.community
46. OSS Tools to Analyze (OSS) Software Development Projects https://chaoss.github.io/grimoirelab/ Raw data, Identities DB, Enriched data, Incremental datasets, Historical data. Focus on data, not on mining processes. OSS metrics lake. Metrics ready for consumption. 30+ Data sources
47. SBoM (with git/github info), Community Threats / Metrics
48. https://github.com/chaoss/wg-risk/tree/main/focus-areas/business-risk
49. The general feeling is not to choose a particular OSS project if this is risky. I say, grow with your providers
50. Software Development Analytics: Defining the Limits of Risk. OSS Summit EU 2022. Daniel Izquierdo Cortázar