Defining the limits of Risk

Transcript

1. Software
   Development
   Analytics
   Defining the Limits
   of Risk
   OSS Summit EU 2022
   Daniel Izquierdo Cortázar
   

   View Slide

2. CEO @ Bitergia
   Governing Board @ CHAOSS
   VP @ InnerSource Commons Foundation
   https://www.linkedin.com/in/dicortazar/
   [email protected]
   @dizquierdo
   

   View Slide

3. “[...] Risk involves uncertainty about the
   effects/implications of an activity with
   respect to something that humans value
   [...]”
   Wikipedia dixit
   

   View Slide

4. View Slide

5. All the source code in your company
   

   View Slide

6. All the source code in your company
   In house
   

   View Slide

7. All the source code in your company
   Outsourced
   In house
   

   View Slide

8. All the source code in your company
   Outsourced
   In house
   OSS Commercial
   

   View Slide

9. All the source code in your company
   Outsourced
   In house
   OSS Commercial
   OSS / No
   support
   

   View Slide

10. Corporation
    Key
    Provider
    Yet
    Another
    Key
    Provider
    Provider
    Key
    Provider
    In House
    Outsourced
    OSS Commercially supported
    Adopted OSS
    

    View Slide

11. Assumption: You want to have a healthy providers ecosystem
    

    View Slide

12. In House
    Outsourced
    OSS Commercial Support
    OSS with no Support
    How do you take care of risk?
    

    View Slide

13. In House
    Outsourced
    OSS Commercial Support
    OSS with no Support
    You control risk by checking the…
    code quality,
    security scanners,
    internal process,
    and others
    

    View Slide

14. In House
    Outsourced
    OSS Commercial Support
    OSS with no Support
    You control risk by checking the…
    financial status,
    source code (if provided),
    people involved and expertise,
    NDA in place,
    code security rules,
    …
    

    View Slide

15. In House
    Outsourced
    OSS Commercial Support
    OSS with no Support
    You control risk by checking the…
    Outsourced
    +
    checking the code,
    compliance
    

    View Slide

16. In House
    Outsourced
    OSS Commercial Support
    OSS with no Support
    You control risk by checking the…
    checking the code,
    compliance,
    closer to in house development?
    

    View Slide

17. In House
    Outsourced
    OSS Commercial Support
    OSS with no Support
    But there are missing points:
    How can I check the financial stability of
    these projects?
    What is their history? Can I talk to
    someone there?
    Who are they?
    

    View Slide

18. Corporations have several ways to
    interact with OSS communities.
    TODO bring here the picture of the ways
    companies interact and measure risk
    

    View Slide

19. Assumption: You want to have a healthy
    providers ecosystem
    

    View Slide

20. OSS is part of any corporation ecosystem
    Indeed, a big percentage of the existing
    source code is third party source code,
    either proprietary or OSS.
    

    View Slide

21. How are we taking care of the risks
    associated to a provider?
    Finances status, legal situation, even
    perhaps exclusive provider in certain
    markets, and others
    Then we trust the provider, even with
    cases where source code is not even
    provided as for example in the
    automotive industry with a lot of secrecy
    

    View Slide

22. All the source code in your company
    Outsourced
    In house
    OSS Commercial
    OSS / No
    support
    

    View Slide

23. All the source code in your company
    Outsourced
    In house
    OSS Commercial
    OSS / No
    support
    

    View Slide

24. What do you do with the OSS code you
    use but that is not under any commercial
    relationship, or when there is not a
    company behind it?
    

    View Slide

25. What do you do with the OSS code you
    use but that is not under any commercial
    relationship, or when there is not a
    company behind it?
    You take it, create an internal product,
    and after certain risk analysis, you
    move forward and this is part of thee
    official and internal tech. stack.
    

    View Slide

26. Open Source World Within the walls of the Organization
    

    View Slide

27. Open Source World Within the walls of the Organization
    

    View Slide

28. Open Source World Within the walls of the Organization
    

    View Slide

29. Open Source World Within the walls of the Organization
    

    View Slide

30. Open Source World Within the walls of the Organization
    These are great, excellent, and
    lovely internal products used
    across the organization
    

    View Slide

31. Open Source World Within the walls of the Organization
    They are not that great
    anymore…
    

    View Slide

32. SupplyChainCon Track, welcome!
    

    View Slide

33. What are the areas of analysis? Reasons
    to adopt the technology and how to limit
    the risk of that adoption.
    Source code security analysis, continous
    checks, open soruce compliance, etc.
    

    View Slide

34. You are treating the adopted OSS technology just as a risk
    Have you considered working with those OSS communities as providers?
    

    View Slide

35. Countering Build Threats
    Source Code Level Problems
    Dependency Threats
    

    View Slide

36. Countering Build Threats
    Source Code Level Problems
    Dependency Threats
    Countering Community
    Threats
    

    View Slide

37. Can I define Community Threats as…
    Poorly maintained, lack of effort or time
    Project driven by just one company (or
    the other way around)
    Lack of engagement or high company
    turnover
    Lively community
    

    View Slide

38. Money?
    How can I have healthier
    providers? And even more,
    be aware of this?
    

    View Slide

39. Money?
    

    View Slide

40. Money?
    

    View Slide

41. Indeed, how can we measure risk of a
    provider that does not exist and that is no
    providing commercial services?
    Beyond the usual analysis of source code
    or compliance, have a look at other areas:
    activity, community, and process.
    And work with this community as this
    were another partner. It happens this
    should be done in a differnt way.
    

    View Slide

42. Some hints:
    Risk analysis - community sustainability,
    community health
    Actions to take - help those communities
    to be more sustainable, sit down at the
    table with them.
    Just pouring money to them is not the
    only solution, they may need marketing,
    or engineering cycles
    

    View Slide

43. Some hints:
    Consider looking at the project directly,
    there are a lot of them not covered under
    the umbrella of any OSSFoundation
    

    View Slide

44. View Slide

45. Community Health Analytics for Open Source Software
    https://chaoss.community
    

    View Slide

46. OSS Tools to
    Analyze (OSS)
    Software
    Development
    Projects
    https://chaoss.github.io/grimoirelab/
    Raw data
    Identities
    DB
    Enriched
    data
    Incremental datasets
    Historical data
    Focus on data, not on mining processes
    OSS metrics lake
    Metrics ready for consumption
    30+ Data sources
    

    View Slide

47. SBoM
    (with git/github info)
    Community
    Threats / Metrics
    

    View Slide

48. https://github.com/chaoss/wg-risk/tree/main/focus-areas/business-risk
    

    View Slide

49. The general feeling is not to choose a
    particular OSS project if this is risky
    I say, grow with your providers
    

    View Slide

50. Software
    Development
    Analytics
    Defining the Limits
    of Risk
    OSS Summit EU 2022
    Daniel Izquierdo Cortázar
    

    View Slide