Defining the limits of Risk

Bitergia
October 05, 2022

Transcript

  1. Software Development Analytics
    Defining the Limits of Risk
    OSS Summit EU 2022
    Daniel Izquierdo Cortázar

  2. CEO @ Bitergia
    Governing Board @ CHAOSS
    VP @ InnerSource Commons Foundation
    https://www.linkedin.com/in/dicortazar/
    [email protected]
    @dizquierdo

  3. “[...] Risk involves uncertainty about the
    effects/implications of an activity with
    respect to something that humans value
    [...]”
    Wikipedia dixit

  4. [slide with no text]

  5. All the source code in your company

  6. All the source code in your company
    In house

  7. All the source code in your company
    Outsourced
    In house

  8. All the source code in your company
    Outsourced
    In house
    OSS Commercial

  9. All the source code in your company
    Outsourced
    In house
    OSS Commercial
    OSS / No support

  10. [Diagram: a Corporation surrounded by its providers (Key Provider, Yet Another Key Provider, Provider), grouped as In House, Outsourced, OSS Commercially supported, and Adopted OSS]

  11. Assumption: You want to have a healthy provider ecosystem

  12. In House
    Outsourced
    OSS Commercial Support
    OSS with no Support
    How do you take care of risk?

  13. In House
    Outsourced
    OSS Commercial Support
    OSS with no Support
    You control risk by checking the…
    code quality,
    security scanners,
    internal process,
    and others

  14. In House
    Outsourced
    OSS Commercial Support
    OSS with no Support
    You control risk by checking the…
    financial status,
    source code (if provided),
    people involved and expertise,
    NDA in place,
    code security rules

  15. In House
    Outsourced
    OSS Commercial Support
    OSS with no Support
    You control risk by checking the…
    Outsourced
    +
    checking the code,
    compliance

  16. In House
    Outsourced
    OSS Commercial Support
    OSS with no Support
    You control risk by checking the…
    checking the code,
    compliance,
    closer to in house development?

  17. In House
    Outsourced
    OSS Commercial Support
    OSS with no Support
    But there are missing points:
    How can I check the financial stability of
    these projects?
    What is their history? Can I talk to
    someone there?
    Who are they?

  18. Corporations have several ways to
    interact with OSS communities.
    TODO bring here the picture of the ways
    companies interact and measure risk

  19. Assumption: You want to have a healthy provider ecosystem

  20. OSS is part of any corporation ecosystem
    Indeed, a big percentage of the existing
    source code is third party source code,
    either proprietary or OSS.

  21. How are we taking care of the risks
    associated with a provider?
    Financial status, legal situation, even
    perhaps an exclusive provider in certain
    markets, and others.
    Then we trust the provider, even in
    cases where the source code is not even
    provided, as for example in the
    automotive industry, where there is a lot of secrecy.

  22. All the source code in your company
    Outsourced
    In house
    OSS Commercial
    OSS / No support

  23. All the source code in your company
    Outsourced
    In house
    OSS Commercial
    OSS / No support

  24. What do you do with the OSS code you
    use but that is not under any commercial
    relationship, or when there is not a
    company behind it?

  25. What do you do with the OSS code you
    use but that is not under any commercial
    relationship, or when there is not a
    company behind it?
    You take it, create an internal product and,
    after a certain risk analysis, you
    move forward and it becomes part of the
    official, internal tech stack.

  26. Open Source World Within the walls of the Organization

  27. Open Source World Within the walls of the Organization

  28. Open Source World Within the walls of the Organization

  29. Open Source World Within the walls of the Organization

  30. Open Source World Within the walls of the Organization
    These are great, excellent, and
    lovely internal products used
    across the organization

  31. Open Source World Within the walls of the Organization
    They are not that great
    anymore…

  32. SupplyChainCon Track, welcome!

  33. What are the areas of analysis? Reasons
    to adopt the technology, and how to limit
    the risk of that adoption:
    source code security analysis, continuous
    checks, open source compliance, etc.

  34. You are treating the adopted OSS technology just as a risk
    Have you considered working with those OSS communities as providers?

  35. Countering Build Threats
    Source Code Level Problems
    Dependency Threats

  36. Countering Build Threats
    Source Code Level Problems
    Dependency Threats
    Countering Community
    Threats

  37. Can I define Community Threats as…
    Poorly maintained, lack of effort or time
    Project driven by just one company (or
    the other way around)
    Lack of engagement or high company
    turnover
    Lively community

  38. Money?
    How can I have healthier
    providers? And even more,
    be aware of this?

  39. Money?

  40. Money?

  41. Indeed, how can we measure the risk of a
    provider that does not exist and that is not
    providing commercial services?
    Beyond the usual analysis of source code
    or compliance, have a look at other areas:
    activity, community, and process.
    And work with this community as if it
    were another partner. It happens that this
    should be done in a different way.

  42. Some hints:
    Risk analysis - community sustainability,
    community health
    Actions to take - help those communities
    to be more sustainable, sit down at the
    table with them.
    Just pouring money into them is not the
    only solution; they may need marketing
    or engineering cycles.
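The community threats listed on slide 37 and the sustainability analysis suggested here can be turned into measurable indicators from a project's commit history. The script below is an added example, not code from the deck or from GrimoireLab: it computes two CHAOSS-style concentration metrics (elephant factor for single-company dominance, bus factor for too few maintainers), contributor turnover between two windows, and an activity drop, over a constructed commit log; using the e-mail domain as the organisation and the flag thresholds are assumptions.

```python
"""Community-threat indicators from a constructed commit log (added example)."""
from collections import Counter
from datetime import date

# Constructed sample data: (author e-mail, commit date). The e-mail domain stands
# in for the organisation, an assumption; real tooling needs an identities DB.
COMMITS = [
    ("alice@bigco.example", date(2022, 1, 10)), ("bob@bigco.example", date(2022, 2, 3)),
    ("carol@uni.example", date(2022, 2, 20)), ("alice@bigco.example", date(2022, 3, 5)),
    ("carol@uni.example", date(2022, 4, 1)), ("bob@bigco.example", date(2022, 5, 12)),
    ("alice@bigco.example", date(2022, 6, 30)),
    ("alice@bigco.example", date(2022, 7, 2)), ("bob@bigco.example", date(2022, 8, 9)),
    ("dave@indie.example", date(2022, 9, 15)), ("alice@bigco.example", date(2022, 10, 4)),
    ("bob@bigco.example", date(2022, 12, 1)),
]

def org_of(email):
    return email.split("@", 1)[1]

def concentration_factor(keys):
    """Smallest number of top contributors whose commits reach 50% of the total."""
    counts = Counter(keys)
    total = sum(counts.values())
    running = 0
    for n, (_, c) in enumerate(counts.most_common(), start=1):
        running += c
        if 2 * running >= total:
            return n
    return 0

def elephant_factor(commits):  # organisations needed to reach 50%; 1 = one-company project
    return concentration_factor(org_of(e) for e, _ in commits)

def bus_factor(commits):  # people needed to reach 50% of commits
    return concentration_factor(e for e, _ in commits)

def window(commits, start, end):
    return [(e, d) for e, d in commits if start <= d < end]

def community_threats(commits, prev_start, cur_start, cur_end):
    """Flags that map onto the slide's community threats (thresholds are assumptions)."""
    prev, cur = window(commits, prev_start, cur_start), window(commits, cur_start, cur_end)
    gone = sorted({e for e, _ in prev} - {e for e, _ in cur})
    return {
        "single_company": elephant_factor(commits) == 1,
        "bus_factor": bus_factor(commits),
        "departed_contributors": gone,                  # turnover / lack of engagement
        "activity_dropped": len(cur) * 2 < len(prev),   # effort falling away
    }

def example_report():
    """H1 2022 as the previous window, H2 2022 as the current one."""
    return community_threats(COMMITS, date(2022, 1, 1), date(2022, 7, 1), date(2023, 1, 1))

if __name__ == "__main__":
    print(example_report())
```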

  43. Some hints:
    Consider looking at the project directly;
    there are a lot of them not covered under
    the umbrella of any OSS foundation.

  44. [slide with no text]

  45. Community Health Analytics for Open Source Software
    https://chaoss.community

  46. OSS Tools to Analyze (OSS) Software Development Projects
    https://chaoss.github.io/grimoirelab/
    Pipeline stages: Raw data, Identities DB, Enriched data
    Incremental datasets
    Historical data
    Focus on data, not on mining processes
    OSS metrics lake
    Metrics ready for consumption
    30+ Data sources

  47. SBoM (with git/github info)
    Community Threats / Metrics

  48. https://github.com/chaoss/wg-risk/tree/main/focus-areas/business-risk

  49. The general feeling is not to choose a
    particular OSS project if it is risky.
    I say, grow with your providers.

  50. Software Development Analytics
    Defining the Limits of Risk
    OSS Summit EU 2022
    Daniel Izquierdo Cortázar
