Software Development Analytics: Defining the Limits of Risk
OSS Summit EU 2022
Daniel Izquierdo Cortázar
Slide 2
CEO @ Bitergia
Governing Board @ CHAOSS
VP @ InnerSource Commons Foundation
https://www.linkedin.com/in/dicortazar/
[email protected]
@dizquierdo
Slide 3
“[...] Risk involves uncertainty about the effects/implications of an activity with respect to something that humans value [...]”
Wikipedia dixit
Slides 5-9 (diagram built up step by step)
All the source code in your company:
In house
Outsourced
OSS Commercial
OSS / No support
Slide 10
[Diagram: a Corporation surrounded by its providers (Key Provider, Yet Another Key Provider, Provider), grouped as In House, Outsourced, OSS Commercially supported, and Adopted OSS]
Slide 11
Assumption: You want to have a healthy providers ecosystem
Slide 12
In House
Outsourced
OSS Commercial Support
OSS with no Support
How do you take care of risk?
Slide 13
In House
Outsourced
OSS Commercial Support
OSS with no Support
You control risk by checking the…
code quality,
security scanners,
internal process,
and others
Slide 14
In House
Outsourced
OSS Commercial Support
OSS with no Support
You control risk by checking the…
financial status,
source code (if provided),
people involved and expertise,
NDA in place,
code security rules,
…
Slide 15
In House
Outsourced
OSS Commercial Support
OSS with no Support
You control risk by checking the… (same as Outsourced) + checking the code, compliance
Slide 16
In House
Outsourced
OSS Commercial Support
OSS with no Support
You control risk by checking the…
checking the code,
compliance,
closer to in house development?
Slide 17
In House
Outsourced
OSS Commercial Support
OSS with no Support
But there are missing points:
How can I check the financial stability of these projects?
What is their history? Can I talk to someone there?
Who are they?
Slide 18
Corporations have several ways to interact with OSS communities.
TODO bring here the picture of the ways companies interact and measure risk
Slide 19
Assumption: You want to have a healthy providers ecosystem
Slide 20
OSS is part of any corporation ecosystem
Indeed, a big percentage of the existing source code is third party source code, either proprietary or OSS.
Slide 21
How are we taking care of the risks associated with a provider?
Financial status, legal situation, even perhaps exclusive provider in certain markets, and others
Then we trust the provider, even in cases where the source code is not even provided, as for example in the automotive industry, with a lot of secrecy
Slides 22-23 (the source code diagram again)
All the source code in your company:
In house
Outsourced
OSS Commercial
OSS / No support
Slides 24-25
What do you do with the OSS code you use but that is not under any commercial relationship, or when there is no company behind it?
You take it, create an internal product, and after a certain risk analysis you move forward, and this becomes part of the official and internal tech stack.
Slides 26-31
Open Source World Within the walls of the Organization
These are great, excellent, and lovely internal products used across the organization
They are not that great anymore…
Slide 32
SupplyChainCon Track, welcome!
Slide 33
What are the areas of analysis? Reasons to adopt the technology and how to limit the risk of that adoption.
Source code security analysis, continuous checks, open source compliance, etc.
Slide 34
You are treating the adopted OSS technology just as a risk
Have you considered working with those OSS communities as providers?
Can I define Community Threats as…
Poorly maintained, lack of effort or time
Project driven by just one company (or the other way around)
Lack of engagement or high company turnover
Lively community
Slides 38-40
Money?
How can I have healthier providers? And even more, be aware of this?
Slide 41
Indeed, how can we measure the risk of a provider that does not exist and that is not providing commercial services?
Beyond the usual analysis of source code or compliance, have a look at other areas: activity, community, and process.
And work with this community as if it were another partner. It happens that this should be done in a different way.
Slide 42
Some hints:
Risk analysis - community sustainability, community health
Actions to take - help those communities to be more sustainable, sit down at the table with them.
Just pouring money into them is not the only solution; they may need marketing or engineering cycles
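As an added example (not from the talk, and not GrimoireLab or CHAOSS code), the three community signals named on slides 34 and 41-42 computed over a constructed commit history: activity, single-company dominance (a simplified elephant factor) and contributor turnover. The commit data, the evaluation date and the thresholds are assumptions made for the illustration.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed commit history for a hypothetical project: (author, employer domain, date).
# In practice this comes from a git log or GrimoireLab enriched data; these values are made up.
COMMITS = (
    [("alice", "acme.com", date(2022, 7, d)) for d in range(1, 9)]
    + [("bob", "acme.com", date(2022, 8, d)) for d in (10, 15, 20)]
    + [("carol", "acme.com", date(2021, 11, 10)), ("carol", "acme.com", date(2022, 1, 15))]
    + [("dave", "example.org", date(2021, 12, 1)), ("dave", "example.org", date(2021, 12, 20))]
    + [("alice", "acme.com", date(2022, 2, 10))]
)
AS_OF = date(2022, 9, 1)  # assumed evaluation date

def window(commits, end, days):
    """Commits with start < date <= end for a window of `days` ending at `end`."""
    start = end - timedelta(days=days)
    return [c for c in commits if start < c[2] <= end]

def activity(commits, end, days=90):
    """Activity signal: (number of commits, distinct authors) in the last `days`."""
    w = window(commits, end, days)
    return len(w), len({author for author, _, _ in w})

def elephant_factor(commits, end, days=365):
    """Community signal: smallest number of organizations that together account for
    more than half of the commits in the window (simplified CHAOSS-style elephant factor)."""
    counts = Counter(org for _, org, _ in window(commits, end, days))
    total, acc, n = sum(counts.values()), 0, 0
    for _, cnt in counts.most_common():
        acc, n = acc + cnt, n + 1
        if acc * 2 > total:
            break
    return n

def turnover(commits, end, days=180):
    """Share of authors active in the previous window who are absent from the current one."""
    current = {a for a, _, _ in window(commits, end, days)}
    previous = {a for a, _, _ in window(commits, end - timedelta(days=days), days)}
    return len(previous - current) / len(previous) if previous else 0.0

def community_threats(commits, end):
    """Map the three signals onto the threats named in the talk; thresholds are assumed."""
    threats = []
    n_commits, _ = activity(commits, end)
    if n_commits < 10:
        threats.append("poorly maintained")
    if elephant_factor(commits, end) == 1:
        threats.append("single-company driven")
    if turnover(commits, end) > 0.5:
        threats.append("high turnover")
    return threats
```

With the constructed data the project is active enough (11 commits by 2 authors in 90 days) but every commit of the last year comes from one company and two of the three earlier contributors have left, so it is flagged as single-company driven with high turnover.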
Slide 43
Some hints:
Consider looking at the project directly; there are a lot of them not covered under the umbrella of any OSS Foundation
Slide 45
Community Health Analytics for Open Source Software
https://chaoss.community
Slide 46
OSS Tools to Analyze (OSS) Software Development Projects
https://chaoss.github.io/grimoirelab/
[Pipeline diagram: Raw data → Identities DB → Enriched data → OSS metrics lake → Metrics ready for consumption]
Incremental datasets
Historical data
Focus on data, not on mining processes
30+ Data sources
Slide 47
SBoM (with git/github info)
Community Threats / Metrics