Slide 1

Slide 1 text

Software Development Analytics Defining the Limits of Risk OSS Summit EU 2022 Daniel Izquierdo Cortázar

Slide 2

Slide 2 text

CEO @ Bitergia Governing Board @ CHAOSS VP @ InnerSource Commons Foundation https://www.linkedin.com/in/dicortazar/ [email protected] @dizquierdo

Slide 3

Slide 3 text

“[...] Risk involves uncertainty about the effects/implications of an activity with respect to something that humans value [...]” Wikipedia dixit

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

All the source code in your company

Slide 6

Slide 6 text

All the source code in your company: In house

Slide 7

Slide 7 text

All the source code in your company: In house, Outsourced

Slide 8

Slide 8 text

All the source code in your company: In house, Outsourced, OSS Commercial

Slide 9

Slide 9 text

All the source code in your company: In house, Outsourced, OSS Commercial, OSS / No support

Slide 10

Slide 10 text

[Diagram: a Corporation surrounded by its providers (Key Provider, Yet Another Key Provider, Provider), with its source code split into In House, Outsourced, OSS Commercially supported and Adopted OSS]

Slide 11

Slide 11 text

Assumption: You want to have a healthy provider ecosystem

Slide 12

Slide 12 text

In House / Outsourced / OSS Commercial Support / OSS with no Support
How do you take care of risk?

Slide 13

Slide 13 text

In House / Outsourced / OSS Commercial Support / OSS with no Support
You control risk by checking the… code quality, security scanners, internal process, and others

Slide 14

Slide 14 text

In House / Outsourced / OSS Commercial Support / OSS with no Support
You control risk by checking the… financial status, source code (if provided), people involved and expertise, NDA in place, code security rules, …

Slide 15

Slide 15 text

In House / Outsourced / OSS Commercial Support / OSS with no Support
You control risk by checking the… Outsourced + checking the code, compliance

Slide 16

Slide 16 text

In House / Outsourced / OSS Commercial Support / OSS with no Support
You control risk by checking the… checking the code, compliance, closer to in house development?

Slide 17

Slide 17 text

In House / Outsourced / OSS Commercial Support / OSS with no Support
But there are missing points: How can I check the financial stability of these projects? What is their history? Can I talk to someone there? Who are they?

Slide 18

Slide 18 text

Corporations have several ways to interact with OSS communities. TODO bring here the picture of the ways companies interact and measure risk

Slide 19

Slide 19 text

Assumption: You want to have a healthy provider ecosystem

Slide 20

Slide 20 text

OSS is part of any corporation's ecosystem. Indeed, a big percentage of the existing source code is third-party source code, either proprietary or OSS.

Slide 21

Slide 21 text

How are we taking care of the risks associated with a provider? Financial status, legal situation, even perhaps being the exclusive provider in certain markets, and others. Then we trust the provider, even in cases where the source code is not even provided, as for example in the automotive industry with a lot of secrecy.

Slide 22

Slide 22 text

All the source code in your company: In house, Outsourced, OSS Commercial, OSS / No support

Slide 23

Slide 23 text

All the source code in your company: In house, Outsourced, OSS Commercial, OSS / No support

Slide 24

Slide 24 text

What do you do with the OSS code you use that is not under any commercial relationship, or where there is no company behind it?

Slide 25

Slide 25 text

What do you do with the OSS code you use that is not under any commercial relationship, or where there is no company behind it? You take it, create an internal product, and after a certain risk analysis you move forward and it becomes part of the official and internal tech stack.

Slide 26

Slide 26 text

Open Source World Within the walls of the Organization

Slide 27

Slide 27 text

Open Source World Within the walls of the Organization

Slide 28

Slide 28 text

Open Source World Within the walls of the Organization

Slide 29

Slide 29 text

Open Source World Within the walls of the Organization

Slide 30

Slide 30 text

Open Source World Within the walls of the Organization These are great, excellent, and lovely internal products used across the organization

Slide 31

Slide 31 text

Open Source World Within the walls of the Organization They are not that great anymore…

Slide 32

Slide 32 text

SupplyChainCon Track, welcome!

Slide 33

Slide 33 text

What are the areas of analysis? Reasons to adopt the technology and how to limit the risk of that adoption. Source code security analysis, continuous checks, open source compliance, etc.

Slide 34

Slide 34 text

You are treating the adopted OSS technology just as a risk. Have you considered working with those OSS communities as providers?

Slide 35

Slide 35 text

Countering Build Threats / Source Code Level Problems / Dependency Threats

Slide 36

Slide 36 text

Countering Build Threats / Source Code Level Problems / Dependency Threats / Countering Community Threats

Slide 37

Slide 37 text

Can I define Community Threats as…
- Poorly maintained, lack of effort or time
- Project driven by just one company (or the other way around)
- Lack of engagement or high company turnover
- Lively community

Slide 38

Slide 38 text

Money? How can I have healthier providers? And even more, be aware of this?

Slide 39

Slide 39 text

Money?

Slide 40

Slide 40 text

Money?

Slide 41

Slide 41 text

Indeed, how can we measure the risk of a provider that does not exist as a company and that is not providing commercial services? Beyond the usual analysis of source code or compliance, have a look at other areas: activity, community, and process. And work with this community as if it were another partner. It happens that this should be done in a different way.

Slide 42

Slide 42 text

Some hints: Risk analysis - community sustainability, community health. Actions to take - help those communities to be more sustainable, sit down at the table with them. Just pouring money into them is not the only solution; they may need marketing, or engineering cycles.
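The community threats listed on slide 37 and the community-health risk analysis suggested here can be turned into concrete indicators over commit history. The following is an added example, not code from the talk or from GrimoireLab; it runs over a constructed commit list, treats the email domain as the contributor's organisation, and uses illustrative thresholds that are assumptions.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample commits (not from the talk): (author email, commit date);
# in practice they come from git log or a GrimoireLab-enriched dataset.
COMMITS = [
    ("alice@acme.example", date(2022, 9, 1)), ("alice@acme.example", date(2022, 8, 5)),
    ("alice@acme.example", date(2022, 6, 2)), ("alice@acme.example", date(2022, 4, 15)),
    ("bob@acme.example", date(2022, 8, 30)), ("bob@acme.example", date(2022, 7, 22)),
    ("carol@beta.example", date(2022, 8, 11)), ("dave@mail.example", date(2022, 5, 1)),
]
AS_OF = date(2022, 9, 13)  # analysis date (constructed)

def org_shares(commits):
    # Fraction of commits per organisation, largest first.
    # Assumption: the email domain stands in for the contributor's organisation.
    counts = Counter(email.split("@", 1)[1].lower() for email, _ in commits)
    total = sum(counts.values())
    return {org: n / total for org, n in counts.most_common()}

def elephant_factor(commits):
    # Smallest number of organisations authoring >= 50% of commits (CHAOSS metric);
    # 1 means a single company drives the project.
    cumulative = 0.0
    for n, share in enumerate(org_shares(commits).values(), start=1):
        cumulative += share
        if cumulative >= 0.5:
            return n
    return 0

def authors_between(commits, start, end):
    return {email for email, day in commits if start <= day < end}

def churned_authors(commits, as_of, days=90):
    # Active in the previous window, silent in the current one: a turnover signal.
    cur_start = as_of - timedelta(days=days)
    current = authors_between(commits, cur_start, as_of + timedelta(days=1))
    previous = authors_between(commits, cur_start - timedelta(days=days), cur_start)
    return previous - current

def days_since_last_commit(commits, as_of):
    return (as_of - max(day for _, day in commits)).days

def community_threats(commits, as_of):
    # Thresholds are illustrative assumptions, not values from the talk.
    active = authors_between(commits, as_of - timedelta(days=90), as_of + timedelta(days=1))
    return {
        "driven_by_one_company": elephant_factor(commits) == 1,
        "low_engagement": len(active) < 3,
        "high_turnover": len(churned_authors(commits, as_of)) > 0,
        "poorly_maintained": days_since_last_commit(commits, as_of) > 180,
    }
```

On the sample data one company authors 75% of commits and one contributor went silent in the last quarter, so two of the four threat flags are raised.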

Slide 43

Slide 43 text

Some hints: Consider looking at the project directly; there are a lot of them not covered under the umbrella of any OSS Foundation

Slide 44

Slide 44 text

No content

Slide 45

Slide 45 text

Community Health Analytics for Open Source Software https://chaoss.community

Slide 46

Slide 46 text

OSS Tools to Analyze (OSS) Software Development Projects https://chaoss.github.io/grimoirelab/
[Diagram: Raw data; Identities DB; Enriched data; Incremental datasets; Historical data; Focus on data, not on mining processes; OSS metrics lake; Metrics ready for consumption; 30+ Data sources]

Slide 47

Slide 47 text

SBoM (with git/github info) -> Community Threats / Metrics

Slide 48

Slide 48 text

https://github.com/chaoss/wg-risk/tree/main/focus-areas/business-risk

Slide 49

Slide 49 text

The general feeling is not to choose a particular OSS project if it is risky. I say: grow with your providers.

Slide 50

Slide 50 text

Software Development Analytics Defining the Limits of Risk OSS Summit EU 2022 Daniel Izquierdo Cortázar