Slide 1

Slide 1 text

ESTABLISHING AN OPEN SOURCE PROGRAM OFFICE
October 2018
Lee Calcote
calcotestudios.com/talks

Slide 2

Slide 2 text

CREATING AN OSPO
@lcalcote

Slide 3

Slide 3 text

CREATING AN OSPO
“There isn’t a one size fits all model. I can’t stand up in front of a crowd and say, ‘this is how you should do it,’” – Jeff McAffer, director of Open Source Programs Office at Microsoft
And neither am I... this is how you "might" do it.

Slide 4

Slide 4 text

LEE CALCOTE
clouds, containers, functions, applications, and their management
linkedin.com/in/leecalcote
@lcalcote
gingergeek.com
calcotestudios.com/talks
github.com/leecalcote

Slide 5

Slide 5 text

NOW AVAILABLE
compliments of NGINX
gingergeek.com

Slide 6

Slide 6 text

WHY CREATE AN OPEN SOURCE PROGRAM OFFICE?

Slide 8

Slide 8 text

That's great.

Slide 9

Slide 9 text

That's great. But, why?

Slide 10

Slide 10 text

The Philadelphia Open Source Conference aims to connect open source developers, leaders, technologists, and community leaders to collaborate on the latest in open source innovation. It’s an environment for cross-collaboration between developers, operators, architects, leaders and others who are driving the technology forward.
That's great. But, why?

Slide 11

Slide 11 text

PROMINENCE OF OPEN SOURCE
all major areas of software innovation are happening in open source
[Diagram labels: WORLD]

Slide 12

Slide 12 text

PROMINENCE OF OPEN SOURCE
all major areas of software innovation are happening in open source
[Diagram labels: SOFTWARE, WORLD]

Slide 13

Slide 13 text

PROMINENCE OF OPEN SOURCE
all major areas of software innovation are happening in open source
[Diagram labels: SOFTWARE, OPEN SOURCE, WORLD ™]

Slide 14

Slide 14 text

PROMINENCE OF OPEN SOURCE
all major areas of software innovation are happening in open source
[Diagram labels: SOFTWARE, OPEN SOURCE, CLOUD, WORLD ™]

Slide 15

Slide 15 text

TOP BENEFITS
1. Awareness
2. Influence
3. Compliance
4. Development velocity

Slide 16

Slide 16 text

TOP BENEFITS
1. Awareness
2. Influence
3. Compliance
4. Development velocity
Those without an OSPO want to attract talent. Those with an existing OSPO already have talent.

Slide 17

Slide 17 text

OPEN SOURCE PROGRAM OFFICE STRATEGY

Slide 18

Slide 18 text

Calcote's 5 C's to open source strategy...

Slide 19

Slide 19 text

Calcote's 5 C's to open source strategy...
a well-rounded open source strategy incorporates these 5 C's
...include not only consuming open source software and complying with licensing, but also participating in community, giving and receiving contributions as well as actively assuaging the competitive nature of popular projects.

Slide 20

Slide 20 text

PATH TO MASTERING OPEN SOURCE
From bottom to top

Slide 21

Slide 21 text

CONTINUAL INGESTING OF SOFTWARE FROM MULTIPLE SOURCES

Slide 22

Slide 22 text

CONTINUAL INGESTING OF SOFTWARE FROM MULTIPLE SOURCES
Today's software products average 60% to 80% open source in their code.

Slide 23

Slide 23 text

CONSUMPTION
WHY DO COMPANIES USE OPEN SOURCE SOFTWARE?
THERE ARE MANY COMPELLING REASONS FOR USING OPEN SOURCE:

Slide 24

Slide 24 text

CONSUMPTION
WHY DO COMPANIES USE OPEN SOURCE SOFTWARE?
THERE ARE MANY COMPELLING REASONS FOR USING OPEN SOURCE:
Faster - speed up the delivery of software solutions.

Slide 25

Slide 25 text

CONSUMPTION
WHY DO COMPANIES USE OPEN SOURCE SOFTWARE?
THERE ARE MANY COMPELLING REASONS FOR USING OPEN SOURCE:
Faster - speed up the delivery of software solutions.
Shared cost - less expensive than commercial software and in-house development.

Slide 26

Slide 26 text

CONSUMPTION
WHY DO COMPANIES USE OPEN SOURCE SOFTWARE?
THERE ARE MANY COMPELLING REASONS FOR USING OPEN SOURCE:
Faster - speed up the delivery of software solutions.
Shared cost - less expensive than commercial software and in-house development.
Flexibility - with source code in-hand, you can make needed modifications and licensing flexibility can allow changes to the code and deployment strategies without impediment.

Slide 27

Slide 27 text

CONSUMPTION
WHY DO COMPANIES USE OPEN SOURCE SOFTWARE?
THERE ARE MANY COMPELLING REASONS FOR USING OPEN SOURCE:
Faster - speed up the delivery of software solutions.
Shared cost - less expensive than commercial software and in-house development.
Flexibility - with source code in-hand, you can make needed modifications and licensing flexibility can allow changes to the code and deployment strategies without impediment.
Innovation - often the leading edge of development comes from Open Source communities.

Slide 28

Slide 28 text

CONSUMPTION
WHY DO COMPANIES USE OPEN SOURCE SOFTWARE?
THERE ARE MANY COMPELLING REASONS FOR USING OPEN SOURCE:
Faster - speed up the delivery of software solutions.
Shared cost - less expensive than commercial software and in-house development.
Flexibility - with source code in-hand, you can make needed modifications and licensing flexibility can allow changes to the code and deployment strategies without impediment.
Innovation - often the leading edge of development comes from Open Source communities.
Influence - within a project; across related projects.

Slide 29

Slide 29 text

CONSUMPTION
WHY DO COMPANIES USE OPEN SOURCE SOFTWARE?
THERE ARE MANY COMPELLING REASONS FOR USING OPEN SOURCE:
Faster - speed up the delivery of software solutions.
Shared cost - less expensive than commercial software and in-house development.
Flexibility - with source code in-hand, you can make needed modifications and licensing flexibility can allow changes to the code and deployment strategies without impediment.
Innovation - often the leading edge of development comes from Open Source communities.
Influence - within a project; across related projects.
Talent - both attraction and retention.
All of these reasons add up to a competitive advantage for organizations using OSS.

Slide 30

Slide 30 text

COMPLIANCE
Why should I comply with licenses?
SOLID COMPLIANCE TOOLING AND PROCESS IS KEY TO REDUCING RISK:
Legal injunction that prevents shipping product.
Customer service headaches.
Loss of Intellectual Property.
Engineering rework.
Punitive damages.
Embarrassment.
Source: https://www.linuxfoundation.org/blog/2016/12/open-source-compliance-in-the-enterprise-benefits-and-risks/

Slide 31

Slide 31 text

COMPLIANCE GOALS
1. Shipped products and delivered services have secure and approved open source components and licenses.
2. Ensure license requirements are upheld.
   1. Notices and attribution within and outside of code.
3. Vulnerabilities are tracked and remediations incorporated.
4. Redistribution of source code as appropriate.
2 C's deep. Quit here?

Slide 32

Slide 32 text

COMPLIANCE GOALS
1. Shipped products and delivered services have secure and approved open source components and licenses.
2. Ensure license requirements are upheld.
   1. Notices and attribution within and outside of code.
3. Vulnerabilities are tracked and remediations incorporated.
4. Redistribution of source code as appropriate.
PROCESS GOALS
1. Outline, agree to and educate on OSS review process.
2. Acknowledge on-prem and SaaS have different needs.
   1. Hold each to same rigor and process, augmenting tooling as needed.
3. Empower engineering teams to self-service as much as possible.
4. Account for multi-source development model.
   1. Enable and streamline continuous execution.
2 C's deep. Quit here?

Slide 33

Slide 33 text

INNER SOURCING
INNER SOURCING BEFORE OR AFTER OPEN SOURCING?
Is this step necessary for your organization?
LEVERAGE THE BENEFITS OF OPEN SOURCE DEVELOPMENT METHODOLOGIES INTERNALLY
Establish open source-like culture within org.
More efficient development; standardize tools.
Overcoming organizational unit boundaries.
Promote reuse and avoid not-invented-here complex.
More flexible utilization of developers.

Slide 34

Slide 34 text

CONTRIBUTION
INBOUND AND OUTBOUND
How do I give and receive?
Need to:
Qualify loss of IP.
Have a Contribution License Agreement (CLA)
   As an individual or an organization?
Provide contribution guidelines.
Define project governance.

Slide 35

Slide 35 text

COMMUNITY
PURPOSEFUL ENGAGEMENT KEY TO GAINING MOMENTUM
Formulate—and communicate—your end-user and developer community support strategies and guidelines.
Anyone in your company who wants to start or participate in an existing project should understand what a well-run community looks like.
Support, governance, velocity are all measures used to decide whether to use open source software.

Slide 36

Slide 36 text

COMPETITION
ASSUAGE COMPETITIVE NATURE? COMPETE OUTRIGHT?
Displace or complement?
COMPETE: Race Deeper Broader
COMPLEMENT: Integrations Ingestion Support, Interoperability

Slide 37

Slide 37 text

THE ROLE OF AN OSPO

Slide 38

Slide 38 text

THE ROLE OF AN OSPO
the center of the universe for a company’s open source operations and structure

Slide 39

Slide 39 text

THE ROLE OF AN OSPO
MUCH TO ENCOMPASS

Slide 40

Slide 40 text

BUSINESS ALIGNMENT
Without the right legal counsel, an open source program office can end up placing undue risk on company management. They can also stifle innovation, so strike the right balance.
Align with product strategy. If your open source program office is not helping your product strategy, then it's probably a wasted effort.

Slide 41

Slide 41 text

WHERE TO LAND ONE
Engineering, Legal, Program Management, Corp Dev, Talent Acquisition, Marketing, IT, Documentation, Procurement

Slide 42

Slide 42 text

WHERE TO LAND ONE
Engineering, Legal, Program Management, Corp Dev, Talent Acquisition, Marketing, IT, Documentation, Procurement
How centric to your business is OSS?

Slide 43

Slide 43 text

CROSS-FUNCTIONAL RESPONSIBILITIES

Open Source Executive Committee:
  Review and approve proposals to release IP / proprietary source code under OSS license.
  Review and approve proposals to use non-approved license types.

Open Source Program Office (Review Board):
  Drive all activities surrounding the 5 C's.
  Provide guidance on open source questions coming from company staff and engineers.
  Develop community involvement policy, process, procedures, and guidelines.
  Coordinate source code scans, audits and distribution of source code packages.
  Contribute to compliance and OS training.
  Contribute to creation of new tools to facilitate automation, discovery of OS in dev environment.
  Host and maintain the company’s open source websites.

Engineering Operations:
  Review requests for the use, modification, and distribution of open source.
  Handle compliance inquiries.
  Ensure records of compliance for any given open source software component are up to date.
  Review end-user documentation to ensure that appropriate copyright, attribution, and license notices are given to consumers.
  Perform audits of all software included in a product, which involves the following tasks:
    Run a source code scanning tool over the software base and analyze results.
    Address all licensing conflicts flagged by the scanning tool.
    Oversee the closure of all issues identified by scanning tools.
    Create a final audit report and ensure that all identified issues have been closed.

Legal:
  Provide guidance on licensing.
  Contribute to and approve training.
  Review and approve list of obligations to fulfill.
  Review and approve open source notices.

Engineering & Product Teams:
  Follow compliance policies and processes.
  Integrate compliance practices in dev process.
  Conduct design, architecture, and code reviews.
  Prepare software packages for distribution.

IT & Supply Chain:
  Mandate third party software providers to disclose open source in licensed or purchased software components.
  Assist with ingress of third party software (commercial and open source software).
  Support and maintenance for tools infrastructure used by the compliance program.
  Create and/or acquire new tools based on OSPO requests.

Documentation & Localization:
  Include open source license information and notices in the product documentation.
  Translate basic information in target languages about open source information related to the product or software stack.

Corporate Development:
  Request open source compliance be completed before a merger or acquisition.
  Request open source compliance be completed when receiving source code from outsourced development centers or third-party software vendors.

Human Resources:
  Build, retain, and attract talent

Slide 44

Slide 44 text

CONTINUAL COMPLIANCE PROCESS
the "74%" of an OSPO's role
Request approval before using.
Initial and on-going scans of existing code bases.

Slide 45

Slide 45 text

CONTINUAL COMPLIANCE PROCESS
Two points of ingest
the "74%" of an OSPO's role
Request approval before using.
Initial and on-going scans of existing code bases.

Slide 46

Slide 46 text

TOP 3 WAYS SUCCESS IS MEASURED
Measuring and monitoring success.

Slide 47

Slide 47 text

OSPO DASHBOARD
CHECKLIST
For your code and third-party code

Security:
  Identified security vulnerabilities
  Static vulnerability analysis

Compliance:
  Flagged license compliance
  Status of scans

Contribution:
  Missing contribution guides
  Unsigned CLAs
  Outstanding contribution requests

Community:
  Events
  Repo stats: stars, PRs, commits, issues

Slide 48

Slide 48 text

ESTABLISHING AN OSPO
Hire a believer; a champion
Open source pragmatists are everywhere, but your innovative, forward-thinking, ambitious open source advocate is an extremely valuable rarity. Hire them to run your open source programs if you want to make a difference.

Slide 49

Slide 49 text

ESTABLISHING AN OSPO
Hire a believer; a champion
Open source pragmatists are everywhere, but your innovative, forward-thinking, ambitious open source advocate is an extremely valuable rarity. Hire them to run your open source programs if you want to make a difference.
Open source programs tend to start informally as a working group or a few key open source developers and then evolve into formal programs over time...
...typically within a company’s software engineering or development department (about 41% of programs).

Slide 50

Slide 50 text

TOP CHALLENGES
Open Source Programs Survey
1. Strategy planning
2. Defining policies
3. Executive support

Slide 51

Slide 51 text

CHALLENGE #3
Open source software is more than free software
Most tech company executives are far removed from open source communities. Most don't understand many of the motivations for participants, nor do they understand the nuanced differences in licensing models, various types of productization and business models, or how proprietary and open source software can be used in conjunction to create a better product line.

Slide 52

Slide 52 text

KEEP THE FAITH
The benefits of an open source program are widely known, with 70% of those without a program believing it would have a positive impact in their company, despite any barriers to creating it.

Slide 53

Slide 53 text

RESOURCES
many thanks to these open stewards
Supporting Groups: TODO Group, The Linux Foundation
OSPO Case Studies: Autodesk, Capital One, Comcast, Dropbox, Facebook, Google, Microsoft, Oath, Red Hat, Salesforce

Slide 54

Slide 54 text

LEE CALCOTE
THANK YOU. QUESTIONS?
clouds, containers, functions, applications and their management
linkedin.com/in/leecalcote
@lcalcote
gingergeek.com
calcotestudios.com/talks
github.com/leecalcote