Slide 1

Slide 1 text

A Walk through the OSPO Five-stage Model
Open Source Lisbon | October 12
Ana Jiménez Santamaría | @anajsana95

Slide 2

Slide 2 text

> Formerly at Bitergia: 3+ years of experience helping organizations in their InnerSource and Open Source metrics journey
> OSPO PM at TODO: Group of practitioners advocating for #OSPO education and adoption across organizations worldwide through networking, training, research, guides, tools and more
> MSc in Data Science
> Involved in other OS communities: CHAOSS, OpenChain, TODO, InnerSource Commons, DevRel Collective, DevRel Spain

Slide 3

Slide 3 text

What are the potential risks for the open source ecosystem if organizations do open source incorrectly?

Slide 4

Slide 4 text

What are the potential risks for the open source ecosystem if organizations do open source incorrectly?
What is the cost of doing business for organizations if they do open source incorrectly?

Slide 5

Slide 5 text

Not all parts are created equal
● 29% of popular projects contain known vulnerabilities [1]
● 6.5% of non-popular projects contain known vulnerabilities [1]
● 90% of a modern application’s code base is open source [2]; 10% is custom code
[1,2] Sonatype, 2020 and 2021 State of the Software Supply Chain

Slide 6

Slide 6 text

90% of IT leaders are using enterprise open source today (Red Hat)
91% of commercial applications contain outdated or abandoned open source components (Synopsys)
Organizations not being conscious of open source nowadays

Slide 7

Slide 7 text

Chief Information Security Officer (CISO)
Role within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected.

Slide 8

Slide 8 text

// Open Source Program Office (OSPO)
https://github.com/todogroup/ospodefinition.org

Slide 9

Slide 9 text

ADOPTING A STRATEGIC POSTURE AROUND OPEN SOURCE IS NO LONGER OPTIONAL

Slide 10

Slide 10 text

OSPO Responsibilities
📘 Develop and Execute Open Source Strategy
🧭 Eliminate Friction from Using and Contributing to Open Source
🖥 Manage Open Source IT Infrastructure
📚 Give Advice on Open Source
🫶 Grow and Retain Open Source Talent Inside the Organization
🤝 Implement InnerSource Practices
⏱ Track Performance Metrics
🤝 Collaborate with Open Source Organizations
📈 Prioritize and Drive Open Source Upstream Development
📝 Establish and Improve Open Source Policies and Processes
🔍 Oversee Open Source Compliance
📒 Support Corporate Development Activities

Slide 11

Slide 11 text

// Frequent Questions
🤝 Is an OSPO a fit for my organization?
🧩 When is the best time to start an OSPO?
🚀 How can my organization pave the path to build an OSPO?

Slide 12

Slide 12 text

// Frequent Questions
🤝 Is an OSPO a fit for my organization?
🧩 When is the best time to start an OSPO?
🚀 How can my organization pave the path to build an OSPO?

Slide 13

Slide 13 text

OSPOs can take many flavors

Slide 14

Slide 14 text

No content

Slide 15

Slide 15 text

landscape.todogroup.org

Slide 16

Slide 16 text

Which OSPO story can you relate to?
🚀 Growing OSPO
● Seen as a critical asset in the organization
● There is a continuous evolution
🔒 Locked OSPO
● Not seen as a critical asset
● No/low decision power: either they perished or are just maintained
Some successful stories can be found at:
● OSPOlogy
● OSPO Use cases

Slide 17

Slide 17 text

Case Study: Oficinas de Software Libre (Open Source / FOSS Offices) in Spain
https://www.uco.es/aulasoftwarelibre/directorio-de-oficinas-de-software-libre/

Slide 18

Slide 18 text

// OSPOs are nurtured from multiple angles
Approach:
● Top-down AND bottom-up
● Infuse open source understanding to all parties
● Build a matrix of experts and act as the linchpin
Wherever the need came from, make sure to build strong communication channels.

Slide 19

Slide 19 text

No content

Slide 20

Slide 20 text

Open source is the lifeblood for many of the small businesses represented in this study. OSPOs continue to be seen as extremely or very critical to the success of engineering or product teams. However, respondents at organizations with less than 50 employees are twice as likely to believe the efforts are extremely critical as compared to those at organizations with 1,000 or more employees.
https://github.com/todogroup/osposurvey

Slide 21

Slide 21 text

https://github.com/todogroup/osposurvey

Slide 22

Slide 22 text

// Frequent Questions
🤝 Is an OSPO a fit for my organization?
🧩 When is the best time to start an OSPO?
🚀 How can my organization pave the path to build an OSPO?

Slide 23

Slide 23 text

No content

Slide 24

Slide 24 text

@anajsana95 // @todogroup // OSPO Characteristics

Slide 25

Slide 25 text

// Frequent Questions
🤝 Is an OSPO a fit for my organization?
🧩 When is the best time to start an OSPO?
🚀 How can my organization pave the path to build an OSPO?

Slide 26

Slide 26 text

OSPO Responsibilities
📘 Develop and Execute Open Source Strategy
🧭 Eliminate Friction from Using and Contributing to Open Source
🖥 Manage Open Source IT Infrastructure
📚 Give Advice on Open Source
🫶 Grow and Retain Open Source Talent Inside the Organization
🤝 Implement InnerSource Practices
⏱ Track Performance Metrics
🤝 Collaborate with Open Source Organizations
📈 Prioritize and Drive Open Source Upstream Development
📝 Establish and Improve Open Source Policies and Processes
🔍 Oversee Open Source Compliance
📒 Support Corporate Development Activities

Slide 27

Slide 27 text

No content

Slide 28

Slide 28 text

Adapt and find your way

Slide 29

Slide 29 text

Legal-Driven Stage
Organizations in Stage 1 recognize that OSS is a key part of their business and technology strategy. They understand that the security practices of OSS projects differ from those of proprietary software companies. Organizations must identify their legal and security risks.
Risk mitigation strategies include:
● Careful licensing
● Developer education
● Inventory-taking

Slide 30

Slide 30 text

Legal-Driven Stage
Some useful resources to get started
Training:
● Secure software fundamentals
● Implementing open source license compliance management
● OS licenses and compliance basics - OSPO 101 module 5
Playbooks / practical implementation:
● Implement ISO/IEC 5230 specification through the lens of an OSPO
● Open Source Policy Examples and Templates
Tooling:
- SCA tooling
- Metrics
- Project quality
- Documentation Projects

Slide 31

Slide 31 text

Community-Driven Stage (part 1)
OSPOs in Stage 2 create internal mechanisms such as ambassadors who promote usage of approved OSS products, educational programs on good OSS hygiene, technical training or skill building and certification in OSS, etc. With these initiatives, an organization can grow its use of OSS and amplify the message that OSS is not only important but desirable and preferable to proprietary software products within the organization.

Slide 32

Slide 32 text

Community-Driven Stage (part 1)
Some useful resources to get started
Practical implementation
● InnerSource Patterns: implement InnerSource principles to:
○ Help nurture the open source culture
○ Ease internal communication
● Tooling - Documentation Projects

Slide 33

Slide 33 text

Community-Driven Stage (part 2)
As they advance in Stage 2, organizations begin incentivizing their developers to work on OSS projects critical to their operations, to the degree that developers become highly active contributors or primary maintainers.
● OSPOs begin to streamline and optimize outbound open source contributions for their developers.
● OSPOs create and launch open source projects and establish broad credibility in the open source community.

Slide 34

Slide 34 text

Community-Driven Stage (part 2)
Some useful resources to get started
Training:
● OSPO 101 module 7
● OSPO module 4 - Effective OS Development & Participation
● WIP: OSPO 101 extension modules!!
Practical implementation
● Outbound Open Source Guide (OSPO/TODO Guide)
● OSPO Metrics working group
● Defining OSPO policies (OSPO 101 modules)
Tooling:
● Metrics

Slide 35

Slide 35 text

Engagement-Driven Stage
In Stage 3, organizational leaders support incubating and launching open source projects into the public sphere because they understand how these projects benefit their organization. These projects tend to offer better performance and crucial capabilities critical to the organization's technology infrastructure. The OSPO develops internal processes, playbooks, checklists, tooling, and other mechanisms to vet, organize, and operate open source projects and to prepare and coach their leaders.

Slide 36

Slide 36 text

Engagement-Driven Stage
Some useful resources to get started
Guides:
● Participating in open source communities
Practical implementation
● Open Source Policy Examples and Templates
● Outbound Open Source Guide (OSPO/TODO Guide)
● Community health Metrics Standards - OSPO WG
Tooling:
- Metrics
- Documentation Projects

Slide 37

Slide 37 text

Leadership-Driven Stage
The OSPO becomes a strategic partner for technology decisions, helping to guide choices and shape long-term commitments to projects.
Three types of strategic guidance:
● Advises the CTO and technology leadership on open source technologies to adopt / remove from the organization’s technology stack
● Takes the lead on benchmarking what constitutes an acceptable OSS project
● Helps organizations understand and navigate project governance

Slide 38

Slide 38 text

Leadership-Driven Stage
Some useful resources to get started
Guides
● https://todogroup.org/guides/building-leadership/
Practical implementation
● Outbound Open Source Guide (OSPO/TODO Guide)
● OSPO Metrics working group
Tooling:
● Metrics

Slide 39

Slide 39 text

When starting an OSPO…
🚀 Have clear goals
🧭 Find your way
💚 Collaborate

Slide 40

Slide 40 text

// Learn more
Communication channels: GitHub, Slack, Twitter, LinkedIn
TODO Guides & Resources: https://todogroup.org/guides/

Slide 41

Slide 41 text

Thank You!