Presented at Open Source 101 2023 - Charlotte Presented by Paula Paul NearForm Title: Zen and the Art of Organizational Open Source Abstract: Open source software and communities can drive meaningful change in organizations. What lessons can we take from open source to drive change in our own organizations? On the surface, most organizations and stakeholders will embrace open source. However, what does it mean to go deep and embrace the true values and goals of open source, but also drive business value in your organization? This talk presents a case study of creating a new open source project at a large enterprise and explores the successes, challenges, and downright failures along the way. The talk presents the lessons learned and takeaways that we can all apply in our own organizations. Enterprises and organizations know that they are powered by open source, but it’s not always easy to live open source. Creating a community to support an open source project can have a huge return on investment. Have you ever tried to convince your employer to make a project open source? Then this talk is for you. Open source runs the world!

1. Driving Organizational
Change and Value with
Open Source

2. Driving Organizational
Change and Value with
Open Source

3. The Yin and Yang of OSS Consumption and Contribution
Zen and the Art of
Organizational Open Source
Paula Paul

4. 4
Cody Zuschlag
codyzus
Staff Developer Relations Engineer @NearForm
Instructor @ Université Savoie Mont Blanc
France

5. 5
Paula Paul
paulapaultweets
Field CTO of DX @NearForm
Board Member OpenJS Foundation
Open Source Day Committee Grace Hopper
Celebration
Many other shenanigans…
At large…

6. 6
Minimize effort
Maximize value
It takes practice!
The Zen
of
Open Source
Consume
Contribute

7. 7
OSS as a Practice
1. Awareness
2. Safe Consumption
3. Strategic Contribution
Practice & Automation for
min effort / max value

8. Awareness

9. Why should
organizations care
about open source?

10. 10
It has been estimated that Free and Open Source Software (FOSS) constitutes 70-90% of
any given piece of modern software solutions.
From: A Summary of Census II: Open Source Software Application Libraries the World Depends On
The World Runs on Open Source

11. 11

12. 12
From: From: Measuring
the Economic Value of
Open Source
How much value do you realize? Do you want more?

13. Why Now?

14. 14
The Open Source Landscape is Evolving (rapidly!)
Build-vs-Buy
becomes Compose-
vs-Buy
Invest in People vs
Maintenance fees
for COTS or SaaS
Recruiting/Retention
Time to Market
Innovation
Differentiation
Strategic Control
OSS is accelerating
Value is accelerating
OSS Solutions
Viable solutions to
replace SaaS & COTS

15. 15
Optimize consumption
& contribution to
maximize value
Where is your sweet spot?
Create

16. 16
What is your Zen?
● Attracting & retaining talent
● Innovation
● Lower maintenance costs
○ Reduce/avoid fees
○ Impact feature roadmap, TTM
● Improve dev ex (internal & external)
● Brand recognition
● Reinforce corporate goals & values
○ Sustainability
○ Community

17. 17
Reaching Zen in OSS
5. Enlightenment
4. Acceptance
3. Bargaining
2. Fear
1. Denial
Awareness
Safe Consumption
Strategic
Contribution

18. 18
OSS as a Practice
1. Awareness
2. Safe Consumption
3. Strategic Contribution
Repeated Practice &
Automation to minimize effort

19. Safe Consumption
Consume
Contribute

20. 20
From NodeConf EU 2022: Responsible use of Node.js & OpenSource software at an Enterprise Level, Steve Husak, Capital One
The OSS security landscape has changed rapidly

21. 21
Understand Threats, Embrace Threat Modeling

22. 22
From: Dependency Confusion and Substitution Attacks
Understand your dependencies & supply chain

23. 23
From OWASP.org: DevSecOps Guideline - v-0.2
Fortunately, automation and tooling has kept up
● Software Bill of Materials (know and audit your dependencies)
○ awesomeSBOM
● Automated dependency updates
○ Dependabot
● FOSS SAST/DAST
○ OWASP Top Ten
○ Bearer
○ Is My Node Vulnerable?
○ Mend.io OSS Tools
○ Synk Open Source
○ Socket
Please Lint for Secrets!

24. 24
Start Small: OSPO Working Group
Getting Started
● Identify Executive Sponsor
● Define simple Ways of Working for the OSPO WG / OSS ‘practice’
○ Use GitHub! (like the Linux Foundation)
○ Adopt ADRs! (we can help)
● Identify Strategic OSS Dependencies
○ E.g. Node, React… (start with a small number then expand)
● Identify target versions for Strategic OSS Dependencies, adopt SBOMs
○ Automate SBOMs and conformance checking (e.g. Linting, CLOMon)
● Set goals for OSS Policy, automate metrics and conformance
○ Contribution to projects you consume (employee agreements, CLAs, Legal)
○ Contributing your projects (licensing, hosting, sponsorship, accountability)
○ Time allocated for all employees to learn, participate, and contribute to OSS

25. 25
From NodeConf EU 2022: Responsible use of Node.js & OpenSource software at an Enterprise Level, Steve Husak, Capital One
Start Small: OSPO Working Group
Practice, learn, and evolve over time, to:
○ Expand the footprint of technologies under the OSPO
○ Create additional automation and conformance checks
○ Sponsor internal Hackathons and OSS Innovation Labs
○ Own and sponsor public facing OSS assets
■ OSS Projects, NPM Registries, GitHub Organizations
○ Participate in public OSS Working Groups and Hackathons
■ OpenJSF / OpenSSF / FINOS / Green Software Foundation
■ Linux Foundation Public Health
■ Grace Hopper Open Source Day!
○ Build community, contribute to recruiting & retention through OSS

26. 26
OSS is a Practice!
Balance -
- Safe Consumption
- Strategic Contribution
(not just one or the other)
Consume
Contribute

27. 27
OSS as a Practice
1. Awareness
2. Safe Consumption
3. Strategic Contribution
Repeated Practice &
Automation to minimize effort

28. Strategic Contribution
Consume
Contribute

29. 29
Lessons from the field
1. Publishing new projects
○ If you build it, they may not come…
○ All this work for such a small package!
2. Contributing to existing projects
○ Avoid dual maintenance (inner/OSS)
○ Ownership and IP
○ Harnessing Community as an
extension of your Engineering team

30. 30
Starting Small
● Pick a small project
○ Solve an issue for your team!
○ Create a better mousetrap :)
● Avoid huge investments of time & $
● Automate OSS best practices
○ Get to know the TODO Group
○ Repolinter - OSS best practices
● Become familiar with CLOMon
● Consider Backstage for Governance

31. 31
CLOMon, from CNCF - Open Source Health Dashboard
OSS Health - CLOMon, brand as your OSS dashboard

32. 32
OSPO
OSS Policies / Open Source Days
OSS Developer Experience and Governance

33. 33
Spotify Backstage (OSS) - Engineering Governance

34. 34
Having multiple models for these different
cases that are then combined to form final
customer predictions allows us to account
for these differences.
Open Source Innovation is part
of the NearForm Identity
It is who we are.
People
● Recruiting: We can leverage
open source activities/thought
leadership to attract talent.
● Retention: We can give people
opportunities to ‘do the fun
work’ in open source as part of
our Open Source Policy.
● Training and upskilling: The DX
team is able to pair with core
delivery engineers to upskill and
train them on strategic tech and
how to engage in Open Source.
Brand and Visibility
● The DX team are technology
‘influencers’ via social media,
conference presentations, VLogs,
Twitch live coding, and more.
● OSPO tracks strategic OSS projects for
visibility and contribution.
● The DX team provides service
offerings.
● The DX team incubates new service
offerings based on Open Source
innovation (e.g. Lyra/Orama).
DX-OSS at NearForm
Open Source Leadership and Innovation
● OSPO and OSS Policy.
● Visible participation in Open Source
committees & working groups, with
related content.
● Based on input form working groups
and from core delivery, produce
working code that demonstrates
thought leadership and innovation.
● Offer Open Source Program Office and
Innovation Lab creation services to
clients to ignite innovation and
excitement in their technology teams.

35. OSS at NearForm
We work directly with the Open Source Security
Foundation to ensure the security of the JS
ecosystem
We are co-chairing Open Source Day with the
Grace Hopper Celebration to promote diversity &
inclusion in OSS
Our DX team includes one member of the Node
Technology Steering Committee, and three Node
Core Contributors
We sit on the board of the OpenJS Foundation,
and participate as Associate Members of FINOS
(Financial Services Open Source)
LF Public Health showcases our work on the
COVID App
We are contributing to the FINOS Accessibility
Hackathon to improve end to end accessibility
through Open Source

36. Where to start?
Consume
Contribute

37. Where are we?
Are there areas for growth?

38. 38
Denial
● “We don’t do OSS”
● All closed source, commercially
licensed software
● OSS prohibition - fears about
security and supply chain

39. 39
Fear
● Tightly controlled supply chain
● Devs struggle to be productive
○ shadow IT

40. 40
Bargaining
● Open supply chain
● Devs contribute only to
controlled supply chain
● No contributions to public OSS
projects
● “InnerSource” vs Open Source
● No OSS Policy

41. 41
Acceptance
● Developers empowered to use
and contribute to OSS
● Adhoc non-optimized
community contributions
● Part of OSS ecosystem, but
not organized initiative
● Discussions of OSPO & Policy

42. 42
Enlightenment
● Strategic OSS dependencies
known and leveraged for value
● OSS drives innovation,
engagement, growth, & retention
● Measuring contributions & ROI
○ Org & community
● OSPO and OSS policy
○ Automated conformance
○ Education on legal aspects
○ Time for contribution
○ OSS Health Dashboard
● Actively participate in OSS
foundations/standards groups

43. 43
Your OSS Practice
● Areas for growth?
○ Awareness?
○ Safe Consumption?
○ Strategic Contribution?
● What are your goals?
○ Reduce COTS/SaaS Cost?
○ Understand OSS alternatives?
● Innovation & differentiation
○ OSS for competitive advantage
○ OSS to differentiate
○ OSS to innovate

44. Where to Start?
Consume
Contribute

45. 45
Effort vs Value
What are your goals?
- Safe Consumption & Supply Chain?
- Recruiting & Retention?
- Developer Experience? Community?
- Time to Market?
- Reduced COTS & SaaS Cost?

46. 46
Measure & Automate
Start Small - one exercise at a time
- Awareness
- OSS as part of onboarding
- Simple OSS Policy
- Education, time, metrics
- Safe Consumption
- Identify critical dependencies
- Keep dependencies current
- Supply chain automation
- Strategic Contribution
- Solve a business need
- Publish your first project, learn

47. 47
Consume
Contribute
Minimize effort
Maximize OSS value
Balanced Practice

48. 48
nearform.com
WE’RE BOLD
WE’RE FLEXIBLE
WE’RE OPEN
WE’RE EMPOWERING
follow us on
Major Contributors to the
Open Source Web Platform
Represents modules used globally
8%
NPM monthly downloads
1B
Global Delivery and OSS Innovation

49. 49
Questions?