Strategy, risks of open source adoption... How a strong governance model can make your open source journey the most effective.
2. Wipro Today
• $8.1Bn IT Services Revenue in FY 2018-19
• 1060 active global clients*
• 174,850 employee count*
• 57 countries with employee presence*
• 25,000+ open source developers
• Active participants in 20+ communities and foundations
• 1000+ global enterprise open source projects
*Figures based on Q1 2019-20 for Global IT Services business
3. Why Do I Need Governance In Open Source?
• Get all the benefits from adoption
  • Innovation
  • Flexibility
  • HR
  • TCO
• Addresses core complexities of Open Source adoption
  • Risk management and mitigation
  • Security
  • Licenses
  • Versioning
4. Open Source evolution
• Many organizations early on would not allow Open Source
• Developers push to include Open Source to drive innovation and improve efficiency
• Ops migration to Linux from traditional Unix or Mainframe
• Business buy-in and adoption of processes to drive strategy to reduce cost and improve time to market
[Diagram: Generation I: No Open Source; Generation II: Developer driven; Generation III: Developer and Ops driven; Generation IV: Governance and Business driven]
5. Why Open Source in the Industry
• According to the Red Hat Open Source Survey there has been a 69% increase in usage since April of 2018
• Adoption of Open Source to support industry trends like cloud, serverless and microservices technologies
• Even Microsoft has jumped headfirst into the pool, announcing its commitment to Open Source and acquiring GitHub
• Companies like IBM recently acquiring Red Hat, Salesforce purchasing MuleSoft, and others are beginning to narrow the commercial OS vendor field
[Chart: Usage: 90% Open Source Adopters, 10% No Open Source]
6. Challenges and Misconceptions in Open Source Adoption – Yesterday and Today
• Historically many enterprise processes required strict adherence to commercially licensed software
• Lack of adequately trained resources in Open Source
• More tools means more management
• Integration with proprietary tools can be difficult
• Support model: community vs vendor
• Open Source provides instant cost benefit
• Open Source is not secure because it is community driven
• Open Source is not stable
• Licensing is licensing. No different than proprietary software, right?
• Commercial is not Open Source
• Community vs Commercial vs Proprietary
7. IT Governance
• Processes and methodologies to enable an organization’s strategic business goals through defined IT services, software and infrastructure.
• Reduces potential risks related to lack of policies, processes and standards across the enterprise.
[Diagram: IT Governance: Value Delivery; Strategic Alignment; Performance Management; Resource Management; Risk and Compliance Management]
8. Open Source Considerations
• Open source may not be the immediate cost benefit expected
• Patches and upgrades are frequent and often faster than proprietary
• Lack of properly inventoried Open Source tooling across applications can lead to integration, security, license and maintenance issues
• Vulnerabilities are not unique to Open Source
• Open Source licensing complexities can cause major issues if not managed properly
• Selecting the best support model depending on available skills vs cost of support
9. The Case for Enterprise Open Source Governance
• Although there are reportedly 20 main Open Source licenses used by nearly 98% of Open Source and OSI has approved 82 licenses, companies like Black Duck have found as many as 2500 available on the internet
• Company implementations of Brown or Red shift projects will continue to see an increase in Open Source and Cloud adoption
• Often Open Source tools are a vast pool of possibilities with varying community involvement
• Do you know how many different groups are implementing Open Source in your organization?
[Charts: Open Source in the Industry: 96% Adopted OS, 4% None; 2018 Code Base License Conflicts: 68% with conflicts, remainder without conflict]
10. Open Source and Security
• Most vulnerabilities, whether in proprietary, Open Source or custom software, are found because software has not been patched
• Community Open Source is typically faster to address and release patches than large proprietary software
[Charts: Vulnerabilities in Top 100 Projects: at least one vs none (*Black Duck, *WhiteSource); Vulnerabilities over 10 yrs old: older than 10 years vs newer than 10 years (*WhiteSource)]
11. Open Source Repository Management
• Community vs Commercial versioning
• Patches and features not considered stable by Supported Commercial Vendor
• Product of release cycles in a commercial world
• Governing the versions teams use, to avoid stability issues, is key
• Manage a set of governance tooling to track versions of all used software and licenses to assure stability and compliance
• Security vulnerability / CVE tracking and mitigation
[Diagram: License and Vulnerability Management across Code Repo → Build/Dependency → Artifact Repo → Deploy and Release]
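The slide asks for governance tooling that tracks every used component's version and license and flags known vulnerabilities. The following is an added illustration of what such a check looks like at its simplest; it is not Wipro's tooling and not code from the deck. The inventory format (name,version,license), the license policy sets, the component names, and the advisory table with its placeholder advisory ids are all constructed for the example; a real deployment would feed the check from a generated SBOM and a maintained vulnerability database.

```python
"""Dependency inventory policy check (constructed example, not Wipro's tooling).

Reads a small component inventory, then reports three classes of governance
finding: a license outside policy, an unpinned version, and a pinned version
that falls inside a known-vulnerable range.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed license policy; an organisation defines its own lists.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}
REVIEW_LICENSES = {"LGPL-2.1", "MPL-2.0"}   # usable only after legal review
DENIED_LICENSES = {"AGPL-3.0"}              # not permitted in shipped products

# Constructed advisory table: component -> [(first_affected, first_fixed, id)].
# The advisory ids are placeholders, not real CVE numbers.
KNOWN_VULNERABLE: Dict[str, List[Tuple[str, str, str]]] = {
    "libfoo": [("1.0.0", "1.4.2", "ADVISORY-PLACEHOLDER-1")],
    "barutil": [("2.0.0", "2.3.0", "ADVISORY-PLACEHOLDER-2"),
                ("2.5.0", "2.5.1", "ADVISORY-PLACEHOLDER-3")],
}


@dataclass(frozen=True)
class Component:
    name: str
    version: str      # empty string means the version is not pinned
    license: str


@dataclass(frozen=True)
class Finding:
    component: str
    category: str     # "license", "vulnerability" or "versioning"
    detail: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted numeric version to a tuple so 1.10.0 compares above 1.9.9."""
    return tuple(int(part) for part in version.split("."))


def parse_inventory(text: str) -> List[Component]:
    """Parse 'name,version,license' lines; blank lines and # comments are skipped."""
    components = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, version, lic = (part.strip() for part in line.split(","))
        components.append(Component(name, version, lic))
    return components


def check_license(c: Component) -> List[Finding]:
    if c.license in DENIED_LICENSES:
        return [Finding(c.name, "license", f"{c.license} is denied by policy")]
    if c.license in REVIEW_LICENSES:
        return [Finding(c.name, "license", f"{c.license} requires legal review")]
    if c.license not in ALLOWED_LICENSES:
        return [Finding(c.name, "license", f"{c.license!r} is not on the allow list")]
    return []


def check_versioning(c: Component) -> List[Finding]:
    if not c.version:
        return [Finding(c.name, "versioning",
                        "version is not pinned; builds are not reproducible")]
    return []


def check_vulnerabilities(c: Component) -> List[Finding]:
    if not c.version:
        return []   # ranges cannot be evaluated without a pinned version
    current = parse_version(c.version)
    findings = []
    for first_affected, first_fixed, advisory in KNOWN_VULNERABLE.get(c.name, []):
        if parse_version(first_affected) <= current < parse_version(first_fixed):
            findings.append(Finding(c.name, "vulnerability",
                f"{c.version} affected by {advisory}; upgrade to >= {first_fixed}"))
    return findings


def evaluate(inventory: List[Component]) -> List[Finding]:
    findings: List[Finding] = []
    for c in inventory:
        findings += check_license(c) + check_versioning(c) + check_vulnerabilities(c)
    return findings


# Constructed sample inventory; none of these components are real.
SAMPLE_INVENTORY = """
# name,version,license
libfoo,1.2.0,MIT
barutil,2.5.1,Apache-2.0
bazlib,,MIT
quxkit,0.9.0,AGPL-3.0
oldlib,3.1.0,LGPL-2.1
"""

if __name__ == "__main__":
    for f in evaluate(parse_inventory(SAMPLE_INVENTORY)):
        print(f"[{f.category}] {f.component}: {f.detail}")
```

Run as a script it reports four findings for the sample: libfoo inside a vulnerable range, bazlib unpinned, quxkit under a denied license, and oldlib needing license review; barutil at the first fixed version produces nothing. Skipping the vulnerability check for unpinned components is deliberate: the versioning finding already blocks them, and guessing a version would hide the real problem.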
12. Is your Organization Ready for Open Source?
• Developers often drive the use of Open Source without collaboration or alignment to business strategy
• Siloed groups within the organization
• Security groups often shut down Open Source without support
• Culture ready for change
• Existing Governance processes?
[Diagram: OS Strategy: Culture; Governance; Community; Product]
13. Offering Open Source, Protecting Your Offering
• You have decided to be an innovator and offer to the community
• Do you throw it out on GitHub and hope for the best?
• Open Source doesn’t mean you can’t still have proprietary IP
• Open Source IP handled through appropriate licensing and copyright
• Software is generally copyright protected
• Licensing gives permission for use and redistribution and controls contribution
• Processes for managing use of code through licensing agreements or auditing GitHub downloads
14. Building a Governance Model
Organizational Structure
1. Build Business Road-map
2. Determine current Open Source utilization
3. Defined Operation Model
4. Clear Roles and Responsibilities for Stakeholders
5. Defined metrics and KPIs
6. SDLC of services
Policies and Standards
1. Defined Best Practices for managing Open Source
2. Development Standards
3. Define Team ownership
4. Communication Policies
5. Defined owners of enforcement of policies and standards
6. Change Management Policies
7. Building guidelines for COE
8. Contribution policy
9. Community/ecosystem engagement models
15. Building a Governance Model (cont.)
Risk Assessment and Mitigation plan
1. Assure compliance with state and federal regulations where applicable
2. Defined and implemented Information Security practices
3. Risk Mitigation Strategy clearly defined
4. OS management and framework governance
5. Rollback and failure plan for Automated CI/CD
6. Defined Continuous monitoring plan for all Open Source software and hardware
3rd Party Management
1. License management
2. 3rd party audit of internal Open Source components
3. Assess Legal compliance by Vendors
4. Define processes for upgrades, patches and regular maintenance
5. Support model selection policy
16. Resources
Documents
1. 2019 Open Source Security and Risk Analysis by Synopsys Cybersecurity Research Center and Black Duck
2. The State of Open Source Vulnerabilities Management Report, WhiteSource
3. Gartner and Forrester annual reports on Open Source
Acknowledgements
Thank you to the following people for review and recommendations
• Andrew Aitken, GM & Global Open Source Practice Leader
• Sreekanth Nyamars, Open Source COE Lead
• Eric Tice, Global Open Source SME Lead