Understanding Open Source Governance
Gilles Gravier
Director, Senior Advisor – Open Source Strategy
Wipro Technologies
@gravax
Wipro Today
• $8.1Bn IT Services Revenue in FY 2018-19
• 1060 active global clients*
• 174,850 employees*
• Employee presence in 57 countries*
• 25,000+ open source developers
• Active participants in 20+ communities and foundations
• 1000+ global enterprise open source projects
*Figures based on Q1 2019-20 for Global IT Services business
Why Do I Need Governance In Open Source?
• Get all the benefits from adoption
  • Innovation
  • Flexibility
  • HR
  • TCO
• Addresses core complexities of Open Source adoption
  • Risk management and mitigation
  • Security
  • Licenses
  • Versioning
Open Source evolution
• Many organizations early on would not allow Open Source
• Developers push to include Open Source to drive innovation and improve efficiency
• Ops migration to Linux from traditional Unix or Mainframe
• Business buy-in and adoption of processes to drive strategy to reduce cost and improve time to market
[Diagram: Generation I, No Open Source; Generation II, Developer driven; Generation III, Developer and Ops driven; Generation IV, Governance and Business driven]
Why Open Source in the Industry
• According to the Red Hat Open Source Survey there has been a 69% increase in usage since April of 2018
• Adoption of Open Source to support industry trends like cloud, serverless and microservices technologies
• Even Microsoft has jumped headfirst into the pool, announcing its commitment to Open Source and acquiring GitHub
• Companies like IBM recently acquiring Red Hat, Salesforce purchasing MuleSoft, and others are beginning to narrow the commercial OS vendor field
[Chart: Usage, 90% Open Source Adopters, 10% No Open Source]
Challenges and Misconceptions in Open Source Adoption – Yesterday and Today
• Historically many enterprise processes required strict adherence to commercially licensed software
• Lack of adequately trained resources in Open Source
• More tools means more management
• Integration with proprietary tools can be difficult
• Support model: community vs vendor
• Open Source provides instant cost benefit
• Open Source is not secure because it is community driven
• Open Source is not stable
• Licensing is licensing. No different than proprietary software, right?
• Commercial is not Open Source
• Community vs Commercial vs Proprietary
IT Governance
• Processes and methodologies to enable an organization's strategic business goals through defined IT services, software and infrastructure.
• Reduces potential risks related to lack of policies, processes and standards across the enterprise.
[Diagram: IT Governance comprises Value Delivery, Strategic Alignment, Performance Management, Resource Management, and Risk and Compliance Management]
Open Source Considerations
• Open source may not be the immediate cost benefit expected
• Patches and upgrades are frequent and often faster than proprietary
• Lack of properly inventoried Open Source tooling across applications can lead to integration, security, license and maintenance issues
• Vulnerabilities are not unique to Open Source
• Open Source licensing complexities can cause major issues if not managed properly
• Selecting the best support model depending on available skills vs cost of support
The Case for Enterprise Open Source Governance
• Although there are reportedly 20 main Open Source licenses used by nearly 98% of Open Source and OSI has approved 82 licenses, companies like Black Duck have found as many as 2500 available on the internet
• Company implementations of Brown or Red shift projects will continue to see an increase in Open Source and Cloud adoption
• Often Open Source tools are a vast pool of possibilities with variant community involvement
• Do you know how many different groups are implementing Open Source in your organization?
[Charts: Open Source in the Industry, 96% Adopted OS, 4% None; 2018 Code Base License Conflicts, 68% with conflicts, remainder without conflict]
Open Source and Security
• Most vulnerabilities can be found in software, be it proprietary or Open Source or custom, due to lack of patched software
• Community Open Source is typically faster to address and release patches than large proprietary software
[Charts: Vulnerabilities, one or more vs none (source: Black Duck); Vulnerabilities in Top 100 Projects, one or more vs none (source: WhiteSource); Vulnerabilities over 10 years old vs under 10 years (source: WhiteSource)]
Open Source Repository Management
• Community vs Commercial versioning
  • Patches and features not considered stable by the supported commercial vendor
  • Product of release cycles in a commercial world
• Governing which versions teams use is key to avoiding stability issues
• Manage a set of governance tooling to track versions of all used software and licenses to assure stability and compliance
• Security vulnerability / CVE tracking and mitigation
[Diagram: License and Vulnerability Management spanning Code Repo, Build/Dependency, Artifact Repo, and Deploy and Release]
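As an added example of the version, licence and CVE tracking this slide calls for (not code from the deck or from Wipro's tooling): a small Python audit over a constructed component inventory that flags licence conflicts against a simplified policy, components inside a known-affected version range, and unpatched advisories older than ten years. All component names, versions, licence assignments, advisory ids and dates are constructed sample data, and the licence policy is an assumption of the example.

```python
"""Inventory audit for open source governance: versions, licences, CVEs.

Added example (not code from the deck or from Wipro). Every component,
version, licence assignment, advisory id and date below is constructed
sample data; the licence policy is a deliberately simplified assumption.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license_id: str       # SPDX-style identifier, or whatever the inventory recorded


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder id; real tooling would carry a CVE number
    component: str
    introduced: str       # first affected version (inclusive)
    fixed: str            # first fixed version (exclusive); "" means no fix yet
    published: date


# Simplified licence families used by the policy below (assumption).
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"}
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}


def parse_version(text: str) -> tuple:
    """Turn '1.2.3' into (1, 2, 3); non-numeric parts count as 0, short versions are padded."""
    parts = [int(p) if p.isdigit() else 0 for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def license_conflict(component: Component, product_license: str):
    """Reason string if the component's licence conflicts with the product's licence, else None."""
    lic = component.license_id
    if lic in PERMISSIVE or lic in WEAK_COPYLEFT:
        return None
    if lic in STRONG_COPYLEFT:
        if product_license in STRONG_COPYLEFT:
            return None
        return f"{lic} component inside a {product_license} product"
    return f"licence {lic!r} not in policy, needs legal review"


def is_affected(component: Component, adv: Advisory) -> bool:
    """True when the component's version falls inside the advisory's affected range."""
    if adv.component != component.name:
        return False
    v = parse_version(component.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed == "" or v < parse_version(adv.fixed)


def audit(components, advisories, product_license, today, max_age_years=10):
    """Return (component, kind, detail) findings; kind is 'license', 'cve' or 'cve-stale'."""
    findings = []
    for comp in components:
        reason = license_conflict(comp, product_license)
        if reason:
            findings.append((comp.name, "license", reason))
        for adv in advisories:
            if not is_affected(comp, adv):
                continue
            age = (today - adv.published).days / 365.25
            # An unpatched advisory older than max_age_years is the
            # "vulnerabilities over 10 years old" case from the deck.
            kind = "cve-stale" if age > max_age_years else "cve"
            fix = f"upgrade to {adv.fixed}" if adv.fixed else "no fixed version published"
            findings.append((comp.name, kind, f"{adv.advisory_id} ({age:.1f} years old): {fix}"))
    return findings


# Constructed sample inventory and advisory feed.
SAMPLE_COMPONENTS = [
    Component("fastjsonlib", "1.2.3", "MIT"),
    Component("cryptocore", "0.9.1", "GPL-3.0-only"),
    Component("xmlparse", "2.0.0", "Apache-2.0"),
    Component("legacyutil", "1.0.0", "Custom-EULA"),
]
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "fastjsonlib", "1.0.0", "1.2.4", date(2019, 3, 1)),
    Advisory("ADV-0002", "xmlparse", "1.5.0", "1.9.0", date(2008, 6, 1)),   # 2.0.0 is past the fix
    Advisory("ADV-0003", "legacyutil", "0.1.0", "", date(2007, 1, 15)),    # never fixed
]


def run_sample_audit():
    """Audit the constructed inventory for a proprietary product as of the summit date."""
    return audit(SAMPLE_COMPONENTS, SAMPLE_ADVISORIES, "Proprietary", date(2019, 12, 10))


if __name__ == "__main__":
    for name, kind, detail in run_sample_audit():
        print(f"{name:12} {kind:10} {detail}")
```

In a real pipeline the inventory would come from the build's dependency manifest or an SBOM and the advisory list from a vulnerability feed, with the findings gating the artifact repository and release stages shown in the diagram.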
Is your Organization Ready for Open Source?
• Developers often drive the use of Open Source without collaboration or alignment to business strategy
• Siloed groups within the organization
• Security groups often shut down Open Source without support
• Culture ready for change
• Existing Governance processes?
[Diagram: OS Strategy built on Culture, Governance, Community and Product]
Offering Open Source, Protecting Your Offering
• You have decided to be an innovator and offer to the community
• Do you throw it out on GitHub and hope for the best?
• Open Source doesn't mean you can't still have proprietary IP
• Open Source IP handled through appropriate licensing and copyright
  • Software is generally copyright protected
  • Licensing gives permission for use and redistribution and controls contribution
• Processes for managing use of code through licensing agreements or auditing GitHub downloads
Building a Governance Model
Organizational Structure
1. Build Business Road-map
2. Determine current Open Source utilization
3. Defined Operation Model
4. Clear Roles and Responsibilities for Stakeholders
5. Defined metrics and KPIs
6. SDLC of services
Policies and Standards
1. Defined Best Practices for managing Open Source
2. Development Standards
3. Define Team ownership
4. Communication Policies
5. Defined owners of enforcement of policies and standards
6. Change Management Policies
7. Building guidelines for COE
8. Contribution policy
9. Community/ecosystem engagement models
Building a Governance Model (cont.)
Risk Assessment and Mitigation plan
1. Assure compliance with state and federal regulations where applicable
2. Defined and implemented Information Security practices
3. Risk Mitigation Strategy clearly defined
4. OS management and framework governance
5. Rollback and failure plan for Automated CICD
6. Defined Continuous monitoring plan for all Open Source software and hardware
3rd Party Management
1. License management
2. 3rd party audit of internal Open Source components
3. Assess Legal compliance by Vendors
4. Define processes for upgrades, patches and regular maintenance
5. Support model selection policy
Resources
Documents
1. 2019 Open Source Security and Risk Analysis by Synopsys Cybersecurity Research Center and Black Duck
2. The State of Open Source Vulnerabilities Management Report, WhiteSource
3. Gartner and Forrester annual reports on Open Source
Acknowledgements
Thank you to the following people for review and recommendations
• Andrew Aitken, GM & Global Open Source Practice Leader
• Sreekanth Nyamars, Open Source COE Lead
• Eric Tice, Global Open Source SME Lead
Questions
Twitter: @gravax
LinkedIn: https://www.linkedin.com/in/gillesgravier/
Email: gilles.gravier@wipro.com
#OSSPARIS19 - Understanding Open Source Governance - Gilles Gravier, Wipro Limited

#OSSPARIS19 - Understanding Open Source Governance - Gilles Gravier, Wipro Limited

  • 6. Challenges and Misconceptions in Open Source Adoption – Yesterday and Today • Historically many enterprise processes required strict adherence to commercially licensed software • Lack of adequately trained resources in Open Source • More tools means more management • Integration with proprietary tools can be difficult • Support model: community vs vendor • Open Source provides instant cost benefit • Open Source is not secure because it is community driven • Open Source is not stable • Licensing is licensing. No different than proprietary software, right? • Commercial is not Open Source • Community vs Commercial vs Proprietary
  • 7. IT Governance • Processes and methodologies to enable an organization’s strategic business goals through defined IT services, software and infrastructure. • Reduces potential risks related to lack of policies, processes and standards across the enterprise. (Diagram: IT Governance – Value Delivery, Strategic Alignment, Performance Management, Resource Management, Risk and Compliance Management)
  • 8. Open Source Considerations • Open source may not be the immediate cost benefit expected • Patches and upgrades are frequent and often faster than proprietary • Lack of properly inventoried Open Source tooling across applications can lead to integration, security, license and maintenance issues • Vulnerabilities are not unique to Open Source • Open Source licensing complexities can cause major issues if not managed properly • Selecting the best support model depending on available skills vs cost of support
  • 9. The Case for Enterprise Open Source Governance • Although there are reportedly 20 main Open Source licenses used by nearly 98% of the Open Source and OSI has approved 82 licenses, companies like Black Duck have found as many as 2500 available on the internet • Company implementations of Brown or Red shift projects will continue to see an increase in Open Source and Cloud adoption • Often Open Source tools are a vast pool of possibilities with variant community involvement • Do you know how many different groups are implementing Open Source in your organization? (Charts: Open Source in the Industry – Adopted OS 96%, None 4%; 2018 Code Base License Conflicts – Without Conflict / With Conflicts, 68%)
  • 10. Open Source and Security • Most vulnerabilities can be found in software, be it proprietary, Open Source or custom, due to lack of patched software • Community Open Source is typically faster to address and release patches than large proprietary software (Charts: Vulnerabilities – One / <= None; Vulnerabilities in Top 100 Projects – One / <= None, *Black Duck, *WhiteSource; Vulnerabilities over 10 yrs old – 10 years < / < 10 years, *WhiteSource)
  • 11. Open Source Repository Management • Community vs Commercial versioning • Patches and features not considered stable by supported commercial vendor • Product of release cycles in a commercial world • Governing team usage of versions to assure issues with stability is key • Manage a set of governance tooling to track versions of all used software and licenses to assure stability and compliance • Security vulnerability / CVE tracking and mitigation (Diagram: License and Vulnerability Management – Code Repo, Deploy and Release, Artifact Repo, Build/Dependency)
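Slides 8 and 11 ask for an inventory of every open source component in use, with its version and license, and for tracking of security advisories against that inventory. The script below is an added example of what such a governance check looks like in practice; it is not Wipro's tooling and not part of the deck. The component inventory, the license allow-list and the advisory feed are all constructed sample data (the advisory ids are placeholders, not real CVE numbers); in a real pipeline the inventory would come from an SBOM or the build's dependency resolution, and the advisory feed from a vulnerability database.

```python
"""Inventory-driven open source governance check (added example, constructed data).

Two findings a governance team wants from its inventory:
  1. components whose license is not on the approved list (or is unknown), and
  2. components whose deployed version is below the fixed version of a known advisory.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str   # SPDX identifier as recorded in the inventory ("UNKNOWN" if not established)
    support: str   # support model: "community" or "vendor"


# Constructed inventory; a real one is generated from an SBOM or build tooling.
INVENTORY = [
    Component("libalpha", "1.4.2", "MIT", "community"),
    Component("betaframework", "2.0.0", "GPL-3.0-only", "community"),
    Component("gammatool", "0.9.1", "Apache-2.0", "vendor"),
    Component("deltalib", "3.1.0", "UNKNOWN", "community"),
]

# Constructed policy: licenses approved for use in distributed proprietary products.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Constructed advisory feed. "fixed_in" is the first version that is no longer affected.
# The ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-0001", "name": "libalpha", "fixed_in": "1.4.3"},
    {"id": "ADV-PLACEHOLDER-0002", "name": "gammatool", "fixed_in": "0.9.0"},
]


def parse_version(text: str) -> tuple:
    """Turn a dotted version string into a comparable tuple of integers."""
    return tuple(int(part) for part in text.split("."))


def license_findings(inventory):
    """Components whose license is unknown or not on the approved list."""
    return [(c.name, c.license) for c in inventory if c.license not in ALLOWED_LICENSES]


def advisory_findings(inventory, advisories):
    """Components running a version older than an advisory's fixed version."""
    by_name = {c.name: c for c in inventory}
    findings = []
    for adv in advisories:
        comp = by_name.get(adv["name"])
        if comp is None:
            continue  # advisory concerns a component we do not use
        if parse_version(comp.version) < parse_version(adv["fixed_in"]):
            findings.append((comp.name, comp.version, adv["id"], adv["fixed_in"]))
    return findings


def governance_report(inventory=INVENTORY, advisories=ADVISORIES):
    """Combine both checks into one report dict suitable for a CI gate or dashboard."""
    return {
        "license_violations": license_findings(inventory),
        "unpatched_components": advisory_findings(inventory, advisories),
    }


if __name__ == "__main__":
    report = governance_report()
    for name, lic in report["license_violations"]:
        print(f"LICENSE  {name}: '{lic}' is not an approved license")
    for name, ver, adv_id, fixed in report["unpatched_components"]:
        print(f"ADVISORY {name} {ver}: affected by {adv_id}, fixed in {fixed}")
```

Running it on the constructed inventory flags `betaframework` (GPL-3.0-only is not on the allow-list) and `deltalib` (license never established), and flags `libalpha` 1.4.2 as below the advisory's fixed version 1.4.3, while `gammatool` 0.9.1 passes because it is already past 0.9.0. The two lists map directly to the two governance streams on slide 11: license compliance and vulnerability/CVE tracking.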
  • 12. Is your Organization Ready for Open Source? • Developers often drive the use of Open Source without collaboration or alignment to business strategy • Siloed groups within the organization • Security groups often shut down Open Source without support • Culture ready for change • Existing Governance processes? (Diagram: OS Strategy – Culture, Governance, Community, Product)
  • 13. Offering Open Source, Protecting Your Offering • You have decided to be an innovator and offer to the community • Do you throw it out on GitHub and hope for the best? • Open Source doesn’t mean you can’t still have proprietary IP • Open Source IP handled through appropriate licensing and copyright • Software is generally copyright protected • Licensing gives permission for use and redistribution and controls contribution • Processes for managing use of code through licensing agreements or auditing GitHub downloads
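Slide 13 makes the point that publishing code does not give up copyright, and that the license you attach is what grants use and redistribution. The smallest enforceable form of that policy is a check that every file you publish carries a copyright notice and an SPDX license identifier matching the project's chosen license, so that a stray file under a different license (a vendored GPL file in an Apache project, say) is caught before release. The check below is an added example, not code from the deck or from Wipro; the project license, the header window of five lines and the sample file contents are all constructed assumptions.

```python
"""Release gate: every published source file must carry a copyright notice and an
SPDX-License-Identifier equal to the project's declared license.
Added example with constructed sample files; not from the original slides."""
import re

PROJECT_LICENSE = "Apache-2.0"   # assumed: the license chosen for the published project
HEADER_LINES = 5                 # assumed: notices must appear within the first 5 lines

SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+)")
COPYRIGHT_RE = re.compile(r"Copyright\s+\(c\)|©|Copyright\s+\d{4}", re.IGNORECASE)

# Constructed sample repository: path -> file contents.
SAMPLE_FILES = {
    "src/core.py": (
        "# Copyright (c) 2019 Example Corp\n"
        "# SPDX-License-Identifier: Apache-2.0\n"
        "\n"
        "def run():\n"
        "    pass\n"
    ),
    # No header at all: copyright ownership and license terms are unstated.
    "src/util.py": "def helper():\n    return 1\n",
    # Vendored file under a different license: a license conflict in the offering.
    "src/vendored.py": (
        "# Copyright (c) 2015 Someone Else\n"
        "# SPDX-License-Identifier: GPL-3.0-only\n"
    ),
    # License stated but no copyright notice.
    "src/nocopy.py": "# SPDX-License-Identifier: Apache-2.0\n",
}


def check_headers(files, project_license=PROJECT_LICENSE):
    """Return {path: [problems]} for every file that fails the header policy."""
    findings = {}
    for path, text in files.items():
        head = "\n".join(text.splitlines()[:HEADER_LINES])
        problems = []
        match = SPDX_RE.search(head)
        if match is None:
            problems.append("missing SPDX-License-Identifier")
        elif match.group(1) != project_license:
            problems.append(
                f"license {match.group(1)} differs from project license {project_license}"
            )
        if COPYRIGHT_RE.search(head) is None:
            problems.append("missing copyright notice")
        if problems:
            findings[path] = problems
    return findings


def release_allowed(files, project_license=PROJECT_LICENSE) -> bool:
    """Gate decision: True only when no file has a header problem."""
    return not check_headers(files, project_license)


if __name__ == "__main__":
    for path, problems in check_headers(SAMPLE_FILES).items():
        print(f"{path}: {'; '.join(problems)}")
    print("release allowed:", release_allowed(SAMPLE_FILES))
```

On the constructed files the gate blocks the release: `src/util.py` has neither notice, `src/vendored.py` declares GPL-3.0-only inside an Apache-2.0 project, and `src/nocopy.py` lacks a copyright line; only `src/core.py` is clean. In a real repository the `SAMPLE_FILES` dict would be replaced by a walk over the tree, and the same check fits naturally as a pull request hook, which is where slide 14's contribution policy gets enforced rather than merely written down.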
  • 14. Building a Governance Model – Organizational Structure: 1. Build Business Road-map 2. Determine current Open Source utilization 3. Defined Operation Model 4. Clear Roles and Responsibilities for Stakeholders 5. Defined metrics and KPIs 6. SDLC of services – Policies and Standards: 1. Defined Best Practices for managing Open Source 2. Development Standards 3. Define Team ownership 4. Communication Policies 5. Defined owners of enforcement of policies and standards 6. Change Management Policies 7. Building guidelines for COE 8. Contribution policy 9. Community/ecosystem engagement models
  • 15. Building a Governance Model (cont.) – Risk Assessment and Mitigation plan: 1. Assure compliance with state and federal regulations where applicable 2. Defined and implemented Information Security practices 3. Risk Mitigation Strategy clearly defined 4. OS management and framework governance 5. Rollback and failure plan for Automated CI/CD 6. Defined Continuous monitoring plan for all Open Source software and hardware – 3rd Party Management: 1. License management 2. 3rd party audit of internal Open Source components 3. Assess Legal compliance by Vendors 4. Define processes for upgrades, patches and regular maintenance 5. Support model selection policy
  • 16. Resources – Documents: 1. 2019 Open Source Security and Risk Analysis by Synopsys Cyber Security Research Center and Black Duck 2. The State of Open Source Vulnerabilities Management Report, WhiteSource 3. Gartner and Forrester annual reports on Open Source – Acknowledgements: Thank you to the following people for review and recommendations • Andrew Aitken, GM & Global Open Source Practice Leader • Sreekanth Nyamars, Open Source COE Lead • Eric Tice, Global Open Source SME Lead