How to Become an OSS Champion

Open source software components yield a competitive marketplace advantage. So why do some development teams resist and rebel?

Fernando Cremer, a Customer Success Engineer at Sonatype, works with organizations to optimize their use of open source software. He shows leaders how to champion open source use in production.

He recently shared his perspective at the Nexus User Conference.

To start, Fernando outlines the importance of OSS governance. He defines governance as control over the libraries, frameworks, and dependencies that make up an application's components. How an organization tracks component use and policy compliance affects everything from costs to software security.

A common obstacle is a lack of planning beyond implementation. Fernando points to DJ Schleen’s chapter in Epic Failures in DevSecOps as illustrating a fairly typical problem: lots of planning to implement open source components, followed by far less investment in maintaining the systems that support this awesome resource. When developers are disrupted, or their builds are broken without explanation, the pitchforks come out.

How to avoid this? Consider your production process. Fernando outlines the software production stages:

  • Discovery – how does our team build/deploy/write software?
  • Inventory – how many applications/dependencies are there? What is the overall scope? (“Nobody ever knows,” says Fernando. This common pitfall is fixed once a full inventory is performed and automated systems are put in place.)
  • Policy – what is the organization’s policy for OSS components? Notably: who is the person signing off and accepting the risk?
  • Mitigation – what are the organization’s plans to address policy violations?
  • Enforcement – how will the organization tackle ongoing review?
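The inventory, policy, mitigation and enforcement stages above are usually automated by a tool such as a repository firewall or component-analysis server. As an added example that is not part of the original post and not Sonatype's or Fernando's code, the script below walks those stages over a constructed requirements-style manifest: it inventories the components, evaluates a policy that names the sign-off owner, maps each violation to a mitigation action (block or warn), and produces an enforcement decision with a human-readable reason so a broken build is never unexplained. The package names, license metadata and policy values are all constructed for illustration; a real deployment would pull license and version data from the registry or scanner rather than from an inline dictionary.

```python
"""Inventory -> policy -> mitigation -> enforcement over a constructed manifest.

Added example only; the manifest, license data and policy below are constructed
for illustration and do not describe any real project.
"""
import re
from dataclasses import dataclass

# Constructed sample manifest in requirements.txt style (not a real project's).
SAMPLE_REQUIREMENTS = """\
# constructed sample manifest
requests==2.31.0
flask>=2.0
leftpad-clone==0.0.1
gpl-widget==1.4.2
"""

# Constructed license metadata; a real tool would fetch this from the registry
# or a component scanner. None means the license could not be determined.
SAMPLE_LICENSES = {
    "requests": "Apache-2.0",
    "flask": "BSD-3-Clause",
    "leftpad-clone": None,
    "gpl-widget": "GPL-3.0-only",
}


@dataclass
class Policy:
    owner: str                  # the person who signs off and accepts the risk
    allowed_licenses: frozenset # license allowlist
    require_pinned: bool = True # unpinned specifiers are a reproducibility risk


@dataclass
class Violation:
    package: str
    rule: str
    action: str  # mitigation action: "block" stops the build, "warn" reports only


def parse_requirements(text):
    """Inventory stage: return {name: version specifier} from a requirements file."""
    inventory = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*(.*)$", line)
        if not m:
            raise ValueError(f"unparseable requirement: {raw!r}")
        inventory[m.group(1).lower()] = m.group(2).strip()
    return inventory


def evaluate(inventory, licenses, policy):
    """Policy stage: check every component and attach a mitigation action to each failure."""
    violations = []
    for name, spec in inventory.items():
        lic = licenses.get(name)
        if lic is None:
            violations.append(Violation(name, "license unknown", "block"))
        elif lic not in policy.allowed_licenses:
            violations.append(Violation(name, f"license {lic} not allowed", "block"))
        if policy.require_pinned and not spec.startswith("=="):
            violations.append(Violation(name, f"unpinned version {spec or '(any)'}", "warn"))
    return violations


def enforce(violations, policy):
    """Enforcement stage: decide whether the build proceeds and explain why."""
    blocking = [v for v in violations if v.action == "block"]
    report = [f"[{v.action.upper()}] {v.package}: {v.rule}" for v in violations]
    report.append(f"policy owner (risk acceptance): {policy.owner}")
    return len(blocking) == 0, report


if __name__ == "__main__":
    policy = Policy(owner="appsec-lead",
                    allowed_licenses=frozenset({"MIT", "Apache-2.0", "BSD-3-Clause"}))
    inventory = parse_requirements(SAMPLE_REQUIREMENTS)
    allowed, lines = enforce(evaluate(inventory, SAMPLE_LICENSES, policy), policy)
    print("\n".join(lines))
    print("build allowed" if allowed else "build blocked")
```

The point of the separate `report` list is the communication problem raised above: every blocked build carries the rule that fired and the owner who can grant an exception, so the response to a violation is a conversation rather than a pitchfork.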

Looking at this process, leadership must excel in three distinct areas to get the most productive software development out of it.

#1 Communication Prowess: Communicate Regularly

Communication is key. Disruption and disillusionment come from a lack of clarity. Identify what your organization is trying (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Katie McCaskey. Read the original post at: