How to Start an Open Source Program Office

By Martin CallinanBlog
OSPO

Table of Contents

  • Introduction
  • Starting an OSPO
  • Educating the employees and assigning responsibilities
  • Contributing the code
  • OSPO: a central entity for compliance needs
  • The upward trend and establishment of OSPO in various organisations
  • What is the future of OSPO?

Introduction

Enterprises building modern solutions are dependent on open source software to build their applications. The developers knowingly or sometimes unknowingly leverage open source components and libraries to solve technical challenges efficiently without re-inventing the wheel. This way open source enters the software supply chain.

Since these open source libraries are governed by licenses, compliance to these licenses becomes an obligation of the organisation using the libraries. Non-compliance with open source licenses can bring legal risk and potentially impact on the value of IP being created. Challenges related to compliance to open source licenses can create negative press coverage resulting in a negative impact on brand value. Moreover, unmanaged open source components like outdated versions or unknown license can introduce security vulnerabilities into the code which could be later exploited when the software is used by end customers.

To maximize the benefits of using open source while minimizing the potential risk and to educate the employees regarding risks and obligations associated with open source licenses is the job of an OSPO (Open Source Program Office).

Starting an OSPO

An OSPO (Open Source Program Office) operates as an in-house entity within the company or possibly outsourced to a third party service provider to create a program to support developers and related staff in the use of open source software in development to ensure risk IP and security risk is minimised while reaping the benefits of using open source software components and libraries for efficient software development

The OSPO creates a company-wide policy that regulates the use of open source software within an organisation.  It educates and trains the employees about their roles and responsibilities around how to use open source in a way that  reduces time to market in delivering software projects while also minimizing the risk associated with its use

Managing the use of open source and decreasing the compliance risks are important elements for the success of any product. An OSPO aligns the efforts of all relevant teams involved in building products and helps increase the organisations capacity for better and effective use of open source.

Educating Employees and Assigning Responsibilities

Delivering a product on short notice often puts developers in a tight spot to meet deadlines. This often results in an oversight of the complexity and risk associated with incorporating various open source components into your codebase. The level of risk is increased when the version control of third-party components and libraries, is not diligent.

Developers are likely to be the first ones to interact with open source packages and projects.

To avoid onboarding any open source component that may increase security or legal risk, training should be delivered to programmers.

An OSPO may curate the training program. This may include explaining the implications imposed by various open source licenses and the outline of an approval procedure for new open source libraries and licenses. Another thing to consider is maintaining a software bill of materials (SBOM).

Producing an SBOM early in the development cycle makes it easy for the OSPO to evaluate the open source components   used in development. The OSPO can then make remediations for any issues or concerns that arise.

“Many developers who are not educated in open source think that because they are not purchasing software, there is no license involved because they didn’t sign a contract,” said Suzanne Ambiel, director of open source marketing and strategy at VMware

OSPO may be formed by following or more people within the organisation:

(Note: This is a non-exhaustive list of people who can be a part of OSPO. The  requirements are entirely dependent on your organisation’s needs)

  • Principal/Chief- This role can be a representative of OSPO and work as a front face. The chief may be the one who knows the different aspects regarding open source like effects of using different components, license implications, contributing to the open source projects.
  • Program manager-The Program Manager sets the requirement and objective for the target solution. He /she works alongside product and engineering team to connect workflows which includes ensuring that policies and tools are implemented in a developer-friendly manner
  • Legal support – Legal support can be outside the firm or in-house. Legal support is an important part of OSPO. The legal role works closely with the Program Manager to define policies that govern open source use, including which open source licenses are allowed for each company product, defining strategies around contributing to existing open source projects
  • Product and engineering team/developers-The engineering team should be thorough with open source license(s) and their associate risks. The team must seek approval from OSPO before pulling in any open source component. The team may have to undergo trainings regarding open source compliance basics and its usage at regular intervals
  • Stakeholders – Company’s leadership has a huge impact on the OSPO strategies. The stakeholders hold a great say in decision-making process for any product/solution’s delivery. The VP of Engineering, CTO/CIO, or Chief Compliance/Risk Officer are important candidates to get involved in OSPO
  • IT team – From DevOps to Security, having support from the IT department is key. An OSPO may be tasked with implementing internal tools to improve developer efficiency, monitor open source compliance, or dictate open source security measures. IT is key in helping to connect workflows, and ensure policies are implemented in a developer-friendly manner

 Contributing Code

It is beneficial for an organisation to allow developers to contribute to open source projects. These include: strengthening your developer’s skills, keeping up to date with trending open source projects, retention of staff, attracting developers to work for the organisation and raising the profile of the company. However, organisations often have limited processes in place for full time employees (FTE) and contractors who contribute to open source projects.

Many open source projects require developers to sign a Contributor License Agreement (CLA) which typically assigns ownership of any IP created by the employees to their employer.

Building a process for your engineering team to contribute to current open source projects may include designing legal policies around copyright and intellectual property that dictate all essential steps that needs to be taken before your engineers can contribute to existing open source projects.

Using open source components in adherence with their respective licenses not only ensures that your company is in good standing with the open source community but also helps elevate your brand reputation. OSPO can also manage the company’s growth in the market by actively engaging in events, conducting webinars and interactive campaigns.

OSPO: A Central Entity For Compliance Needs

OSPO may function differently in every organisation depending on the number of employees and the number of people that are part of the OSPO team. Another factor that is subjective to organisations is their purpose of using open source. Sometimes an organisation is using open source solely for building the product and in other case they might be interested in building and growing their participation in the open source community by contributing code to open source projects.

Some of the core functions of an OSPO involve:

 Setting an open source compliance and governance policy in place to mitigate intellectual property risks to the organisation

  • Educating developers on better decision-making. This can be done by timely trainings and updating developers regarding the legal aspect of open source licenses
  • Monitoring the usage of open source software inside as well as outside the organisation
  • Conducting meetings after every software release to discuss what went well and what could be done better with the OSS compliance process
  • Defining policies that lay out the requirements and rules for working with open source across the company
  • Encouraging the members to contribute upstream to gain the collaborative and innovative benefits of open source project
  • Producing SBOM with suitable remediation and recommendations for the product team
  • Preparing compliance artifacts and ensuring that all license obligations are fulfilled

The Upward Trend and Establishment of OSPO in Various Organisations

OSPO Adoption
Source: https://github.com/todogroup/osposurvey/tree/master/2021

In a survey conducted by TODO OSPO group 2021, the results about the survey were as follows:

  • The findings indicated there are many opportunities ahead to educate companies about how OSPOs can benefit them
  • OSPOs had a positive impact on their sponsor’s software practices, but their benefits differed depending on the size of an organisation.
  • Companies that intended to start an OSPO hoped it would increase innovation, but setting a strategy and a budget remained top challenges to their goals.
  • Almost half of survey participants without an OSPO believed it would help their company, but of those that didn’t think it would help, 35% said they haven’t even considered it.
  • 27% of survey participants said a company’s open source participation is at least very influential in their organisation’s buying decisions.

OSPO culture has not only been adopted in technology or software building enterprises but other industries are also widely using open source and thus establishing OSPO as part of their governance programs. Companies like Microsoft, Google, Netflix, GitHub have well established OSPOs within their organisations.

Apart from these some other industry leaders have also set up OSPO in their work environments:

Bloomberg, a global business, financial information and news leader began its OSPO journey in 2012, when engineering leadership realised that the engineering team is consuming open source software at a large scale. With time, Bloomberg’s OSPO evolved by not only promoting community participation, but also by providing necessary guidance and support to teams thinking about launching open source projects.

Comcast which is a global media and technology company began its involvement in open source 2006.Nithya Ruff, who is a former head of open source at Comcast says “The company wanted to make sure that we had a single place which would drive open source engagement and compliance across the organization. The job description of the OSPO at Comcast needed to be broader than compliance and needed to include continued fostering of code contributions back to the community. “

Salesforce is a Software-as-a-service platform, and it does not release the end customer products that it sells as open source. Instead, the engineering team focuses on open sourcing shared infrastructure components, libraries, and tools that other companies might find generally useful and can benefit their customers.

Open source is a window for (external developers) to see the great engineering that’s going on inside of the company that they otherwise wouldn’t be able to.” – Ian Varley, Software Architect at Salesforce.

  

What Is The Future Of OSPO?

The role an OSPO can play in strategically streamlining the compliance and contribution process for open source software is increasing the adoption of this team across many industries. Since open source software is very much part of the modern supply chain , the security risk and non-adherence with open source licenses cannot be overlooked.

An OSPO may work as an internal consultancy for its employees by providing sufficient resources and guidelines regarding any open source query. By putting OSPO in place employees will have a central entity that can be their go to place for any queries related to open source usage. OSPO can also work as guide to fetch top talent from the industry which will eventually be a boon for the business goals.

As of lately OSPO is making its mark through not only technology but other industry sectors like finance, banking, communication etc. Organisations are funding and expanding their OSPO teams to set up operations that will govern their strategic policies, provide recommendations to solve compliance issues, assist developers to help bring higher efficiency and innovation in building the modern software applications without having to worry about the compliance risk.

For training in creating an OSPO visit our training portal 

An overview of the course “Get it Right With Open Source Program office is below.

One thought on “How to Start an Open Source Program Office

  1. Pingback: How to Start an Open Source Program Office (OSPO) – Consulting Services | Source Collective

Leave a Reply

Your email address will not be published. Required fields are marked *