Ten Key Elements of Open Source Governance in the Enterprise

Webinar on June 17, 2009

Presented by Greg Olson, Senior Partner at Olliance Group, and Kim Weins, Senior Vice President of Marketing at OpenLogic

© Copyright OpenLogic 2009

Ten Elements of Enterprise OSS Governance

1. Open source strategy
2. Open source policy
3. Executive sponsorship
4. Buy-in from stakeholders
5. Funding
6. Take inventory
7. Provisioning
8. Requests and approvals
9. Auditing
10. Reporting

Poll Question #1

On a scale of 1-5, how open is your company towards the use of open source software (check one)?

1 - No usage of open source allowed - 0%

2 - Open source used only if no other solution exists - 29%

3 - Open source allowed when it is superior to other solutions - 12%

4 - Open source and proprietary solutions have equal footing - 41%

5 - Use of open source preferred when available - 18%

June 17, 2009 Webinar. Poll of 33 attendees, more than half of them from Fortune 500 companies

The Open Source Revolution

[Diagram: a traditional application, roughly 90% custom development around a commercial software package acquired through negotiated procurement, contrasted with a modern application, roughly 90% integration of many OSS components plus some commercial and commercial-OSS components, acquired by download.]

Compelling benefits

  Faster path to deployed implementations

  Lower development and maintenance costs

But… adds complexity to software projects

  Many more sources, licenses, compatibility issues

  Self-service updating

Open Source Strategy

Defines why the organization uses OSS and what it hopes to achieve

Expressed primarily in high-level business terms (not technical or legal)

Key values of developing one:

  Develop management consensus on goals and objectives across line of business management, software development and Legal

  A clear basis for developing the (more detailed) policy

  A clear statement of rationale to guide future staff in future decisions

Open Source Policy

Specifies the rules for how the organization uses OSS

Typical elements

  Legal Policy: What licenses are acceptable for what classes of application?

  Acquisition Policy: What are the criteria for OSS introduction? How is it documented? Who approves, and how is it managed?

  Usage Policy: Where may what kind of OSS be used, in what classes of applications? Where may OSS be modified?

  Support Policy: What are the support requirements for what classes of applications?

  Management Policy: How will OSS be tracked and managed?

  Partner Policy: How to ensure that third-party suppliers adhere to the policy, too?

  Contribution and Publishing Policy: What contributions will be published? How may employees participate in communities? How will this be managed?

Executive Sponsorship

Provides the support necessary to get through major challenges

  Controversy: trade-offs between benefit and risk

    Changes to long-established procurement policies

    Changes to long-established development processes

    Strongly held beliefs

  Budgetary issues: some additional systems and/or services will be needed

    Benefits are typically harder to measure than the costs

  Driving the effort: change that crosses several management disciplines tends to bog down

    An executive driver is key to completing this evolution

Buy-In From Stakeholders

Ensures that those involved in the use of open source will adhere to the processes

A policy not consistently followed is worse than no policy – a placebo hiding real risk to the business

Best ways to ensure buy-in

  Executive leadership, especially in software development

  Make sure all stakeholders understand the OSS Strategy

  Involve the stakeholders in the policy and process development phases

  Make sure the process yields quick approvals for mainstream activities

  Involve the stakeholders in periodic reviews of Policy and Process

Poll Question #2

What techniques do you use to track open source usage in your company (check all that apply)?

1 - No formal inventory at all - 19%

2 - Self-reporting per project - 33%

3 - Self-reporting on a global scale - 8%

4 - Manual audits of self-reported inventories - 22%

5 - Automated code scanning tools - 17%

June 17, 2009 Webinar. Poll of 33 attendees, more than half of them from Fortune 500 companies

Funding

Provides resources for any necessary consulting, software, or hardware solutions

The software may be free, but managing it well requires some investment

Consulting help to develop Strategy, Policy, Process

Code base assessment

Software scanning tools

OSS approval, tracking and management tools

Support and/or indemnification


Open Source Inventory

Why? Get an understanding of what OSS you are using on servers and desktops, or what OSS is in your applications

When?

  Baseline: at the beginning of creating or implementing OSS policy and processes

  Ongoing: on a regular basis (quarterly, annually)

What?

  Don’t try to start with every machine everywhere

  Start with a representative sample to get a sense of the scope of the issue and work through processes and procedures

  Expand over time

Open Source Inventory

How?

  Option 1: Self-reporting via spreadsheets or surveys

    Hard to do, manual

    Inaccurate because people don’t know what they are using

  Option 2: Scanning systems or applications

    OSS Discovery is a free open source option

    Scan servers, desktops or applications

    Integrate with software distribution, asset management or inventory tools

    No source code required

    Scans find 2-10x what self-reporting does

    Start with a group or area, then expand
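The following is an added example, not code from the webinar or from OpenLogic's OSS Discovery tool. It shows one way a scan can inventory the open source inside a deployed Java application with no source code at all: Maven writes a pom.properties file under META-INF/maven/<group>/<artifact>/ into every JAR it builds, so reading those entries identifies the component and version even inside a shaded JAR. The result is then reconciled with a self-reported inventory to show where self-reporting is incomplete or stale. The JAR files, their contents and the self-reported list are constructed inside the script, so it runs offline; JARs with no Maven metadata are reported as unidentified rather than silently dropped, because that blind spot is exactly what a real scanner has to close with file fingerprints.

```python
"""Added example, not code from the webinar or from OpenLogic's OSS Discovery:
inventory the open source components in a deployed Java application without
its source code, by reading the pom.properties files that Maven embeds under
META-INF/maven/ in every JAR it builds, then reconcile the result with a
self-reported inventory. The JARs and the self-reported list are constructed
inside the script so it runs offline."""
import os
import tempfile
import zipfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str


def pom_properties_in_jar(path):
    """Yield one Component per META-INF/maven/<group>/<artifact>/pom.properties
    entry. A shaded (uber) JAR carries several; a hand-built JAR carries none."""
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"} <= props.keys():
                yield Component(props["groupId"], props["artifactId"], props["version"])


def scan_tree(root):
    """Walk a directory tree; return (components found, JARs with no Maven
    metadata). The second list is the scanner's blind spot and is reported,
    not silently dropped."""
    found, unidentified = set(), []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if not fn.lower().endswith(".jar"):
                continue
            comps = set(pom_properties_in_jar(os.path.join(dirpath, fn)))
            if comps:
                found |= comps
            else:
                unidentified.append(fn)
    return found, unidentified


def reconcile(scanned, self_reported):
    """Compare scan results with a self-reported inventory of (group, artifact) pairs."""
    scanned_keys = {(c.group, c.artifact) for c in scanned}
    return {
        "undeclared": sorted(scanned_keys - self_reported),          # in the build, never reported
        "declared_not_found": sorted(self_reported - scanned_keys),  # reported, not in the build
        "confirmed": sorted(scanned_keys & self_reported),
    }


def make_jar(path, components):
    """Build a constructed JAR for the demo with one pom.properties per component."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for group, artifact, version in components:
            zf.writestr(
                f"META-INF/maven/{group}/{artifact}/pom.properties",
                f"#Generated by Maven\nversion={version}\ngroupId={group}\nartifactId={artifact}\n",
            )


def demo():
    """Constructed sample: a web app's WEB-INF/lib with three JARs, and a
    self-reported inventory that is both incomplete and stale."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "app", "WEB-INF", "lib")
        os.makedirs(lib)
        make_jar(os.path.join(lib, "commons-lang-2.4.jar"), [("commons-lang", "commons-lang", "2.4")])
        make_jar(os.path.join(lib, "app-all.jar"),  # shaded JAR hiding two components
                 [("org.springframework", "spring-core", "2.5.6"), ("log4j", "log4j", "1.2.15")])
        make_jar(os.path.join(lib, "internal-util.jar"), [])  # no Maven metadata at all
        scanned, unidentified = scan_tree(root)
        self_reported = {("commons-lang", "commons-lang"), ("org.hibernate", "hibernate")}
        report = reconcile(scanned, self_reported)
        report["unidentified"] = unidentified
        return report


if __name__ == "__main__":
    for section, items in demo().items():
        print(section, items)
```

In the constructed sample the self-report names two components, but the scan finds three (two of them hidden inside one shaded JAR), one reported component is no longer in the build, and one JAR cannot be identified from metadata at all. That last bucket is the one to track over time: it measures how much of the estate the scan actually covers.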

OSS Provisioning: Research

Try the OLEX Library (olex.openlogic.com)

Check out Wazi for comparisons

Other sources for research

  Ohloh – community data

  Osalt – open source alternatives

  Ostatic – media site

  Project home pages

OSS Provisioning: Certification

OpenLogic Certification: 42-point certification process

  Examine community, adoption, legal and support

  Meet the minimum bar for enterprise consideration

Your own certification

  Key evaluation points – just like for proprietary software

  Enterprise Architect recommendations

OSS Provisioning: Sourcing

OLEX (olex.openlogic.com): trusted source

  Certified software

  Vetted bits

General repositories: SourceForge.net, Google Code, java.net, freshmeat, etc.

  Make sure you have it from an official source

  Watch out for unvetted mirrors

  Watch out for unvetted Maven repositories

  Verify what you downloaded against the checksum or signature the project itself publishes, not one served by the same mirror

Internal repository: maintain an internal repository (OLEX EE, your own system, etc.)

Operationalizing Open Source Policies

What? Using technology to enforce open source policies

Capabilities

  Allow/prevent downloads per your policy

  Track downloads

  Require declaration of use at time of download

  Require approvals before download

OSS Requests and Approvals

Why? When the answer to “can I use this OSS?” is “it depends”

When?

  Prior to download

  Prior to use in development, in production or in release

Who is involved?

  Requestor

  Set of approvers (managers, Legal, Enterprise Architecture, OSRB – the open source review board), sequential or parallel

OSS Requests and Approvals

How?

  Option 1: Manual processes

    Email, spreadsheet

    Quickly overwhelmed in all but the smallest companies

  Option 2: OLEX EE process automation

    Automated workflow for approval

    Auto-approval and auto-denial rules

    Comment tracking

    Customized forms, workflows and notifications

  Option 3: Homegrown system

    Build and maintain yourself
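The following is an added example, not code from the webinar or from the OLEX product, and it stands in for the "homegrown system" option as much as for any product. It ties together the sourcing, operationalizing, and requests-and-approvals slides above in one download-time policy gate: the request must carry a declaration of use, the license is classified against a per-application-class policy, the downloaded bytes are checked against the SHA-256 the project's official site publishes (so an unvetted mirror or Maven repository cannot substitute different bits), and the result is an auto-approval, an auto-denial, or a routing to the first approver in a sequential chain. The policy table, license families, approver chain, artifact names and checksum table are all constructed for the demo and are assumptions, not a policy the webinar proposes; an unclassified license is deliberately never auto-approved.

```python
"""Added example, not code from the webinar or from the OLEX product: a policy
gate of the kind the sourcing, operationalizing and approvals slides describe,
evaluated at download time. The policy table, license families, approver chain,
artifact names and checksum table are constructed for the demo."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed legal policy: what each license family may be used for.
# "internal" never leaves the company; "distributed" is shipped to customers.
POLICY = {
    "internal":    {"permissive": "auto", "weak-copyleft": "auto",   "strong-copyleft": "review"},
    "distributed": {"permissive": "auto", "weak-copyleft": "review", "strong-copyleft": "deny"},
}
LICENSE_FAMILY = {
    "Apache-2.0": "permissive", "MIT": "permissive", "BSD-3-Clause": "permissive",
    "LGPL-2.1": "weak-copyleft", "MPL-1.1": "weak-copyleft",
    "GPL-2.0": "strong-copyleft", "GPL-3.0": "strong-copyleft",
}
# Constructed record of the SHA-256 each project's official site publishes for its artifact.
OFFICIAL_SHA256 = {
    "commons-lang-2.4.jar": hashlib.sha256(b"constructed bytes of commons-lang-2.4.jar").hexdigest(),
    "gpl-widget-1.0.jar":   hashlib.sha256(b"constructed bytes of gpl-widget-1.0.jar").hexdigest(),
}
APPROVERS = ["manager", "legal", "enterprise-architecture"]  # sequential chain for "review"
DOWNLOAD_LOG: List[tuple] = []  # who took what, for what declared purpose


@dataclass
class Request:
    requester: str
    artifact: str
    license_id: str
    app_class: str      # "internal" or "distributed"
    declared_use: str   # declaration of use required at download time
    content: bytes      # the bytes the mirror or Maven repository actually served


@dataclass
class Decision:
    outcome: str        # "approved", "denied" or "pending"
    reasons: List[str] = field(default_factory=list)
    next_approver: Optional[str] = None


def evaluate(req: Request) -> Decision:
    if not req.declared_use.strip():
        return Decision("denied", ["a declaration of use is required before download"])
    if req.app_class not in POLICY:
        return Decision("denied", [f"unknown application class {req.app_class!r}"])
    family = LICENSE_FAMILY.get(req.license_id)
    if family is None:
        # Unknown license: never auto-approve; Legal classifies it first.
        return Decision("pending", [f"license {req.license_id} is not classified"], "legal")
    rule = POLICY[req.app_class][family]
    if rule == "deny":
        return Decision("denied", [f"{req.license_id} ({family}) is not permitted in {req.app_class} applications"])
    # Integrity check: the bits must match what the official project site publishes,
    # whichever mirror or repository served them. No record on file means no download.
    expected = OFFICIAL_SHA256.get(req.artifact)
    if expected is None:
        return Decision("denied", [f"no official checksum on record for {req.artifact}; source it from the project site"])
    if hashlib.sha256(req.content).hexdigest() != expected:
        return Decision("denied", [f"checksum mismatch for {req.artifact}: the mirror served different bits"])
    if rule == "auto":
        DOWNLOAD_LOG.append((req.requester, req.artifact, req.declared_use))
        return Decision("approved", ["auto-approved by policy; download and declaration recorded"])
    return Decision("pending", [f"{req.license_id} in a {req.app_class} application needs review"], APPROVERS[0])


if __name__ == "__main__":
    print(evaluate(Request("alice", "commons-lang-2.4.jar", "Apache-2.0", "distributed",
                           "string utilities in the billing app",
                           b"constructed bytes of commons-lang-2.4.jar")))
    print(evaluate(Request("bob", "gpl-widget-1.0.jar", "GPL-2.0", "distributed",
                           "report widget", b"constructed bytes of gpl-widget-1.0.jar")))
```

The order of the checks is the point: the cheap policy decisions (missing declaration, denied license family) come first so nothing is fetched for them, the integrity check runs before any approval so a tampered or unrecorded artifact is refused even when the license is fine, and only a fully clean request is written to the download log that the auditing and reporting steps later read.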

OSS Auditing

Why?

  Ensure compliance with policies

  Ensure compliance with open source licenses

  Protect internal IP (in cases of distribution)

When to audit?

  At key phases in the application lifecycle: development/build, test, staging, push to production

  On pre-determined audit schedules

  Random spot checks

OSS Auditing

What to audit for?

  OSS projects used

  OSS licenses used

  Optional: OSS plagiarism (if distributing software)

How?

  Compare information from policies, declarations of usage, requests and scans

  Identify violations

  Remediate

OSS Reporting

OSS Inventories and changes over time

OSS Downloads and Declarations

Request and Approval Status

Policy Compliance and Violations

Application “Bill of Materials” and Bill of Licenses

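The following is an added example, not code from the webinar or from OpenLogic's tooling. It carries out the audit the two OSS Auditing slides describe and produces the reports the OSS Reporting slide lists: for one application it cross-checks a scan of the build against the declarations captured at download time, the approval status of each request, and the license policy, and emits the violations alongside the application bill of materials, the bill of licenses, and the change in inventory since the previous scan. The policy, the application name, the component records and the request statuses are all constructed for the demo and are assumptions, not data from the webinar. A declaration with no matching component in the build is reported too, since a stale declaration misleads the next audit as surely as a missing one.

```python
"""Added example, not code from the webinar or from OpenLogic's tooling:
reconcile policy, declarations of usage, requests and scans for one
application, report the violations, and produce the bill of materials, bill of
licenses and inventory change report. The policy and every record are constructed."""
from collections import Counter

# Constructed legal policy: license identifiers permitted per application class.
ALLOWED = {
    "internal":    {"Apache-2.0", "MIT", "BSD-3-Clause", "LGPL-2.1", "GPL-2.0"},
    "distributed": {"Apache-2.0", "MIT", "BSD-3-Clause", "LGPL-2.1"},
}


def audit(app, app_class, scan, declarations, requests):
    """scan:         {(group, artifact): (version, license)} from a build/staging scan
    declarations: {(group, artifact): declared use} captured at download time
    requests:     {(group, artifact): status} from the approval system
    Returns violations as (kind, component, version, detail) tuples plus the reports."""
    violations = []
    for key, (version, lic) in sorted(scan.items()):
        if key not in declarations:
            violations.append(("undeclared", key, version, "found by scan but never declared"))
        status = requests.get(key)
        if status is None:
            violations.append(("no-request", key, version, "no approval request on file"))
        elif status != "approved":
            violations.append((f"request-{status}", key, version, f"in the build while the request is {status}"))
        if lic not in ALLOWED[app_class]:
            violations.append(("license", key, version, f"{lic} is not permitted in a {app_class} application"))
    for key in sorted(set(declarations) - set(scan)):
        violations.append(("stale-declaration", key, None, "declared but not present in the build"))
    bom = [(g, a, v, lic) for (g, a), (v, lic) in sorted(scan.items())]
    bill_of_licenses = Counter(lic for _, lic in scan.values())
    return {"application": app, "violations": violations, "bom": bom, "licenses": dict(bill_of_licenses)}


def inventory_delta(previous, current):
    """Changes between two scans of the same application, for reporting over time."""
    return {
        "added": sorted(set(current) - set(previous)),
        "removed": sorted(set(previous) - set(current)),
        "version_changed": sorted(k for k in set(previous) & set(current)
                                  if previous[k][0] != current[k][0]),
    }


def demo():
    """Constructed records for a hypothetical distributed application 'billing-web'."""
    scan = {
        ("commons-lang", "commons-lang"): ("2.4", "Apache-2.0"),
        ("log4j", "log4j"): ("1.2.15", "Apache-2.0"),
        ("org.springframework", "spring-core"): ("2.5.6", "Apache-2.0"),
        ("example", "gpl-widget"): ("1.0", "GPL-2.0"),       # constructed component name
    }
    declarations = {
        ("commons-lang", "commons-lang"): "string utilities",
        ("org.springframework", "spring-core"): "dependency injection container",
        ("org.hibernate", "hibernate"): "ORM, dropped in the last release",
    }
    requests = {
        ("commons-lang", "commons-lang"): "approved",
        ("org.springframework", "spring-core"): "pending",
    }
    previous_scan = {
        ("commons-lang", "commons-lang"): ("2.3", "Apache-2.0"),
        ("org.hibernate", "hibernate"): ("3.2", "LGPL-2.1"),
    }
    report = audit("billing-web", "distributed", scan, declarations, requests)
    report["delta"] = inventory_delta(previous_scan, scan)
    return report


if __name__ == "__main__":
    for section, value in demo().items():
        print(section, value)
```

In the constructed data, log4j and the GPL component appear in the build with neither a declaration nor a request, the GPL component additionally violates the distributed-application policy, spring-core is already in the build while its request is still pending, and hibernate is declared but gone. The bill of materials and bill of licenses are the artifacts a customer or auditor asks for; the delta is what makes the quarterly report say something beyond a snapshot.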

OLEX Enterprise Edition: A Complete SaaS Governance Platform

[Diagram: Inventory, Policies, Approvals, Track & Audit, built on the OpenLogic Certified Library]

Contact Information

For more information, please visit:

www.openlogic.com

www.olliancegroup.com

Or contact us by email at:

[email protected]

[email protected]
