Open source software components yield a competitive marketplace advantage. So why do some development teams resist and rebel?
Fernando Cremer, a Customer Success Engineer at Sonatype, works with organizations to optimize their use of open source software. He shows leaders how to champion open source use in production.
He recently shared his perspective at the Nexus User Conference.
To start, Fernando outlines the importance of oss governance. He defines governance as dominion over the libraries, frameworks, and dependencies in components. How an organization tracks component use and policy compliance impacts everything from costs to software security.
A common obstacle is a lack of planning beyond implementation. Fernando points to DJ Schleen’s chapter in Epic Failures in DevSecOps as illustrating a somewhat typical problem: lots of planning to implement open source components, followed by far lesser investment in maintaining systems to support this awesome resource. When developers are disrupted, or their builds are broken without explanation, the pitchforks come out.
How to avoid this? Consider your production process. Fernando outlines the software production stages:
Looking at this process, leadership must excel in three distinct areas to unleash the most productive software development.
#1 Communication Prowess: Communicate Regularly
Communication is key. Disruption and disillusionment come from a lack of clarity. Identify what your organization is trying to achieve and what is at stake. Invite stakeholders to the table to develop the process.
Support adoption by setting up a wiki that everyone can access. Include:
Set expectations early and communicate regularly. For example, who can fail a build? When should the team be notified? Earlier notifications give developers more time to research, fix, or request waivers. Communicate the resolution process, too. All of this should be documented in the wiki.
Ideally, says Fernando, “waivers should be the exception, not the expectation.”
#2 Clearly Define Steps: Present Actionable Findings
As Helen Beale of Ranger4 reminds us, our brain biology influences how we prioritize information. Too much information -- from a component scan with too many false positives -- promotes tool apathy, not action.
Define your organization’s threat threshold. For example, “don’t use any components Nexus Firewall flags with red or orange violations.” Communicate default actions to take, too. For example, “fix everything but blue items”. This limits action to mandatory issues. This, in turn, works down technical debt.
#3 Build an Organizational Philosophy (DevOps Culture)
“Last, but definitely not least,” says Fernando, “is culture.” Be honest about how your organization operates. Is it “scan and scold,” waiting until the end to fix problems? Or is it more a more proactive “support and guide” approach?
Work to create a “support and guide” culture. Core tenants include:
The goal should be to develop a single, flexible framework. As our CEO Wayne Jackson said at the Nexus User Conference keynote: there’s no need, and is likely counterproductive, to have more than one operational framework.
Finally, a bonus recommendation: Automate Where Appropriate. Don’t become the bottleneck in your organization. Prevent long wait times. Otherwise, out of necessity, developers will work around the process to deliver software.
When everyone on the team knows the expectations and the processes, managing open source software components is not disruptive. In fact, it will make your development process more resilient and robust.
Fernando and his team regularly conduct training workshops. If you need to integrate open source components, get in touch. Watch his full talk here.
Register for our free upcoming webinar, Software Composition Analysis on Tuesday, August 13th at noon EST.