Innersource, OSPOs, and a move toward a more strategic use of open source

By Javier Perez, Perforce.


Use of open source software in organisations is growing significantly. The recent 2023 State of Open Source report found that 80% of respondents to its global survey, across all industries and organisation sizes, increased the use of open source software over the last 12 months.

It is now beyond doubt that open source software will continue to expand. Because open source software is ubiquitous, organisations are changing their software development practices and using open source software in a more strategic way.

For example, many organisations are evolving from just being open source consumers to open source community members and, in some cases, the leaders driving and influencing the direction of open source projects. Level of maturity is what differentiates organisations that take a more structured approach, placing open source at the core of their technology strategy, from those that have not moved in that direction.


Open Source Program Office (OSPO)

There are literally millions of open source libraries and components. Over the years, organisations have had to define processes and guidance on how to adopt, consume, and commercialise software that is heavily based on open source software. Formally and informally, they have created groups to drive these processes, with different types of Open Source Program Offices (OSPOs) that oversee the governance of the use and generation of open source software.

OSPOs typically start by addressing open source license compliance, because commercial software is going to have open source components and organisations need to know the terms and potential restrictions in the different open source licenses. For example, the family of GPL licenses is restrictive and requires that modified code be released under the same copyleft license terms when it is distributed. If not addressed properly, this could lead to legal disputes, so it is important for organisations to have a team or OSPO overseeing the license compliance function.

With larger teams and more maturity in the use of open source, OSPOs also educate engineering and development teams about open source software, advocating for best practices, sharing tools, participating in open source projects and communities, as well as sponsoring projects. This approach benefits both organisations and developers.

Organisations that are mature in their use of open source software also rely on well-managed OSPOs to make open source part of their technology strategy. This means that there is clear guidance and direction toward the use of key open source technologies and about engaging with open source communities. These organisations realise that the rapid advancement of the latest technologies requires skills, experience, and proficiency.

Since they rely on open source software, organisations have three options to achieve those requirements: one, hire or train their own developers; two, receive external technical support for their different key open source technologies; and three, drive investment of time and resources in those key open source projects and communities while their developers become experts in the technology and have a chance to influence the direction of those open source projects. Most organisations do the first two — hire, train, and receive external technical support — while the more strategic ones also engage with open source communities.


Innersource

The 2023 State of Open Source Report cites the lack of experience and proficiency as one of the top three support challenges in the use of open source software. Another alternative to train developers while keeping software development internal is the implementation of Innersource projects, which can be driven by the OSPO or formed independently.

Inner sourcing refers to the application of the open source practices of project participation and collaboration to the development of software inside the organisation. The goal is to make the projects open to anyone within the organisation, which could be across different groups or brands incubating projects in the same way open source communities operate. This allows developers and projects to benefit from cross-functional expertise.

The adoption of inner sourcing is growing fast, which makes sense as long as developers and non-developers are granted enough time to contribute to those projects. When executed well, inner sourcing promotes collaboration, helps participants gain expertise, and reduces siloed development in organisations of all sizes.

Just like any other software project, innersource projects use many open source software components that require expertise and external technical support. In some cases, innersource projects are considered a first step, an incubated project before all or parts of it become open source software.


Final thoughts

There are more benefits from having both OSPOs and Innersource. Open source security scans, generation of software bill of materials (SBOMs), and other items are also part of the scope of OSPOs and Innersource.


Organisations that recognise the value of open source software and the need for compliance and expertise are adopting both OSPOs and Innersource projects. Not to be forgotten is the educational value of these initiatives, incentivising developers to continue working with the latest open source technologies, and continue learning and writing more and better code. For once, the future is predictable: there will be more open source and more maturity in its use, so for organisations not already doing so, starting to take a more strategic approach now is a wise investment.

https://www.openlogic.com/resources/2023-state-open-source-report
