Driving Organizational
Change and Value with
Open Source

Driving Organizational
Change and Value with
Open Source

The Yin and Yang of OSS Consumption and Contribution
Zen and the Art of
Organizational Open Source
Paula Paul

4
Cody Zuschlag
codyzus
Staff Developer Relations Engineer @NearForm
Instructor @ Université Savoie Mont Blanc
France

5
Paula Paul
paulapaultweets
Field CTO of DX @NearForm
Board Member OpenJS Foundation
Open Source Day Committee Grace Hopper
Celebration
Many other shenanigans…
At large…

6
Minimize effort
Maximize value
It takes practice!
The Zen
of
Open Source
Consume
Contribute

7
OSS as a Practice
1. Awareness
2. Safe Consumption
3. Strategic Contribution
Practice & Automation for
min effort / max value

Awareness

Why should
organizations care
about open source?

10
It has been estimated that Free and Open Source Software (FOSS) constitutes 70-90% of
any given piece of modern software solutions.
From: A Summary of Census II: Open Source Software Application Libraries the World Depends On
The World Runs on Open Source

11

12
From: From: Measuring
the Economic Value of
Open Source
How much value do you realize? Do you want more?

Why Now?

14
The Open Source Landscape is Evolving (rapidly!)
Build-vs-Buy
becomes Compose-
vs-Buy
Invest in People vs
Maintenance fees
for COTS or SaaS
Recruiting/Retention
Time to Market
Innovation
Differentiation
Strategic Control
OSS is accelerating
Value is accelerating
OSS Solutions
Viable solutions to
replace SaaS & COTS

15
Optimize consumption
& contribution to
maximize value
Where is your sweet spot?
Create

16
What is your Zen?
● Attracting & retaining talent
● Innovation
● Lower maintenance costs
○ Reduce/avoid fees
○ Impact feature roadmap, TTM
● Improve dev ex (internal & external)
● Brand recognition
● Reinforce corporate goals & values
○ Sustainability
○ Community

17
Reaching Zen in OSS
5. Enlightenment
4. Acceptance
3. Bargaining
2. Fear
1. Denial
Awareness
Safe Consumption
Strategic
Contribution

18
OSS as a Practice
1. Awareness
2. Safe Consumption
3. Strategic Contribution
Repeated Practice &
Automation to minimize effort

Safe Consumption
Consume
Contribute

20
From NodeConf EU 2022: Responsible use of Node.js & OpenSource software at an Enterprise Level, Steve Husak, Capital One
The OSS security landscape has changed rapidly

21
Understand Threats, Embrace Threat Modeling

22
From: Dependency Confusion and Substitution Attacks
Understand your dependencies & supply chain

23
From OWASP.org: DevSecOps Guideline - v-0.2
Fortunately, automation and tooling has kept up
● Software Bill of Materials (know and audit your dependencies)
○ awesomeSBOM
● Automated dependency updates
○ Dependabot
● FOSS SAST/DAST
○ OWASP Top Ten
○ Bearer
○ Is My Node Vulnerable?
○ Mend.io OSS Tools
○ Synk Open Source
○ Socket
Please Lint for Secrets!

24
Start Small: OSPO Working Group
Getting Started
● Identify Executive Sponsor
● Define simple Ways of Working for the OSPO WG / OSS ‘practice’
○ Use GitHub! (like the Linux Foundation)
○ Adopt ADRs! (we can help)
● Identify Strategic OSS Dependencies
○ E.g. Node, React… (start with a small number then expand)
● Identify target versions for Strategic OSS Dependencies, adopt SBOMs
○ Automate SBOMs and conformance checking (e.g. Linting, CLOMon)
● Set goals for OSS Policy, automate metrics and conformance
○ Contribution to projects you consume (employee agreements, CLAs, Legal)
○ Contributing your projects (licensing, hosting, sponsorship, accountability)
○ Time allocated for all employees to learn, participate, and contribute to OSS

25
From NodeConf EU 2022: Responsible use of Node.js & OpenSource software at an Enterprise Level, Steve Husak, Capital One
Start Small: OSPO Working Group
Practice, learn, and evolve over time, to:
○ Expand the footprint of technologies under the OSPO
○ Create additional automation and conformance checks
○ Sponsor internal Hackathons and OSS Innovation Labs
○ Own and sponsor public facing OSS assets
■ OSS Projects, NPM Registries, GitHub Organizations
○ Participate in public OSS Working Groups and Hackathons
■ OpenJSF / OpenSSF / FINOS / Green Software Foundation
■ Linux Foundation Public Health
■ Grace Hopper Open Source Day!
○ Build community, contribute to recruiting & retention through OSS

26
OSS is a Practice!
Balance -
- Safe Consumption
- Strategic Contribution
(not just one or the other)
Consume
Contribute

27
OSS as a Practice
1. Awareness
2. Safe Consumption
3. Strategic Contribution
Repeated Practice &
Automation to minimize effort

Strategic Contribution
Consume
Contribute

29
Lessons from the field
1. Publishing new projects
○ If you build it, they may not come…
○ All this work for such a small package!
2. Contributing to existing projects
○ Avoid dual maintenance (inner/OSS)
○ Ownership and IP
○ Harnessing Community as an
extension of your Engineering team

30
Starting Small
● Pick a small project
○ Solve an issue for your team!
○ Create a better mousetrap :)
● Avoid huge investments of time & $
● Automate OSS best practices
○ Get to know the TODO Group
○ Repolinter - OSS best practices
● Become familiar with CLOMon
● Consider Backstage for Governance

31
CLOMon, from CNCF - Open Source Health Dashboard
OSS Health - CLOMon, brand as your OSS dashboard

32
OSPO
OSS Policies / Open Source Days
OSS Developer Experience and Governance

33
Spotify Backstage (OSS) - Engineering Governance

34
Having multiple models for these different
cases that are then combined to form final
customer predictions allows us to account
for these differences.
Open Source Innovation is part
of the NearForm Identity
It is who we are.
People
● Recruiting: We can leverage
open source activities/thought
leadership to attract talent.
● Retention: We can give people
opportunities to ‘do the fun
work’ in open source as part of
our Open Source Policy.
● Training and upskilling: The DX
team is able to pair with core
delivery engineers to upskill and
train them on strategic tech and
how to engage in Open Source.
Brand and Visibility
● The DX team are technology
‘influencers’ via social media,
conference presentations, VLogs,
Twitch live coding, and more.
● OSPO tracks strategic OSS projects for
visibility and contribution.
● The DX team provides service
offerings.
● The DX team incubates new service
offerings based on Open Source
innovation (e.g. Lyra/Orama).
DX-OSS at NearForm
Open Source Leadership and Innovation
● OSPO and OSS Policy.
● Visible participation in Open Source
committees & working groups, with
related content.
● Based on input form working groups
and from core delivery, produce
working code that demonstrates
thought leadership and innovation.
● Offer Open Source Program Office and
Innovation Lab creation services to
clients to ignite innovation and
excitement in their technology teams.

OSS at NearForm
We work directly with the Open Source Security
Foundation to ensure the security of the JS
ecosystem
We are co-chairing Open Source Day with the
Grace Hopper Celebration to promote diversity &
inclusion in OSS
Our DX team includes one member of the Node
Technology Steering Committee, and three Node
Core Contributors
We sit on the board of the OpenJS Foundation,
and participate as Associate Members of FINOS
(Financial Services Open Source)
LF Public Health showcases our work on the
COVID App
We are contributing to the FINOS Accessibility
Hackathon to improve end to end accessibility
through Open Source

Where to start?
Consume
Contribute

Where are we?
Are there areas for growth?

38
Denial
● “We don’t do OSS”
● All closed source, commercially
licensed software
● OSS prohibition - fears about
security and supply chain

39
Fear
● Tightly controlled supply chain
● Devs struggle to be productive
○ shadow IT

40
Bargaining
● Open supply chain
● Devs contribute only to
controlled supply chain
● No contributions to public OSS
projects
● “InnerSource” vs Open Source
● No OSS Policy

41
Acceptance
● Developers empowered to use
and contribute to OSS
● Adhoc non-optimized
community contributions
● Part of OSS ecosystem, but
not organized initiative
● Discussions of OSPO & Policy

42
Enlightenment
● Strategic OSS dependencies
known and leveraged for value
● OSS drives innovation,
engagement, growth, & retention
● Measuring contributions & ROI
○ Org & community
● OSPO and OSS policy
○ Automated conformance
○ Education on legal aspects
○ Time for contribution
○ OSS Health Dashboard
● Actively participate in OSS
foundations/standards groups

43
Your OSS Practice
● Areas for growth?
○ Awareness?
○ Safe Consumption?
○ Strategic Contribution?
● What are your goals?
○ Reduce COTS/SaaS Cost?
○ Understand OSS alternatives?
● Innovation & differentiation
○ OSS for competitive advantage
○ OSS to differentiate
○ OSS to innovate

Where to Start?
Consume
Contribute

45
Effort vs Value
What are your goals?
- Safe Consumption & Supply Chain?
- Recruiting & Retention?
- Developer Experience? Community?
- Time to Market?
- Reduced COTS & SaaS Cost?

46
Measure & Automate
Start Small - one exercise at a time
- Awareness
- OSS as part of onboarding
- Simple OSS Policy
- Education, time, metrics
- Safe Consumption
- Identify critical dependencies
- Keep dependencies current
- Supply chain automation
- Strategic Contribution
- Solve a business need
- Publish your first project, learn

47
Consume
Contribute
Minimize effort
Maximize OSS value
Balanced Practice

48
nearform.com
WE’RE BOLD
WE’RE FLEXIBLE
WE’RE OPEN
WE’RE EMPOWERING
follow us on
Major Contributors to the
Open Source Web Platform
Represents modules used globally
8%
NPM monthly downloads
1B
Global Delivery and OSS Innovation

49
Questions?