“There isn’t a one size fits all model. I can’t stand up in front of a crowd and say, ‘this is how you should do it.’”
– Jeff McAffer, director of Open Source Programs Office at Microsoft
And neither am I... this is how you "might" do it.
CREATING AN OSPO
The Philadelphia Open Source Conference aims to connect open source
developers, leaders, technologists, and community leaders to collaborate on the
latest in open source innovation. It’s an environment for cross-collaboration
between developers, operators, architects, leaders and others who are driving the
technology forward.
That's great. But, why?
PROMINENCE OF OPEN SOURCE
all major areas of software innovation are happening in open source
[Diagram: WORLD, SOFTWARE, OPEN SOURCE, CLOUD]
Calcote's 5 C's to open source strategy...
a well-rounded open source strategy incorporates these 5 C's
...include not only consuming open source software and complying with licensing, but also participating in community, giving and receiving contributions as well as actively assuaging the competitive nature of popular projects.
CONSUMPTION
CONTINUAL INGESTING OF SOFTWARE FROM MULTIPLE SOURCES
Today's software products average 60% to 80% open source in their code.
CONSUMPTION
WHY DO COMPANIES USE OPEN SOURCE SOFTWARE?
THERE ARE MANY COMPELLING REASONS FOR USING OPEN SOURCE:
All of these reasons add up to a competitive advantage for organizations using OSS.
Faster - speed up the delivery of software solutions.
Shared cost - less expensive than commercial software and in-house development.
Flexibility - with source code in hand, you can make needed modifications, and licensing flexibility can allow changes to the code and deployment strategies without impediment.
Innovation - often the leading edge of development comes from open source communities.
Influence - within a project; across related projects.
Talent - both attraction and retention.
COMPLIANCE
SOLID COMPLIANCE TOOLING AND PROCESS IS KEY TO REDUCING RISK:
Why should I comply with licenses?
Legal injunction that prevents shipping product.
Customer service headaches.
Loss of intellectual property.
Engineering rework.
Punitive damages.
Embarrassment.
Source: https://www.linuxfoundation.org/blog/2016/12/open-source-compliance-in-the-enterprise-benefits-and-risks/
COMPLIANCE GOALS
1. Shipped products and delivered services have secure and approved open source components and licenses.
2. Ensure license requirements are upheld.
   1. Notices and attribution within and outside of code.
3. Vulnerabilities are tracked and remediations incorporated.
4. Redistribution of source code as appropriate.
PROCESS GOALS
1. Outline, agree to and educate on the OSS review process.
2. Acknowledge that on-prem and SaaS have different needs.
   1. Hold each to the same rigor and process, augmenting tooling as needed.
3. Empower engineering teams to self-service as much as possible.
4. Account for a multi-source development model.
   1. Enable and streamline continuous execution.
2 C's deep. Quit here?
INNER SOURCING
INNER SOURCING BEFORE OR AFTER OPEN SOURCING?
LEVERAGE THE BENEFITS OF OPEN SOURCE DEVELOPMENT METHODOLOGIES INTERNALLY
Is this step necessary for your organization?
Establish an open source-like culture within the org.
More efficient development; standardize tools.
Overcoming organizational unit boundaries.
Promote reuse and avoid the not-invented-here complex.
More flexible utilization of developers.
CONTRIBUTION
INBOUND AND OUTBOUND
How do I give and receive?
Need to:
Qualify loss of IP.
Have a Contributor License Agreement (CLA) - as an individual or an organization?
Provide contribution guidelines.
Define project governance.
COMMUNITY
PURPOSEFUL ENGAGEMENT KEY TO GAINING MOMENTUM
Support, governance, velocity are all measures used to decide whether to use open source software.
Formulate—and communicate—your end-user and developer community support strategies and guidelines.
Anyone in your company who wants to start or participate in an existing project should understand what a well-run community looks like.
THE ROLE OF AN OSPO
the center of the universe for a company’s open source operations and structure
MUCH TO ENCOMPASS
BUSINESS ALIGNMENT
Without the right legal counsel, an open source program office can end up placing undue risk on company management. They can also stifle innovation, so strike the right balance.
Align with product strategy. If your open source program office is not helping your product strategy, then it's probably a wasted effort.
CROSS-FUNCTIONAL RESPONSIBILITIES
Open Source Executive Committee
Review and approve proposals to release IP / proprietary source code under OSS license.
Review and approve proposals to use non-approved license types.
Open Source Program Office (Review Board)
Drive all activities surrounding the 5 C's.
Provide guidance on open source questions coming from company staff and engineers.
Develop community involvement policy, process, procedures, and guidelines.
Coordinate source code scans, audits and distribution of source code packages.
Contribute to compliance and OS training.
Contribute to creation of new tools to facilitate automation, discovery of OS in dev environment.
Host and maintain the company’s open source websites.
Engineering Operations
Review requests for the use, modification, and distribution of open source.
Handle compliance inquiries.
Ensure records of compliance for any given open source software component are up to date.
Review end-user documentation to ensure that appropriate copyright, attribution, and license
notices are given to consumers.
Perform audits of all software included in a product, which involves the following tasks:
Run a source code scanning tool over the software base and analyze results.
Address all licensing conflicts flagged by the scanning tool.
Oversee the closure of all issues identified by scanning tools.
Create a final audit report and ensure that all identified issues have been closed.
Legal
Provide guidance on licensing.
Contribute to and approve training.
Review and approve list of obligations to fulfill.
Review and approve open source notices.
Engineering & Product Teams
Follow compliance policies and processes.
Integrate compliance practices in dev process.
Conduct design, architecture, and code reviews.
Prepare software packages for distribution.
IT & Supply Chain
Mandate third party software providers to disclose open source in licensed or purchased
software components.
Assist w/ingress of third party software (commercial and open source software).
Support and maintenance for tools infrastructure used by the compliance program.
Create and/or acquire new tools based on OSPO requests.
Documentation & Localization
Include open source license information and notices in the product documentation.
Translate basic information in target languages about open source information related to
the product or software stack.
Corporate Development
Request open source compliance be completed before a merger or acquisition.
Request open source compliance be completed when receiving source code from
outsourced development centers or third-party software vendors.
Human Resources
Build, retain, and attract talent.
CONTINUAL COMPLIANCE PROCESS
Two points of ingest
the "74%" of an OSPO's role
Request approval before using.
Initial and on-going scans of existing code bases.
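As an added example (not from the talk or any OSPO's own tooling): a minimal "request approval before using" gate that applies the compliance goals above to a constructed component inventory, blocking on untracked vulnerabilities, passing pre-approved licenses, escalating non-approved license types to the Open Source Executive Committee, and emitting the attribution notices for whatever is cleared to ship. The policy sets, the inventory and the vulnerability identifier are all assumptions made for illustration.

```python
# Added example, not from the talk: approval gate for open source components.
from dataclasses import dataclass

# Assumed policy: licenses the OSPO review board has pre-approved for use.
APPROVED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}
# Assumed: license types that need Open Source Executive Committee review.
COMMITTEE_REVIEW_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    spdx: str      # license as an SPDX identifier, or NOASSERTION
    notice: str    # copyright line used for attribution

# Constructed inventory, as a scan of an existing code base might report it.
INVENTORY = [
    Component("left-pad", "1.3.0", "MIT", "Copyright (c) Example Author"),
    Component("httpclient", "4.5.13", "Apache-2.0", "Copyright Example Foundation"),
    Component("readline", "8.1", "GPL-3.0-only", "Copyright (C) Example Project"),
    Component("mystery-lib", "0.1", "NOASSERTION", ""),
]
# Constructed: identified vulnerabilities that have no tracked remediation.
OPEN_VULNS = {("httpclient", "4.5.13"): ["EXAMPLE-VULN-0001"]}

def decide(c, open_vulns=OPEN_VULNS):
    """Return (status, reason): untracked vulnerabilities block regardless of
    license; pre-approved licenses pass; non-approved types escalate; unknown block."""
    key = (c.name, c.version)
    if key in open_vulns:
        return "blocked", "open vulnerability: " + ", ".join(open_vulns[key])
    if c.spdx in APPROVED_LICENSES:
        return "approved", "license pre-approved"
    if c.spdx in COMMITTEE_REVIEW_LICENSES:
        return "committee-review", "non-approved license type"
    return "blocked", "unknown or unasserted license"

def review(inventory, open_vulns=OPEN_VULNS):
    return {c.name: decide(c, open_vulns) for c in inventory}

def notices(inventory, decisions):
    """Attribution text for the components cleared to ship (compliance goal 2.1)."""
    cleared = [c for c in inventory if decisions[c.name][0] == "approved"]
    return "\n".join(f"{c.name} {c.version} - {c.spdx}\n  {c.notice}" for c in cleared)

if __name__ == "__main__":
    decisions = review(INVENTORY)
    for name, (status, reason) in decisions.items():
        print(f"{name:12} {status:17} {reason}")
    print("\nTHIRD-PARTY NOTICES\n" + notices(INVENTORY, decisions))
```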
TOP 3 WAYS SUCCESS IS MEASURED
Measuring and monitoring success.
OSPO DASHBOARD
For your code and third-party code
Security
Identified security vulnerabilities
Static vulnerability analysis
Compliance
Flagged license compliance
Status of scans
Contribution
Missing contribution guides
Unsigned CLAs
Outstanding contribution requests
Community
Events
Repo stats: stars, PRs, commits, issues
CHECKLIST
ESTABLISHING AN OSPO
Hire a believer; a champion
Open source pragmatists are everywhere, but your innovative, forward-thinking, ambitious open source advocate is an extremely valuable rarity.
Hire them to run your open source programs if you want to make a difference.
Open source programs tend to start informally as a working group or a few key open source developers and then evolve into formal programs over time...
...typically within a company’s software engineering or development department (about 41% of programs).
CHALLENGE #3
Open source software is more than free software
Most tech company executives are far-removed from open source communities.
Most don't understand many of the motivations for participants, nor do they
understand the nuanced differences in licensing models, various types of
productization and business models, or how proprietary and open source software
can be used in conjunction to create a better product line.
KEEP THE FAITH
The benefits of an open source program are widely known, with 70% of those without a program believing it would have a positive impact in their company, despite any barriers to creating it.
RESOURCES
many thanks to these open stewards
Supporting Groups:
TODO Group
The Linux Foundation
OSPO Case Studies:
Autodesk
Capital One
Comcast
Dropbox
Facebook
Google
Microsoft
Oath
RedHat
Salesforce
LEE CALCOTE
THANK YOU. QUESTIONS?
clouds, containers, functions,
applications and their management
linkedin.com/in/leecalcote
@lcalcote
gingergeek.com
calcotestudios.com/talks
github.com/leecalcote
lee@calcotestudios.com