Berlin

November 4 & 5, 2024

New York

September 4 & 5, 2024

Four things you need to know from ‘Using open source safely and effectively’

A snapshot of the series
April 04, 2022

You have 1 article left to read this month before you need to register a free LeadDev.com account.

How can teams take advantage of open source projects while protecting their companies from potential vulnerabilities?

In this series, we explored how users and maintainers can work to ensure the safety and efficiency of open source software. From assessing the risks of specific projects to questioning who’s responsible for testing for security flaws, here are the highlights:

Shift left

Episode 01: Using Open Source safely and effectively

How are other engineering orgs engaging with open source? In this panel, a group of engineering leaders came together to share their experiences with open source and discuss different steps they’ve taken to shield their companies from potential problems down the line.

Featuring Maria Ntalla (Engineering Manager at Shopify), Joe Sepi (Open Tech Program Director at IBM), Jigyasa Grover (Machine Learning Engineer at Google), Chetan Conikee (Founder & CTO, ShiftLeft), and Shallon Brown (Owner & Founder at StackMaster), the panel discussed:

  • The potential risks of open source within your org
  • How to assess the legitimacy of open source projects before integration
  • How to develop collaborative processes for knowledge sharing between teams on security risks
  • How to build a cohesive company approach to using open source as it evolves

Episode 02: How open source maintainers ensure projects are safe, friendly, and thriving

Gone are the days when tech companies would see the words ‘open source’ and run. But how did we get here and what are maintainers doing to ensure open source software is safe and effective for those who use it?

In this article, Emma Burstow pulls the curtain on how maintainers operate – from handling test coverage and merging processes to improving communication and using bots – and shares why kindness and friendliness are at the core of her approach.

Episode 03: Who is responsible for open source security?

When companies include open source software in their commercial products, who should be held responsible for testing, documenting, and fixing security vulnerabilities: the organization or the project maintainers?

Here Chetan Conikee tackles this complex question using Log4Shell as a case study. He explains why creating documentation should be a shared responsibility but testing for flaws should fall to the user company, and argues that ultimately, users need to work on building a culture of accountability.

Episode 04: A guide to open source for the traditional enterprise

Open sourcing your company’s software is a great way to showcase your technology, attract new talent, and give back to the community. But getting started in a traditional, nervous enterprise can be easier said than done.

Here Raimon Ràfols shares how he successfully launched an open source initiative in his company, AXA, from persuading senior stakeholders and launching the program to raising awareness of the project and supporting development teams through the process.

A final takeaway

The safety of an open source project depends on its maintainers, users, and contributors. That might be nerve-wracking for engineering orgs, but it’s precisely this collective effort that makes open source so valuable. Engineering teams can do their part to keep OSS safe and effective by educating themselves on the risks, learning how maintainers work behind the scenes, and testing for flaws whenever they can.

Shift left