How can teams take advantage of open source projects while protecting their companies from potential vulnerabilities?
In this series, we explored how users and maintainers can work to ensure the safety and efficiency of open source software. From assessing the risks of specific projects to questioning who’s responsible for testing for security flaws, here are the highlights:
Episode 01: Using Open Source safely and effectively
How are other engineering orgs engaging with open source? In this panel, a group of engineering leaders came together to share their experiences with open source and discuss different steps they’ve taken to shield their companies from potential problems down the line.
Featuring Maria Ntalla (Engineering Manager at Shopify), Joe Sepi (Open Tech Program Director at IBM), Jigyasa Grover (Machine Learning Engineer at Google), Chetan Conikee (Founder & CTO, ShiftLeft), and Shallon Brown (Owner & Founder at StackMaster), the panel discussed:
- The potential risks of open source within your org
- How to assess the legitimacy of open source projects before integration
- How to develop collaborative processes for knowledge sharing between teams on security risks
- How to build a cohesive company approach to using open source as it evolves
Gone are the days when tech companies would see the words ‘open source’ and run. But how did we get here and what are maintainers doing to ensure open source software is safe and effective for those who use it?
In this article, Emma Burstow pulls back the curtain on how maintainers operate – from handling test coverage and merging processes to improving communication and using bots – and shares why kindness and friendliness are at the core of her approach.
Episode 03: Who is responsible for open source security?
When companies include open source software in their commercial products, who should be held responsible for testing, documenting, and fixing security vulnerabilities: the organization or the project maintainers?
Here Chetan Conikee tackles this complex question using Log4Shell as a case study. He explains why creating documentation should be a shared responsibility but testing for flaws should fall to the user company, and argues that ultimately, users need to work on building a culture of accountability.
Open sourcing your company’s software is a great way to showcase your technology, attract new talent, and give back to the community. But getting started in a traditional, nervous enterprise can be easier said than done.
Here Raimon Ràfols shares how he successfully launched an open source initiative in his company, AXA, from persuading senior stakeholders and launching the program to raising awareness of the project and supporting development teams through the process.
A final takeaway
The safety of an open source project depends on its maintainers, users, and contributors. That might be nerve-wracking for engineering orgs, but it’s precisely this collective effort that makes open source so valuable. Engineering teams can do their part to keep OSS safe and effective by educating themselves on the risks, learning how maintainers work behind the scenes, and testing for flaws whenever they can.