Thinking about open source governance issues from the perspective of OSPO

Some issues with open source

Many of today's most important business breakthroughs, including big data, machine learning, cloud computing, IoT, and streaming analytics, stem from open source software innovations.

By using open source software, businesses save time, money, and effort by not building everything from scratch, and get more innovation from their investment. But a growing body of data shows that the security threats coming from open source software are becoming more serious.

Looking at relevant domestic policies, encouraging and regulating innovation in open source technologies and promoting the sustainable development of open source communities has become a goal of China's technological development.

The steadily improving national and industry standards on software supply chain security and open source technology evaluation all reflect the country's requirements for open source governance. They require enterprises not only to gather statistics and analyze their internal use of and dependence on open source software, but also to respond quickly and provide more effective solutions when they encounter threats originating from open source.

The country pays close attention to open source governance because many companies rely too heavily on open source technology without bringing it under control early, or because they lack an understanding of open source culture and awareness of open source. When implementing open source governance, SCA tools, as the core open source security tool, become a necessity.

As China pays more and more attention to open source governance, what can be learned from the way foreign companies handle it? This brings to mind the OSPO (Open Source Program Office) that many large foreign companies advocate establishing.

What is OSPO?

OSPO (Open Source Program Office): its purpose is to help enterprises develop enterprise-level open source strategies covering the use, support, participation in, and development of open source software; to help enterprises understand the advantages and potential threats of open source software; and to think about how to balance these factors to meet the company's business goals.

Another key role of the OSPO is auditing license compliance to ensure that the organization meets the various license requirements of the open source software it uses. This includes how the enterprise contributes to the open source community, what it releases back to the community, and evaluating how open source technology brings value to the enterprise's business.


OSPO is not SCA

From the perspective of open source governance, SCA (Software Composition Analysis) tools are technical tools that identify, manage, and track components by analyzing specific information or characteristics contained in the software. They are the open source security tool among the three elements of open source governance.

The OSPO is more like a set of solutions covering all three elements of open source governance: process and policy, staffing, and open source security tools.

In enterprises that have established an OSPO, OSPO staff help internal developers understand the best way to produce an SBOM and help adopt the SPDX (Software Package Data Exchange) standard. The OSPO also maintains active contact with foundations. For example, in 2021 Google's OSPO and OpenSSF jointly launched the software supply chain integrity framework SLSA (Supply-chain Levels for Software Artifacts).

SLSA is a framework for ensuring the integrity of artifacts throughout the software supply chain. It was inspired by Google's internal BAB (Binary Authorization for Borg), which Google has used for the past 8 years and which is mandatory for all of Google's production workloads. The goal of SLSA is to improve the security posture of the industry, and especially of open source software, against the most pressing threats to its integrity.

The importance of cooperation between an enterprise's OSPO and OpenSSF became more prominent after the "nuclear bomb level" Log4j vulnerability broke out. OpenSSF took on the burden of patching the Log4j vulnerabilities, helping to find and patch more than 10,000 open source software vulnerabilities (the Alpha-Omega project).

The Alpha-Omega project is not merely a vulnerability repair project: it takes the Log4j vulnerability as an opportunity to improve the corresponding security technology and response mechanisms, and to replicate those capabilities to all related companies through the power of the foundation. As the enterprise's "spokesperson", the OSPO will follow the implementation of this plan as early as possible and turn it into a more valuable mechanism for securing the software supply chain.

Relationship between OSPO and SCA

Compared with the responsibilities of an OSPO, if domestic enterprises' open source governance work were not driven by national policies and standards, they would most likely just increase their use of SCA tools to ensure the security of their own open source components. But for the software supply chain as a whole, relying on tools alone is far from enough.

Perhaps the difference from China's domestic market environment, which is driven by national policy, is this: the cooperation between foreign companies (or large domestic companies) and industry foundations to promote corresponding standards or policies is the primary factor that makes the OSPO better suited to growing in "foreign soil".

Even so, I believe that in the domestic environment enterprises will also form organizations with functions similar to an OSPO, dedicated to open source governance, coordinating resources within the enterprise and cooperating across multiple departments. The SCA tool will be integrated into the enterprise's internal R&D platform and DevSecOps platform to automatically ensure the security and compliance of the enterprise's use of open source software, working closely with that organization.

If the SCA tool is the "sharp sword" of open source governance, then who wields the sword to guard security, and who directs the "campaign" of open source governance, is the next question for enterprises to think about.

Related information:

  1. The benefits of open source and OSPO: https://linuxfoundation.org/tools/todo-group-why-open-source-matters-to-your-enterprise/

  2. The Evolution of the Open Source Program Office: https://linuxfoundation.org/tools/the-evolution-of-the-open-source-program-office-ospo/

  3. New research reveals the evolution of the OSPO: https://mp.weixin.qq.com/s/YVJU1qTFusmx1ZW3ovWclg

  4. From BAB to SLSA: on Google's software supply chain risk governance: https://zhuanlan.zhihu.com/p/382721804

  5. What is the Open Source Program Office? https://my.oschina.net/u/4937141/blog/500774


Origin blog.csdn.net/GitChat/article/details/124386177