I was in the grocery store and heard a passing comment from what I assume was a mother to her daughter, the latter of which was walking through the store totally engrossed in her cell phone. Mom says, “Did you know that July 26th is a holiday for putting down your phone and having an actual conversation with those around you?”
I wondered if ‘mom’ made up this random holiday, but sure enough—although its origin is unknown—this off-beat holiday does exist. It’s a bit more specific, however, and it’s called National Talk in an Elevator Day. There are an inordinate number of blogs and articles discussing the meaning of the day with tips as to how to get in the true spirit and make the most out of your vertical journey with fellow riders.
What does this have to do with open source software management? Well, the brief episode got me thinking about the research Flexera released at the beginning of the year. We analyzed over 134 audit projects and determined that only 2% of the open source license compliance issues and security vulnerabilities discovered were initially disclosed prior to audit start. An average of 367 issues were found per audit project, and 16% of those were considered Priority 1 (P1) level issues: high severity issues that require immediate attention and remediation.
What you don’t know can hurt you! We write a lot about using the right scanning tool to seek out and find license compliance issues and security vulnerabilities that could put your company at risk. But what about the internal discussions that should take place to get engineering, IT, security, legal, and company leaders on the same path regarding open source management?
Open source management is a strategy that needs to be cultivated within organizations to build more awareness.
In the spirit of this day, break the ice! Let the conversations begin…in an elevator or elsewhere.
Here’s a list of important questions to ask and answer, all centering around the OpenChain pillars of setting policy and requirements, conformance, and education:
- Do we have clear policies and processes for implementing an open source strategy?
- Is it easy to find third-party license notices for our products?
- Do we have a process and a plan for upgrading and patching products due to open source vulnerabilities?
- Are we continuously educating employees about open source use and compliance?
- Is there material support to the open source projects we are using?
- What scanning tools are in place for open source software management?
- Have we established an Open Source Review Board (OSRB)?
Depending on whom you are talking to, the questions can go deeper or stay at a higher level. Here’s a start: “Hi. Have you heard how we are using open source software to innovate and create better customer experiences with our products?”
The important step is to start the conversation.