finjs london 2016 - leveraging open source in the dev. process to maximize security, compliance and...
Post on 24-Jan-2017
Leveraging open source in the dev process to maximize security, compliance & quality
December 7th, FinJS London
Maurizio Pillitu, DevOps Director, Symphony Software Foundation
@maoo, maoo@symphony.foundation
Foundation & Corporation
Foundation:
• Stewardship of Symphony open core
• Hosts Symphony community projects
• Fosters an open ecosystem
Corporation:
• Delivers Symphony as commercial SaaS
• Supports Symphony open core
• Main contributor to the Symphony Software Foundation (for now!)
2016 Future of Open Source survey
https://www.blackducksoftware.com/2016-future-of-open-source
65% Consumption (+5% from 2015)
65% Contribution (+2% from 2015)
33% Commitment
50% Compliance
Your journey to Open Source
Consumption: download, run, test, deploy code publicly available (to production?)
Contribution: open issues, send patches, join mailing-list discussions
Commitment: commit dedicated resources to Open Source development
Compliance: define formal policies for selecting and approving Open Source code
“Deliver enterprise-ready software that adheres to quality, security and legal standards imposed by highly-regulated industry”
“Navigate through the OSS software offerings; assess, test, run, then choose”
Decomposing Compliance
Metrics and KPIs: metrics are defined across 3 macro areas; KPIs define the way metrics are measured.
Measurement and automation: measurements are (preferably automated) processes that return KPI values for each metric.
Metrics examples
Legal: IP cleanliness, outbound license consistency, ...
Security: CVE free, OWASP guidelines, ...
Quality: project liveliness, documentation, test coverage, ...
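The slide separates metrics (what is checked, per macro area) from KPIs (how each metric is scored) and asks for automated measurements that return KPI values. The following is an added example, not code from the talk or from the Symphony Software Foundation's tooling: a small measurement that scores a constructed project snapshot against hypothetical policy thresholds and returns one KPI set per macro area plus the overall green light. The dependency manifest, advisory feed, CVE id and every threshold in POLICY are constructed placeholders.

```python
"""
Added example (not from the slides or the Symphony Software Foundation's
tooling): an automated "measurement" returning KPI values for the three
macro areas named on the slide (Legal, Security, Quality).

All inputs below are constructed sample data; the thresholds in POLICY are
hypothetical, not the Foundation's real policy.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str
    license: str


@dataclass(frozen=True)
class Advisory:
    package: str
    affected_versions: frozenset  # exact versions, to keep the example simple
    cve_id: str


# Constructed project snapshot, standing in for what a scanner would collect.
PROJECT = {
    "outbound_license": "Apache-2.0",
    "dependencies": [
        Dependency("left-pad", "1.1.3", "MIT"),
        Dependency("lodash", "4.17.4", "MIT"),
        Dependency("gpl-widget", "2.0.0", "GPL-3.0"),
    ],
    "latest_versions": {"left-pad": "1.1.3", "lodash": "4.17.4", "gpl-widget": "2.1.0"},
    "last_commit": date(2016, 11, 20),
    "has_readme": True,
    "has_contributing": False,
    "test_coverage": 72.5,
}

# Constructed advisory feed: the CVE id is a placeholder, not a real advisory.
ADVISORIES = [
    Advisory("lodash", frozenset({"4.17.4"}), "CVE-0000-0001"),
]

# Hypothetical policy thresholds: the KPIs that define how each metric is measured.
POLICY = {
    "allowed_inbound": {"Apache-2.0": {"MIT", "BSD-3-Clause", "Apache-2.0"}},
    "max_days_since_commit": 90,
    "min_coverage": 70.0,
    "as_of": date(2016, 12, 7),
}


def legal_kpis(project, policy):
    """Outbound license consistency: every inbound license must be allowed
    for the project's declared outbound license."""
    allowed = policy["allowed_inbound"][project["outbound_license"]]
    incompatible = [d.name for d in project["dependencies"] if d.license not in allowed]
    return {"license_consistent": not incompatible, "incompatible": incompatible}


def security_kpis(project, advisories):
    """CVE free: no pinned dependency version appears in the advisory feed.
    Out-of-date versions are reported separately, as on the slide."""
    hits = [a.cve_id for a in advisories for d in project["dependencies"]
            if a.package == d.name and d.version in a.affected_versions]
    outdated = [d.name for d in project["dependencies"]
                if project["latest_versions"].get(d.name, d.version) != d.version]
    return {"cve_free": not hits, "cves": hits, "outdated": outdated}


def quality_kpis(project, policy):
    """Project liveliness, documentation and test coverage against thresholds."""
    age_days = (policy["as_of"] - project["last_commit"]).days
    return {
        "alive": age_days <= policy["max_days_since_commit"],
        "documented": project["has_readme"] and project["has_contributing"],
        "coverage_ok": project["test_coverage"] >= policy["min_coverage"],
    }


def measure(project=PROJECT, advisories=ADVISORIES, policy=POLICY):
    """Run every measurement and derive the project's green light (the badge)."""
    report = {
        "Legal": legal_kpis(project, policy),
        "Security": security_kpis(project, advisories),
        "Quality": quality_kpis(project, policy),
    }
    # Only gating KPIs block the badge; "documented" and "outdated" are advisory.
    gates = [report["Legal"]["license_consistent"], report["Security"]["cve_free"],
             report["Quality"]["alive"], report["Quality"]["coverage_ok"]]
    report["green_light"] = all(gates)
    return report


if __name__ == "__main__":
    for area, values in measure().items():
        print(area, values)
```

The sample project fails two gates (a GPL-3.0 dependency under an Apache-2.0 outbound license, and a pinned version listed in the advisory feed), so the green light stays off; the same function run against a clean snapshot turns it on. In a real pipeline the dependency list and advisory feed would come from the scanners on the later slide rather than from inline constants.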
https://symphonyoss.atlassian.net/wiki
Stats: metric trends for the past and roadmap for the future
Docs: which metrics are checked and what’s the current score
Badges: project green lights
Publish clear instructions to simplify consumption
Project Lifecycle: Incubating, Active, Archived
Measurements... and automation
Code analysis: static, runtime, platform-specific execution
Third-parties: license compatibility, out of date versions, CVE alerts
File classification: documentation, source code, binaries
Environments: development, staging, production
Testing: run, coverage
Build: Cloudbees, myget, Travis CI
ALM: Atlassian Cloud, Gitlab, Cloudbees
Source Repository: Gitlab, Github, Bitbucket
Scanning: Sonarqube, Nodesecurity, Versioneye, Bithound, Code climate
Advanced challenges
• Limits on hosted projects and/or collaborators
• API rate limits
• Custom metrics and measurements
• Hosted and SaaS hybrid build systems
• Secrets management
• Multi-platform and multi-ecosystem
Filling the gap between Compliance and Consumption
Consumers
● Badges, stats and docs
● High quality, secure, compliant software
● Access to the community
Contributors
● Best of breed infrastructure
● Metrics, KPIs and automation
● Exposure through the community
Questions?
Maurizio Pillitu, DevOps Director, Symphony Software Foundation
@maoo, maoo@symphony.foundation
● https://blog.symphony.foundation
● https://symphonyoss.atlassian.net/wiki