FinJS London 2016 - Leveraging open source in the dev process to maximize security, compliance and quality

Upload: symphony-software-foundation

Post on 24-Jan-2017


Leveraging open source in the dev process to maximize security, compliance & quality

December 7th, FinJS London

Maurizio Pillitu, DevOps Director, Symphony Software Foundation
@maoo, [email protected]

What is Symphony: Foundation & Corporation

Symphony Software Foundation
• Stewardship of Symphony open core
• Hosts Symphony community projects
• Fosters an open ecosystem

Symphony Corporation
• Delivers Symphony as commercial SaaS
• Supports Symphony open core
• Main contributor to the Symphony Software Foundation (for now!)

2016 Future of Open Source survey (Black Duck)
https://www.blackducksoftware.com/2016-future-of-open-source

• 65% Consumption (+5% from 2015)
• 65% Contribution (+2% from 2015)
• 33% Commitment
• 50% Compliance

Your journey to Open Source

• Consumption: download, run, test, deploy code publicly available (to production?)
• Contribution: open issues, send patches, join mailing-list discussions
• Commitment: commit dedicated resources to Open Source development
• Compliance: define formal policies for selecting and approving Open Source code

Decomposing Compliance

“Deliver enterprise-ready software that adheres to quality, security and legal standards imposed by a highly-regulated industry”

“Navigate through the OSS software offerings; assess, test, run, then choose”

Metrics and KPIs
Metrics are defined across 3 macro areas; KPIs define the way metrics are measured.

Measurement and automation
Measurements are (preferably automated) processes that return KPI values for each metric.

Metrics examples
• Legal: IP cleanliness, outbound license consistency, ...
• Security: CVE free, OWASP guidelines, ...
• Quality: project liveliness, documentation, test coverage, ...

Project green lights
https://symphonyoss.atlassian.net/wiki

• Stats: metric trends for the past and roadmap for the future
• Docs: publish clear instructions to simplify consumption
• Badges: which metrics are checked and what’s the current score

Project Lifecycle: Incubating, Active, Archived

Measurements...

• Code analysis: static, runtime, platform-specific execution
• Third-parties: license compatibility, out-of-date versions, CVE alerts
• File classification: documentation, source code, binaries
• Testing: run, coverage
• Environments: development, staging, production
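The metrics/KPI/measurement model of the earlier slide and the measurement categories listed above (license compatibility, CVE alerts, file classification, test coverage, project liveliness) as one added Python example; this is not code from the presentation or from the Foundation's tooling. The project descriptor, the advisory feed, the license compatibility table and every KPI threshold are constructed for the example, and the advisory id is a placeholder. Each Metric pairs a measurement (an automated function returning a raw value) with a KPI rule (a function turning that value into pass/fail), and the project "green light" is the conjunction of all KPIs across the three macro areas.

```python
"""Toy compliance dashboard: metrics in three macro areas (legal, security,
quality), each with an automated measurement and a KPI rule.
All project data, advisories and thresholds below are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Any, Callable

# Constructed project descriptor (hypothetical project, not a real one).
PROJECT = {
    "name": "example-bot",
    "outbound_license": "Apache-2.0",
    "dependencies": [
        {"name": "libalpha", "version": "1.4.0", "license": "MIT"},
        {"name": "libbeta", "version": "2.0.1", "license": "Apache-2.0"},
        {"name": "libgamma", "version": "0.9.2", "license": "GPL-3.0-only"},
    ],
    # File classification: documentation, source code, binaries.
    "files": {"README.md": "doc", "src/bot.js": "source", "vendor/blob.bin": "binary"},
    "coverage_percent": 78.5,
    "last_commit": date(2016, 11, 20),
}

# Constructed advisory feed keyed by (package, affected version); placeholder id.
ADVISORIES = {("libgamma", "0.9.2"): "ADV-PLACEHOLDER-001"}

# Simplified compatibility table for an Apache-2.0 outbound license
# (assumption for the example: copyleft licenses are treated as incompatible).
APACHE2_COMPATIBLE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}


@dataclass
class Metric:
    area: str                       # legal | security | quality
    name: str
    measure: Callable[[dict], Any]  # measurement: project -> raw value
    kpi: Callable[[Any], bool]      # KPI rule: raw value -> pass/fail


def incompatible_licenses(p):
    """Legal: dependencies whose license conflicts with the outbound license."""
    return sorted(d["name"] for d in p["dependencies"]
                  if d["license"] not in APACHE2_COMPATIBLE)


def vulnerable_dependencies(p):
    """Security: advisory ids matching a pinned dependency version."""
    return sorted(ADVISORIES[(d["name"], d["version"])] for d in p["dependencies"]
                  if (d["name"], d["version"]) in ADVISORIES)


def binaries_for_review(p):
    """Quality: files classified as binaries, which need manual review."""
    return sorted(f for f, kind in p["files"].items() if kind == "binary")


def days_since_commit(p, today=date(2016, 12, 7)):
    """Quality: liveliness measured as days since the last commit."""
    return (today - p["last_commit"]).days


METRICS = [
    Metric("legal", "outbound license consistency", incompatible_licenses, lambda v: not v),
    Metric("security", "CVE free", vulnerable_dependencies, lambda v: not v),
    Metric("quality", "no unreviewed binaries", binaries_for_review, lambda v: not v),
    Metric("quality", "test coverage >= 70%", lambda p: p["coverage_percent"], lambda v: v >= 70),
    Metric("quality", "commit within 90 days", days_since_commit, lambda v: v <= 90),
]


def run_measurements(project, metrics=METRICS):
    """Run every measurement; return {area: {metric name: (value, passed)}}."""
    report = {}
    for m in metrics:
        value = m.measure(project)
        report.setdefault(m.area, {})[m.name] = (value, m.kpi(value))
    return report


def green_light(report):
    """Project-level badge: green only when every KPI in every area passes."""
    return all(ok for area in report.values() for _, ok in area.values())


if __name__ == "__main__":
    rep = run_measurements(PROJECT)
    for area, results in rep.items():
        for name, (value, ok) in results.items():
            print(f"[{area:8}] {'PASS' if ok else 'FAIL'}  {name}: {value}")
    print("green light:", green_light(rep))
```

Splitting measurement from KPI rule is the point: the same raw value (a list of flagged dependencies, a coverage percentage, an age in days) can be published as a stat or trend, while the threshold that decides the badge colour stays a separately reviewable policy.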

... and automation

• Build: Cloudbees, Travis CI, myget
• ALM: Atlassian Cloud, Gitlab, Cloudbees
• Source repository: Gitlab, Github, Bitbucket
• Scanning: Sonarqube, Nodesecurity, Versioneye, Bithound, Code climate

Advanced challenges

• Limits on hosted projects and/or collaborators
• API rate limits
• Custom metrics and measurements
• Hosted and SaaS hybrid build systems
• Secrets management
• Multi-platform and multi-ecosystem

Filling the gap between Compliance and Consumption

Consumers
● Badges, stats and docs
● High quality, secure, compliant software
● Access to the community

Contributors
● Best of breed infrastructure
● Metrics, KPIs and automation
● Exposure through the community

Questions?

Maurizio Pillitu, DevOps Director, Symphony Software Foundation
@maoo, [email protected]

● https://blog.symphony.foundation
● https://symphonyoss.atlassian.net/wiki

symphonyoss on