FUT1226BU #VMworld #FUT1226BU VMware and Open Source: Compliance, Quality, and Viability VMworld 2017 Content: Not for publication or distribution

Posted on 26-Jun-2020

TRANSCRIPT

Page 1:

FUT1226BU

#VMworld #FUT1226BU

VMware and Open Source: Compliance, Quality, and Viability

VMworld 2017 Content: Not for publication or distribution

Page 2:

Disclaimer

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

CONFIDENTIAL 2


Page 3:

Meng Chow, Norman Scroggins

Open Source Program Office, Office of the CTO

FUT1226BU

#VMworld #FUT1226BU

VMware and Open Source: Compliance, Quality, and Viability


Page 4:

Agenda

1. Introduction

• Industry Trend

• Business Case: Balance CAPEX and OPEX

2. Open Source at VMware

• Proactive approach

• Viability framework

3. Manage Open Source Usage: Tools

• License compliance

• Security compliance

4. Summary

• Open Source and Production


Page 5:

Open Source: the Foundation of Modern Applications

Source: Black Duck Software, 2016 Future of Open Source Survey

1998: 10% open source

2005: 20% open source

2010: 50% open source

Today: up to 90% open source


Page 6:

Business Case: Balance CAPEX and OPEX

• Potentially reduces license costs

• Production considerations

– License compliance

– Security mitigation

– Release cadence

• Software version for next release

• Integrate security fixes and updates into development

• Regular sync with upstream code

• Clear documentation


Page 7:

Learn and Understand

• Freedom to access tools of technology

• No one holds exclusive rights

• Shared development by community of users


Page 8:

“With freedom comes responsibility.”

– Eleanor Roosevelt

• Freedom to access tools of technology

• Product innovation

• Accelerate product TTM

• Responsibility / Strategic plan

• Support and maintenance

• Risk mitigation


Page 9:

Open Source Support Quality

Active, Vibrant Open Source projects

• Ongoing community review

• Accelerate defect discovery

• Find and fix issues before you know them


Page 10:

Open Source Viability

• Solve problem at right scale? Project actively maintained?

• Extend existing component? Support implications?

• License terms? Sub-component licenses?

• Open vulnerabilities? Unfixed issues?

• New OSS versions? Security updates?

• Participate & contribute? Build goodwill?


Page 11:

Open Source Compliance via Cross Functional Effort

Open Source Compliance, involving:

• CTO Office

• Product Security

• IT

• Tools Engineering & Services

• Technical Education

• Product Teams

• Legal


Page 12:

Agenda

1. Introduction

• Industry Trend

• Business Case: Balance CAPEX and OPEX

2. Open Source at VMware

• Proactive approach

• Viability framework

3. Manage Open Source Usage: Tools

• License compliance

• Security compliance

4. Summary

• Open Source and Production

Norman Scroggins


Page 13:

Software Supply Chains and Planes?


Page 14:


VMware Manages Its Open Source Software with Automation


Page 15:

Automate License Rules


Page 16:

Integrate with Build, CI and Issue Tracking Tools


Page 17:

Advantages of Inventory Automation

• First build

• Enhanced automated BOMs with your experts!

• Persist modifications


Page 18:

Mitigating Risk in Our Open Source Supply Chain

Security + Viability = Quality Software


Page 19:

Educate Developers on OSS Processes and Tools


Page 20:

VMware’s Tooling Strategy

Early and accurate inventory

• Automate creation of OSS inventory

• Automate software compliance via a software “rules engine”

• Integrate with build & issue tracking tools

Map security vulnerabilities

• Continuously monitor security threats

• Leverage public remediation DBs

• Evaluate risk level & attack zones with CVSS

Track license and quality risks per release

• License, license version

• Track all security issues

• Track project viability

Educate developers

• Periodic on-site/remote courses

• Incentivize with corporate course credit

• Office hours
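The slide above describes a pipeline rather than a product: build an inventory of the open-source components automatically, run it through a license rules engine, map public advisories onto it, rate them with CVSS, and track the result per release. The script below is an added example written for this page; it is not VMware's tooling and reflects no VMware policy. The dependency manifest, the license rules (e.g. treating GPL-3.0-only as "review" when distributed), and the advisory feed are constructed for illustration, and the ADV-* identifiers are hypothetical, not real CVEs. The only external fact it encodes is the CVSS v3.x qualitative rating scale (Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0). The release gate fails on a denied or unreviewed license or on any open advisory at or above a CVSS threshold, which is the kind of check one would wire into the build and issue-tracking integration the slide mentions.

```python
"""Added example (not VMware's tooling): an OSS inventory scan with a license
rules engine, advisory matching and a CVSS-based release gate. All manifest,
rule and advisory data below is constructed; ADV-* IDs are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed dependency manifest, in the shape a build tool might emit.
MANIFEST = [
    {"name": "libalpha", "version": "1.4.2", "license": "Apache-2.0"},
    {"name": "libbeta", "version": "0.9.1", "license": "GPL-3.0-only"},
    {"name": "libgamma", "version": "2.0.0", "license": "MIT"},
    {"name": "libdelta", "version": "3.1.0", "license": "UNKNOWN"},
]

# Constructed rules engine: the action depends on the license and on whether
# the component ships to customers ("distributed") or stays "internal".
LICENSE_RULES = {
    "Apache-2.0": {"distributed": "allow", "internal": "allow"},
    "MIT": {"distributed": "allow", "internal": "allow"},
    "GPL-3.0-only": {"distributed": "review", "internal": "allow"},
    "AGPL-3.0-only": {"distributed": "deny", "internal": "review"},
}
DEFAULT_ACTION = "review"  # unknown or unlisted license: a human must look

# Constructed advisory feed (hypothetical IDs): a component is affected when
# its version is older than the first fixed version.
ADVISORIES = [
    {"id": "ADV-0001", "package": "libalpha", "fixed_in": "1.5.0", "cvss": 9.8},
    {"id": "ADV-0002", "package": "libbeta", "fixed_in": "0.9.1", "cvss": 5.3},
    {"id": "ADV-0003", "package": "libgamma", "fixed_in": "2.0.1", "cvss": 3.1},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "1.10.0" into (1, 10, 0) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative rating scale."""
    for upper, label in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= upper:
            return label
    return "Critical"


def license_action(license_id: str, distribution: str) -> str:
    """Look the license up in the rules engine; anything unlisted needs review."""
    return LICENSE_RULES.get(license_id, {}).get(distribution, DEFAULT_ACTION)


def matching_advisories(name: str, version: str) -> List[Dict]:
    """Advisories for this package whose fix is newer than the version we ship."""
    installed = parse_version(version)
    return [a for a in ADVISORIES
            if a["package"] == name and installed < parse_version(a["fixed_in"])]


@dataclass
class InventoryEntry:
    name: str
    version: str
    license: str
    license_action: str
    advisories: List[Dict] = field(default_factory=list)

    @property
    def max_cvss(self) -> float:
        return max((a["cvss"] for a in self.advisories), default=0.0)


def build_inventory(manifest: List[Dict], distribution: str = "distributed") -> List[InventoryEntry]:
    """The automated BOM: one entry per component with license verdict and open advisories."""
    return [InventoryEntry(d["name"], d["version"], d["license"],
                           license_action(d["license"], distribution),
                           matching_advisories(d["name"], d["version"]))
            for d in manifest]


def release_gate(inventory: List[InventoryEntry], max_cvss: float = 7.0) -> Tuple[bool, List[str]]:
    """Fail on a denied or unreviewed license, or on any open advisory at or
    above the CVSS threshold (7.0 catches High and Critical)."""
    reasons = []
    for e in inventory:
        if e.license_action == "deny":
            reasons.append(f"{e.name}@{e.version}: license {e.license} is denied")
        elif e.license_action == "review":
            reasons.append(f"{e.name}@{e.version}: license {e.license} needs legal review")
        for a in e.advisories:
            if a["cvss"] >= max_cvss:
                reasons.append(f"{e.name}@{e.version}: {a['id']} {cvss_severity(a['cvss'])} "
                               f"({a['cvss']}), fixed in {a['fixed_in']}")
    return not reasons, reasons


if __name__ == "__main__":
    bom = build_inventory(MANIFEST)
    for entry in bom:
        print(f"{entry.name}@{entry.version} {entry.license} -> {entry.license_action}, "
              f"max CVSS {entry.max_cvss} ({cvss_severity(entry.max_cvss)})")
    passed, reasons = release_gate(bom)
    print("RELEASE GATE:", "PASS" if passed else "FAIL")
    for r in reasons:
        print(" -", r)
```

Run as a script it prints the BOM and a failing gate: libalpha carries a Critical advisory, while libbeta and libdelta need license review before the release can ship. Two design points worth noting: versions are compared as integer tuples rather than strings (so 1.10.0 is correctly newer than 1.9.9), and an unknown license defaults to "review" rather than "allow", so a component with missing metadata cannot slip through silently.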


Page 21:

Open Source Best Practices

• Infrastructure and tooling

– Automation: foster OSS management independence

– Metrics: data-driven decisions, behavioral accountability

– Education: continuous learning

• Compliance and Continuous Improvement

– Open Source Program Office: focal point

– Clear guidance, make compliance straightforward

– Drives consistency


Page 22:

Summary: Open Source and Production

• Open source value

– Innovation, competitive edge

– Accelerate product TTM

• Production considerations

– Risk mitigation (tooling strategy, best practices)

– Support and maintenance

• Well-supported open source software

– Can lower TCO

– Can improve business agility
