TRANSCRIPT
FUT1226BU
#VMworld #FUT1226BU
VMware and Open Source: Compliance, Quality, and Viability
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
CONFIDENTIAL 2
Meng Chow, Norman Scroggins
Open Source Program Office, Office of the CTO
Agenda
1. Introduction
• Industry Trend
• Business Case: Balance CAPEX and OPEX
2. Open Source at VMware
• Proactive approach
• Viability framework
3. Manage Open Source Usage: Tools
• License compliance
• Security compliance
4. Summary
• Open Source and Production
Open Source: the Foundation of Modern Applications
• 1998: 10% open source
• 2005: 20% open source
• 2010: 50% open source
• Today: up to 90% open source
Source: Black Duck Software, 2016 Future of Open Source Survey
Business Case: Balance CAPEX and OPEX
• Potentially reduces license costs
• Production considerations
– License compliance
– Security mitigation
– Release cadence
• Software version for next release
• Integrate security fixes, updates into development
• Regular sync with upstream code
• Clear documentation
Learn and Understand
• Freedom to access tools of technology
• No one holds exclusive rights
• Shared development by community of users
“With freedom comes responsibility.”
– Eleanor Roosevelt
• Freedom to access tools of technology
• Product innovation
• Accelerate product TTM
• Responsibility / Strategic plan
• Support and maintenance
• Risks mitigation
Open Source Support Quality
Active, Vibrant Open Source projects
• Ongoing community review
• Accelerate defect discovery
• Find and fix issues before you know them
Open Source Viability
• Solve problem at right scale?
• Project actively maintained?
• Extend existing component?
• Support implications?
• License terms?
• Sub components license?
• Open vulnerabilities?
• Unfixed issues?
• New OSS versions?
• Security updates?
• Participate & contribute?
• Build goodwill?
Open Source Compliance via Cross Functional Effort
Open Source Compliance involves:
• CTO Office
• Product Security
• IT
• Tools Engineering & Services
• Technical Education
• Product Teams
• Legal
Norman Scroggins
Software Supply Chains and Planes?
VMware Manages Its Open Source Software with Automation
Automate License Rules
Integrate with Build, CI and Issue Tracking Tools
Advantages of Inventory Automation
• First-Build
• Enhanced automated BOMs with your experts!
• Persist modifications
Security + Viability = Quality Software
Mitigating Risk in Our Open Source Supply Chain
Educate Developers on OSS Processes and Tools
VMware’s Tooling Strategy
Early and accurate inventory
• Automate creation of OSS inventory
• Automate sw compliance via sw “rules engine”
• Integrate w/ build & issue tracking tools
Map security vulnerabilities
• Continuously monitor security threats
• Leverage public remediation DBs
• Evaluate risk level & attack zones w/ CVSS
Track license and quality risks per release
• License, license version
• Track all security issues
• Track project viability
Educate developers
• Periodic on-site/remote courses
• Incentivize with corporate course credit
• Office hours
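The tooling strategy slide describes three automated steps: build an OSS inventory, run it through a license “rules engine”, and map each component against a remediation database with CVSS used to rank risk. The Python sketch below is an added example of that pattern and is not VMware's tooling or code from the deck. The inventory, the license policy table and the vulnerability database are constructed sample data; the `VULN-EXAMPLE-*` identifiers are placeholders, not real advisories, and the `evaluate` / `block_at` names are this example's own.

```python
"""Toy OSS inventory check: license rules engine plus vulnerability mapping.

Added example (not VMware's tooling). All data below is constructed.
"""

# --- constructed inventory: what an automated BOM from the build would list ---
INVENTORY = [
    {"name": "libfoo", "version": "1.2.0", "license": "Apache-2.0"},
    {"name": "libbar", "version": "0.9.3", "license": "GPL-3.0-only"},
    {"name": "libbaz", "version": "2.4.1", "license": "MIT"},
    {"name": "libqux", "version": "3.0.0", "license": "UNKNOWN"},
]

# --- constructed license policy (the "rules engine") ---
# Verdicts: "allow" (no action), "review" (legal/OSPO sign-off), "deny" (block release)
LICENSE_RULES = {
    "Apache-2.0": "allow",
    "MIT": "allow",
    "BSD-3-Clause": "allow",
    "LGPL-2.1-or-later": "review",
    "GPL-3.0-only": "deny",
}
DEFAULT_VERDICT = "review"  # unrecognised licenses (e.g. UNKNOWN) go to a human

# --- constructed remediation DB: affected range is [introduced, fixed) ---
# Identifiers are placeholders, not real CVE numbers.
VULN_DB = [
    {"id": "VULN-EXAMPLE-0001", "name": "libbar", "introduced": "0.9.0", "fixed": "0.9.5", "cvss": 9.8},
    {"id": "VULN-EXAMPLE-0002", "name": "libfoo", "introduced": "1.0.0", "fixed": "1.2.0", "cvss": 7.5},
    {"id": "VULN-EXAMPLE-0003", "name": "libbaz", "introduced": "2.0.0", "fixed": "2.5.0", "cvss": 4.3},
]

SEVERITY_ORDER = ["None", "Low", "Medium", "High", "Critical"]


def parse_version(v):
    """Turn a dotted numeric version into a comparable tuple, e.g. '1.2.0' -> (1, 2, 0)."""
    return tuple(int(p) for p in v.split("."))


def cvss_severity(score):
    """CVSS v3 qualitative severity bands."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def license_verdict(component, rules=LICENSE_RULES):
    """Apply the license policy; unknown licenses fall back to DEFAULT_VERDICT."""
    return rules.get(component["license"], DEFAULT_VERDICT)


def matching_vulns(component, db=VULN_DB):
    """Entries whose affected range contains the component's version.

    The range is half-open, so a component already at the fixed version
    (libfoo 1.2.0 against a fix in 1.2.0) is correctly reported as clean.
    """
    v = parse_version(component["version"])
    return [e for e in db
            if e["name"] == component["name"]
            and parse_version(e["introduced"]) <= v < parse_version(e["fixed"])]


def evaluate(inventory=INVENTORY, db=VULN_DB, block_at="High"):
    """Return (findings, blocked): one finding per component, and whether the
    release should be held because of a denied license or a vulnerability at
    or above the block_at severity."""
    findings, blocked = [], False
    for c in inventory:
        verdict = license_verdict(c)
        vulns = matching_vulns(c, db)
        worst = max((e["cvss"] for e in vulns), default=0.0)
        sev = cvss_severity(worst)
        findings.append({
            "name": c["name"], "version": c["version"], "license": c["license"],
            "license_verdict": verdict, "vulns": [e["id"] for e in vulns],
            "max_cvss": worst, "severity": sev,
        })
        if verdict == "deny" or SEVERITY_ORDER.index(sev) >= SEVERITY_ORDER.index(block_at):
            blocked = True
    return findings, blocked


if __name__ == "__main__":
    results, hold = evaluate()
    for f in results:
        print(f"{f['name']:8} {f['version']:7} license={f['license_verdict']:7} "
              f"severity={f['severity']:9} vulns={f['vulns']}")
    print("RELEASE BLOCKED" if hold else "release ok")
```

In a real pipeline the inventory would come from the build's dependency resolution rather than a literal, the policy table from the program office, and the database from public advisory feeds; the shape of the check (allow/review/deny per license, half-open affected ranges, a CVSS threshold that gates the release) stays the same.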
Open Source Best Practices
• Infrastructure and tooling
– Automation: foster OSS management independence
– Metrics: data-driven decisions, behavioral accountability
– Education: continuous learning
• Compliance and Continuous Improvement
– Open Source Program Office: focal point
– Clear guidance, make compliance straightforward
– Drives consistency
Summary: Open Source and Production
• Open source value
– Innovation, competitive edge
– Accelerate product TTM
• Production considerations
– Risks mitigation (tooling strategy, best practices)
– Support and maintenance
• Well-supported open source software
– Can lower TCO
– Can improve business agility