What is an OSPO?
In the modern world, tech companies are becoming more reliant on open source software (OSS) when building their solutions. The open source libraries from which developers take OSS components are governed by licences. Complying with the licence is the responsibility of the organisation using the library, and failure to do this can lead to legal repercussions and affect the project’s potential value. Any legal challenge relating to non-compliance can create bad press coverage and all the associated negative consequences. Additionally, using components which are outdated or of unknown origin carries obvious security risks.
This is where an OSPO (Open Source Program Office) comes in: it helps the organisation maximise the benefits of using open source while minimising the risk, which in turn both protects and educates your employees.
The benefits of an OSPO
An OSPO can either be in-house or outsourced to a third-party provider. The OSPO creates a company-wide policy which regulates the use of open source within the organisation. By educating staff about their responsibilities in connection with open source licensing compliance, the OSPO enables them to work more efficiently, thus reducing delivery time. And by aligning the efforts of all the teams involved in building a product, it helps the organisation to use open source more effectively.
Who can be part of an OSPO?
While the exact requirements of an OSPO depend on the individual organisation, the following people may be involved:
- Principal / Chief – The face of the OSPO.
- Program Manager – Sets the objective for the target solution.
- Legal support – Either external or in-house.
- Developers – The engineering team should be thoroughly trained in open source licensing compliance and must obtain permission from the OSPO before using any open source component.
- Stakeholders – The VP of Engineering, CTO/CIO, or Chief Compliance/Risk Officer all significantly impact OSPO strategies.
- IT Team, including DevOps and Security – IT is key in helping to connect workflows and ensure policies are implemented in a developer-friendly manner.
Contributing code
As well as being standard practice, it is also beneficial for developers to contribute to open source projects. Many open source projects require developers to sign a Contributor License Agreement (CLA), which typically assigns ownership of any IP created by the employees to their employer. Using open source components in adherence with their respective licences secures your company’s standing within the open source community and also helps elevate your brand’s reputation. Additionally, an OSPO can manage the company’s growth in the market by actively engaging in events, webinars and interactive campaigns.
The core functions of an OSPO
- Mitigates intellectual property risks to the organisation
- Educates developers to become better decision-makers
- Monitors the usage of open source software inside and outside the organisation
- Conducts OSS compliance meetings after every software release
- Defines company-wide policies for working with OSS
- Encourages members to contribute to OSS
- Produces an SBOM (software bill of materials) with recommendations to the product team
- Ensures all licensing obligations are fulfilled
Who is using an OSPO?
Many of the world’s leading tech companies, such as Microsoft, Google, Netflix, and GitHub, have well-established OSPOs within their organisations. Outside the tech field, world leaders such as Bloomberg, Comcast and Salesforce also have OSPOs.
Define policies which help manage OSS risk
Having a clearly defined Open Source Software Policy is fundamental to the success of a professionally managed open source software program.
Find out how Traced can help you with Open Source Software Policy Design.