Securing the Software Supply Chain: The Role of Open Source Program Offices




In today's interconnected world, open source software has transformed the software development landscape. With individuals and organizations from across the globe collaborating on projects, there’s a need to ensure the security and quality levels of the software being consumed. That’s where the Open Source Program Office (OSPO) comes into play. Intel's Jessica Marz, in a lightning talk at the recent Open Source Summit North America, explores the vital role of OSPOs in securing the software supply chain and how they address the challenges associated with open source software.

The Complexity of the Open Source Software Supply Chain 

The open source software supply chain is unique. With its distributed nature, decentralized collaboration, and anonymity of contributors, assessing the risk and understanding the security and quality levels of the software can be complex for organizations. However, there’s a solution – enter the Open Source Program Office (OSPO). 

The Role of Open Source Program Offices 

An OSPO serves as a centralized unit within an organization, responsible for managing policies related to the consumption and production of open source software. The four main tasks of an OSPO include policy development, facilitating upstream contributions, advocating for open source software usage, and managing legal risk. 

Policy Development 

Policy development is the core responsibility of an OSPO. By establishing rules around software usage and setting requirements for open source projects, the OSPO can ensure security considerations are embedded in policies. For example, the OSPO can place requirements and policies around what sort of OpenSSF score a project has, or what a good dependency is. The OSPO can also establish policies regarding the production of open source software, making sure what the company develops meets those standards.

Vulnerability Management 

An OSPO's vulnerability management function involves keeping track of software usage and performing risk assessments on the identified projects. By identifying key projects within the organization, the OSPO can prioritize securing them through tracking Common Vulnerabilities and Exposures (CVEs) and establishing upgrade schedules. 


Education and Communication 

OSPOs often act as education providers, spreading knowledge about licenses. With security-related matters, OSPOs can educate the organization on secure coding practices, dependency management, and choosing reliable dependencies. Most OSPOs already have very robust networks in the engineering, legal and security communities inside their organizations. By leveraging those existing internal networks, OSPOs can disseminate this information effectively.

Collaboration with the Community and Industry 

Working with the open source community is integral to an OSPO's function. By contributing to key open source projects, monitoring CVEs, and facilitating the resolution of vulnerabilities, OSPOs actively contribute to the security of popular projects. OSPOs should play a role in getting CVEs fixed, not just by reaching out to maintainers and saying, “Hey, please hurry up!”, which happened with Log4j. OSPOs should actually be providing resources, whether that's coding, expertise or dollar rewards, as incentives for fixing CVEs in a timely fashion.

Additionally, collaborations with industry working groups foster cooperative efforts to address security concerns holistically. 

Open Source Program Offices play a critical role in securing the software supply chain in an era of decentralized collaboration and open source software adoption. By managing policies, facilitating contributions, conducting vulnerability management, educating stakeholders, and promoting cooperative efforts, OSPOs contribute to the overall security and quality of open source software. In a world where security is paramount, OSPOs serve as a lighthouse ensuring that organizations navigate the open source software supply chain with confidence.  

“Security is too big and too important for us to be working in a siloed fashion. We need to work together so that the whole is greater than the sum of its parts,” Marz concludes.  
Catch the whole lightning talk on YouTube

About the presenter

Jessica Marz, Director of Open Source Program Office, is an expert at explaining legal concepts to software developers and software development concepts to lawyers. She’s responsible for defining and managing Intel’s open source approval policies and practices. Outside the office, she’s an avid arts-and-crafter known for her creative reuse of materials.