Establish Mechanisms to Monitor Your Governance Program: Open Source Development Tip #10

December 14, 2011 By Terry Bernstein


We’ve been publishing a series of tips on managing your use of open source to maximize its benefits and minimize its risks. You can find earlier posts in the series here and a summary of the entire set of tips here. In today’s post, we complete the series with a tip on establishing mechanisms to monitor the effectiveness of your open source governance program.

10. Establish mechanisms to monitor the effectiveness of your open source governance program

Your OSS governance program is in place. You’ve educated everyone on the policy, standardized components, built open source management into your development process, and are continuously monitoring production applications. You’re done, right? Almost, but not quite. You’ll want to set up checkpoints to monitor the program’s effectiveness and learn what’s working and what’s not.

A good place to start is by monitoring open source downloads from outside sources. Just because a component was downloaded doesn’t necessarily mean it’s being used in an application, but if you see problematic components coming in, it’s probably worth investigating. If you’re using an enterprise repository manager (and we suggest you do), you’ll want to know if it’s being used or being circumvented.
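One concrete way to implement the check above is to scan egress proxy logs for fetches from public package registries that did not originate from the enterprise repository manager. The script below is an added example, not part of the original post and not Sonatype's Insight; it assumes a simplified proxy log format (`timestamp client method url status`), a hypothetical repository manager at 10.0.0.5, and a hand-picked list of public registries, all constructed for illustration.

```python
"""
Flag open source component downloads that bypass the enterprise repository
manager, by scanning egress proxy log lines.

Assumptions (constructed for this example):
  * log lines look like "<timestamp> <client_ip> <method> <url> <status>"
  * the repository manager is the only host that should reach public registries
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Public registries that developers might pull from directly (assumed list).
PUBLIC_REGISTRIES = {
    "repo1.maven.org", "repo.maven.apache.org",
    "registry.npmjs.org", "pypi.org", "files.pythonhosted.org",
    "rubygems.org",
}

# Hosts permitted to talk to public registries: the repository manager (assumed IP).
REPO_MANAGER_HOSTS = {"10.0.0.5"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlparse(rec["url"]).hostname or ""
    return rec


def is_bypass(rec):
    """True when a host other than the repository manager successfully fetched
    something from a public registry, i.e. the repository manager was circumvented."""
    return (
        rec["host"] in PUBLIC_REGISTRIES
        and rec["client"] not in REPO_MANAGER_HOSTS
        and rec["method"] == "GET"
        and rec["status"].startswith("2")
    )


def find_bypasses(lines):
    """Return the parsed records for every bypass found in the given log lines."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_bypass(rec):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count bypasses per client IP so the noisiest teams can be followed up."""
    return Counter(h["client"] for h in hits)


# Constructed sample log: one legitimate fetch via the repository manager, two
# direct fetches from a developer workstation, one unrelated site, one blocked
# fetch, and one malformed line.
SAMPLE_LOG = [
    "2011-12-14T10:01:02Z 10.0.0.5 GET https://repo1.maven.org/maven2/org/example/lib/1.0/lib-1.0.jar 200",
    "2011-12-14T10:03:15Z 10.1.4.22 GET https://repo1.maven.org/maven2/org/example/other/2.1/other-2.1.jar 200",
    "2011-12-14T10:04:40Z 10.1.4.22 GET https://registry.npmjs.org/somepkg/-/somepkg-0.1.0.tgz 200",
    "2011-12-14T10:05:01Z 10.1.7.9 GET https://www.example.com/index.html 200",
    "2011-12-14T10:06:30Z 10.1.9.3 GET https://pypi.org/simple/somepkg/ 403",
    "this line is not a proxy record",
]

if __name__ == "__main__":
    bypasses = find_bypasses(SAMPLE_LOG)
    for rec in bypasses:
        print(f"{rec['ts']} {rec['client']} fetched {rec['url']} directly")
    for client, count in summarize(bypasses).most_common():
        print(f"{client}: {count} direct download(s)")
```

Only successful GETs are counted, so a registry that the proxy already blocks (the 403 above) does not show up as a bypass; a real deployment would read the proxy's actual log format and maintain the registry list centrally.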

You may also want to audit your key applications. It would be surprising to find problematic components, especially if the apps were developed after your policy was in place. But if you did, it would be an indication that something went wrong. Maybe a development group was unaware of the new policy, or perhaps they don’t yet have the tools needed to follow it effectively.

A final place to monitor is code delivered by outside contractors, consultants, or ISVs. You’ll want to be sure that they are following your governance policies and haven’t inadvertently included components with security or license issues.

Now that you know what you want to monitor, the next question is how? That’s why we created Insight. Insight reports all of your organization’s open source downloads. You’ll also have tools for analyzing and reporting details of all the components used in your Java projects, whether they were developed internally or delivered by a third party.

You can learn more about Insight here.

Tags: Sonatype Says, osstop10, AppSec Spotlight

Written by Terry Bernstein

Terry is the former Director of Product Marketing at Sonatype. He is now the Director of Product Management at Verisign.