Chapter 2: The Value of Open Source Program Offices

• Introduction
• How Could Your OSPO Add Value?
• Applying This to Your Organization
• Examples of the OSPO’s value
• Possible Problems and how to Overcome Them
• Resources and Footnotes

Introduction

Your organization probably already has a relationship with open source, even if it’s not aware of it. Almost all software produced today includes open source components, or is developed or hosted using open source tools. Even organizations that don’t make software usually use software that contains open source components.

For many organizations, it’s worth considering how actively managing their relationship with open source can bring benefits and reduce risks. As mentioned in the previous chapter, this involves understanding the current use of open source and then assessing how this could be managed better to support organizational goals.

This chapter will help you to understand the possible areas where managing open source through an OSPO can bring value to your organization. This will be different for every organization, so knowing your organization’s strategy and goals is important.

The work of an OSPO is to understand where open source can bring value to its organization, and to actively manage or oversee all related activities.

Every organization will have its own reasons for wanting to start an OSPO, some common reasons given in the business value of the OSPO report ¹ are as follows:

• Building standardized processes around open source
• Learning how to approach the open source community
• Embracing the sustainability of open source projects
• Managing compliance
• Expanding access to open knowledge
• Improving development velocity
• Mitigating security risks

How Could Your OSPO Add Value?

If You Make Software

This is a common and relatively comprehensive use case for an OSPO. Other organizations may only need to consider a subset of these issues.

Sometimes, organizational stakeholders assume that their product isn’t using any open source components because their end product isn’t open source. However, when you look at the entire software supply chain you can see that nearly all software contains open source dependencies or artifacts. If the contributors working on those open source projects decided to leave, the project could become obsolete or a target for security vulnerabilities. This affects any software the organization uses or sells, and could directly impact its reputation, performance, or revenue.

An OSPO can help by understanding and actively managing use of open source components in your software.

How the OSPO Helps

• Managing Vulnerabilities: Open source projects can be a source of security vulnerabilities in a product that depends upon them. It can be hard to keep track of how open source projects are being used by your organization and to perform risk assessments on the identified projects. When you identify key projects within the organization, you can prioritize securing them by tracking common vulnerabilities and exposures. Often, the Enterprise Architecture team are the ones tracking the open source components of applications and technologies, and OSPOs are there to give subject matter expertise.

• Understanding Risks in the Supply Chain: The open source landscape is large and decentralized, and it can be hard to identify who the contributors to individual projects are and to perform risk assessments on the identified projects. These factors can make it challenging for organizations to accurately assess risks and to comprehend the security and quality standards of the software, hardware, data, etc.

• Building Healthy Relationships with Key Open Source Projects: Commercial organizations that are using open source are often keen to contribute back to the projects they use. However, the pressure to ship features in their own products means that open source contributions may take a back seat when things get busy. Even when it’s known that contributing features and bugfixes to upstream is less effort in the long term than to maintain a fork of the project, organisations often optimize for short term benefits and don’t spend the extra effort to upstream the changes.

• Supporting and Influencing Key Open Source Projects: Your organization could be in a good position to provide resources to open source projects. That could be through coding, expertise, or money donations as incentives for fixing common vulnerabilities. It could also be productive to collaborate with industry working groups to address security concerns holistically. Making a plan that aligns with your organizational strategy and provides value to the open source projects is a good way to be a helpful community member.

• Bridging the Gap Between Regulated Processes and Open Source Processes: Open source is a dynamic ecosystem whose contributions should occur as smoothly and naturally as possible. The long procurement processes faced in highly regulated environments, such as finance companies and governments, create a barrier to open source contribution and engagement.

• Improving Open Source Literacy to Ensure a High-Benefit, Low-Risk Approach: The concept of open source may not be taken seriously in other areas of the organization involved in decision-making processes, management, or policy making. This will require constant education and demonstration of the risks and value of open source in the organization.

To get the most benefit from open source, and to reduce the risks, organizations must invest in properly managing open source operations on both cultural and practical levels. This is often accomplished through the OSPO, as it fosters committed, cross-functional collaboration within the organization to address open source issues encountered by various teams or departments. The OSPO operates as a center of excellence.

If You Deliver Public Services

How the OSPO Helps

We see that more public sector organizations are realising the value of an Open Source Program Office to achieve their digital policy goals to better serve their citizens, and to transform their organizations toward achieving these goals.

Public sector organizations face unique challenges when it comes to managing their open source operations, including the need to comply with strict laws and regulations, and the requirement to provide transparent and accountable operations. An OSPO can help governments and public sector organizations to overcome these challenges.

• Improving Compliance: An OSPO helps to ensure that their open source operations are compliant with relevant laws and regulations, including data privacy laws, procurement regulations, and transparency requirements. This helps organizations to avoid costly legal and regulatory challenges and to maintain their reputation as responsible public sector organizations.

• Increasing Collaboration: An OSPO helps to foster collaboration between different departments and with external stakeholders, including other public sector organizations, open source communities, and civil society organizations. This increased collaboration helps organizations to access a wider pool of talent and resources, and to develop better open source solutions.

• Improving Resource Allocation: An OSPO helps to allocate resources more effectively, ensuring that open source operations are well-supported and that key initiatives are given the resources they need to succeed. This helps organizations to maximize the benefits of open source technology and drive innovation and growth.

• Improving Service Delivery: An OSPO helps to improve the delivery of public services, by enabling them to adopt innovative and cost-effective technologies, and to collaborate with external stakeholders to develop better solutions. This helps organizations to provide better services to citizens and to meet the changing needs of their communities.

The European Commission’s Open Source Program Office (OSPO) has launched a new portal that serves as a wiki or knowledge archive, providing up-to-date information on advancements in OSPO-related topics for public administrators. This portal offers a variety of resources, including useful studies, presentations, use cases, guides, and more, to readers interested in learning more about OSPO-related topics. See the Resources section at the end of the chapter for a URL.

As a Cultural Influence

In a world governed by software, Open Source Program Offices (OSPOs) serve as powerful cultural catalysts within organizations. Beyond simply managing technical integration of open source solutions, OSPOs fundamentally transform organizational culture by fostering open collaboration, transparency, and innovation.

As organizations increasingly rely on open source for mission-critical problems — whether social, economic, or technological — the OSPO’s cultural influence becomes essential in reshaping mindsets and workflows. This cultural shift enables organizations to move beyond viewing open source as merely a resource to extract value from, toward becoming active, contributing members of the broader open source ecosystem. By embedding open source values and practices throughout an organization, OSPOs cultivate internal champions, establish collaborative norms, and nurture a culture where knowledge sharing thrives.

This cultural transformation not only supports risk management and innovation but ensures the sustainability of the open source communities they depend on. Without an OSPO’s ongoing cultural influence, organizations risk losing open source expertise, increasing security and legal vulnerabilities, reducing community engagement, and damaging their reputation.

Open Source is a silent critical need, and an OSPO’s cultural impact is vital to evolve organizational culture and knowledge, helping to build more secure and sustainable OSS.

How the OSPO Helps

• Acts as a Counselor: Sometimes a strategic approach just means stepping back and taking the time to think through some of the hard questions about what type of engagement model is right for any particular project or how involved the organization should be in each project. There is also the question of when it makes sense to contribute to an existing project versus creating a new project. An OSPO that is having these strategy-level conversations will be able to provide guidelines to workers at the different teams so that workers don’t have to consider the business implications of different open source engagement models every time they try to solve a problem.

• Acts as a Facilitator: The OSPO also plays a sort of translation role between the organization’s teams and decision makers’ interests regarding open source and the needs from the open source community. They also help organizations navigate the cultural, process, and tool changes required to engage with the open source community effectively and in a healthy way.

• Acts as an Advocate: OSPOs can promote the use of open source and its best practices across different organizational units. This can help organizations realize the benefits of open source as well as engage people to contribute to open source projects or start new ones.

• Acts as an Environmentalist: OSPOs can help organizations support and sustain open source projects in the long term by addressing issues such as security, maintenance, and project health. This can help ensure that open source projects remain healthy in the long term and continue to benefit the wider community.

• Acts as a Gatekeeper: OSPOs can help enforce open source policies and strengthen open source governance. This can help organizations to ensure compliance and mitigate open source security risks.

As an Intermediate Step to a Decentralized Open Source Management Model

OSPOs help manage open source as an ongoing activity and work to integrate it well into all an organization’s units. Some organizations are going a step further to take ownership of the full management of open source within their regular structures and functions. There is an open question related to whether the OSPO would become an intermediate step to achieve this.

The answer depends on how you view the OSPO. Beyond the multiple different structures an OSPO can have, it’s fundamentally about its people. An OSPO is a group of open source subject matter experts providing support, knowledge, and management related to all open source activities. These people must be not only retained but also reinforced and effectively financed for the future, as more open source integration is inevitable.

In an ideal scenario, open source knowledge, technical expertise, and culture should be integrated as any other employee skill. However, the reality is that this is a long way from happening. Currently, it’s challenging to find open source experts who can effectively bridge the gap between open source communities and specific work units (for example: security, legal and business), let alone enough people to place in every part of the business.

However, what might change in the coming years is the centralized view of the OSPO. This traditional perception may diminish, leading to more decentralized structures across teams and business units.

[Source: OSPOs, key lever for open source sustainability]1

Applying This to Your Organization

Assess the Value of Open Source Use

Organizations may underestimate how much they already depend on the usage of open source. Several studies analyze the usage of OSS in the industry. For example, the Synopsys Open Source Security and Risk Analysis Report 2024 ² finds that the average software project consists of 77% OSS. Additionally, a Harvard Business School study ³ estimates that the supply-side value of widely-used OSS is $4.15 billion, while the demand-side value is much larger at $8.8 trillion. Moreover, a study by OpenForum Europe ⁴ estimates that OSS contributes between €65 to €95 billion to the European Union’s GDP and promises significant growth opportunities for the region’s digital economy.

Assess this value for your own organization by taking steps such as:

• Collecting information about what OSS is used by your development and operations teams.
• Getting a clear view of what open source components are in the commercial software you buy or services you use. Ask vendors for what OSS they use, for example by requesting Software Bill of Materials (SBOMs).
• Assessing the cost savings of current open source use by evaluating what it would cost if you had to replace it with commercial alternatives.
• Evaluating how using existing open source components can increase the speed of innovation or engineering agility.

Consider what Value Your OSPO Might Bring in the Future

The value of an OSPO to your organization may increase over time as strategy and goals of your organization change. Your OSPO should regularly review its value to the organization, and plan to increase its maturity level if needed. More information about OSPO maturity is available in Chapter 3 where the topic of Maturity Models is introduced.

Communicate With Stakeholders

When communicating the value of your OSPO to your organization, the best route forward is to present the top 2-3 areas of value that are most clearly aligned to organizational strategy. There may be many other areas where the OSPO adds value but research shows that a long list of benefits can weaken the business case rather than strengthen it (you can search for the “Weak Argument Effect” online for more information). Work on a clear, compelling short value proposition that will cut through, and use it as an anchor for presenting the OSPO in all situations.

Don’t rely on general “good practice” arguments. Though these may be based in truth, they’re not usually very compelling and don’t help to build strong buy-in across the organization.

Don’t rely on the value of your OSPO meeting speculative future needs. It’s great to be prepared, but unless there is a clear initiative that’s about to start which your OPSO can help with, it’s better to focus on the value you can deliver here and now.

Examples of the OSPO’s value

To illustrate how your OSPO may deliver value to your organization, some example stories can be a great way to build buy-in. Here are two examples where an OSPO could be vitally important:

Managing a Vulnerability in the Software Supply Chain

For example: a social engineering attack targeted the xz/liblzma ⁵, an essential open source library. The attack was meticulously planned, gaining trust within the community before executing a malicious attack. This incident was discovered inadvertently by an unrelated project, underscoring the sophistication and stealthiness of such vulnerabilities. The challenge for OSPOs lies in identifying and mitigating these vulnerabilities, which are not always apparent until after they occur. Despite existing procedures and policies, OSPOs recognize the need for mechanisms to proactively measure and respond to such threats.

How the OSPO Helps

1. SBOMs Compliance Ready: Ensure that all software components are documented through automatically generated Software Bill of Materials (SBOMs). This documentation helps quickly to identify potentially compromised components once a vulnerability is disclosed.

2. Automated Security Checks: Implement automated security checks, such as the OpenSSF Scorecard ⁶, to continuously evaluate the security posture of projects. This proactive measure can highlight vulnerabilities or anomalies that merit further investigation.

3. Having a Computer Emergency Response Team (CERT) within the organization and having the OSPO collaborate closely with them. This specialized team should be equipped with the tools and authority to respond swiftly to security incidents. Pre-existing relationships within the team facilitate rapid internal communication about the severity of incidents.

4. Scorecard Management: Keep security and vulnerability scorecards up to date. These scorecards should reflect the latest security checks and assessments, helping in quick decision-making during a crisis.

5. Automated Feedback Loops: Develop well-automated feedback loops for bug reporting and fixing. Knowing who is responsible for addressing a particular bug and ensuring that this process is as automated as possible can significantly reduce response times.

Managing a Licence Change in the Software Supply Chain

OSPOs face the challenge of navigating license changes and assessing software trustworthiness. When projects like Redis change their terms ⁷ it can have significant implications for use, distribution, and contribution. OSPOs need to communicate these changes clearly and understand the roles and responsibilities dictated by new license terms. Furthermore, OSPOs are tasked with evaluating the trustworthiness of software, which can vary based on whether a project is maintained by a single vendor or hosted under a foundation. For instance, The AlmaLinux OS Foundation ⁸ presents a case where donating a project to a foundation mitigated risks associated with single-vendor governance, thereby enhancing trust in the project.

How the OSPO Helps

1. Educational Initiatives on License Implications: Develop educational materials and sessions for developers and users within the organization to understand the nuances of different licenses. This understanding will help them make informed decisions when using or contributing to open source projects.
2. Explicit License Terms: Work with legal teams to ensure that license terms are as explicit and unambiguous as possible. Clear terms help in avoiding misunderstandings and potential legal conflicts.
3. Software Trust Rating System: Implement a system to evaluate and rate the trustworthiness of software, considering factors like governance structure, maintenance practices, and community engagement. Projects hosted under reputable foundations could be rated higher for trustworthiness due to the oversight and governance provided.
4. Encourage Foundation Hosted Projects: Advocate for donating projects to foundations to mitigate risks associated with single-vendor control. Highlight successful cases like AlmaLinux to illustrate the benefits of this approach, such as increased trust and community support.
5. Stakeholder Engagement in License Decisions: Engage a broad range of stakeholders, including developers, legal advisors, and end users, in discussions about license changes or the adoption of new projects. Their insights can help in making balanced decisions that align with the organization’s values and risk tolerance

Possible Problems and How to Overcome Them

In this section, you will find a series of real-world scenarios that are encountered in open source management across organizations. For each scenario, you can find recommendations from real-world experiences from open source professionals.

Problem

There is a lack of understanding about open source practices across the organization.

Recommendation

It can be hard to demonstrate the value of the OSPO if there is a poor understanding of open source in the organization. Focusing on speaking about your key areas of value and using the power of stories will help you to build understanding quickly in the organization. Sharing real-world stories about how your organization is using open source, and sharing cautionary tales about times an OSPO saved an organization from a risk can help to educate people through easily repeated narratives.

As time goes by, you can start to promote better organizational-wide understanding of open source practices by offering educational workshops, creating accessible resources, and establishing open source champions in different departments to foster a culture of open source literacy.

Problem

The OSPO’s value is seen as a sales profit or marketing tool.

Recommendation

Because the OSPO has a role in supporting relationships with open source communities and partners, it can be natural for sales and marketing to see some value to them in this engagement.

As an OSPO you can only fulfill your responsibilities by building trust with third parties over time. Set boundaries with sales and marketing and say “no” to things that might reduce your reputation in the ecosystem. Work on building internal understanding of the OSPO as an integral part of the organization’s digital, software, or IT strategy, and highlight work that fosters open source best practices, contributes to technological innovation, and supports the overall organization’s goals.

Problem

The OSPO’s value is seen as secondary or discretionary, and not as critical for the organization’s core functions.

Recommendation

The cause of this problem is either that the OSPO isn’t aligned with the organization’s needs, or that the OSPO isn’t communicating its value well. Review the OSPO’s value, and plan your communications to highlight how the OSPO enhances key business processes, drives innovation, and directly supports strategic objectives, thereby integrating it as an essential component of the organization’s operational framework.

Problem

The OSPO struggles with gaining executive support and buy-in.

Recommendation

Executives require a particular type of communication. They need to have a clear picture of the role and value that each part of the orgnization brings. If the message is too detailed or vague, or if the subject is too specialist they can struggle to “get it”. As the OSPO, you need to communicate the strategic value of open source and of the work the OSPO does to manage it. Showcasing visible benefits through case studies, success stories, or numerical reports can help to cut through with a clear and simple presentation that demonstrates OSPO initiatives are delivering with key organizational priorities.

Resources and Footnotes

Resources

• Log4Shell real vulnerability example: https://en.wikipedia.org/wiki/Log4Shell
• Open source and the software supply chain - John Mark Walker: https://opensource.com/article/16/12/open-source-software-supply-chain
• Strategy: End Game for FINOS Maturity Model - Victor Lu: https://docs.google.com/presentation/d/1jJtR6-fvU-dCrGq_gTm4P1Awv90oCu4RClj1919970A/edit#slide=id.g1ed9ae7029f_0_29
• Securing the Software Supply Chain: The Role of OSPOs - Jessica Marz: https://www.intel.com/content/www/us/en/developer/articles/community/securing-software-supply-chain-the-role-of-ospo.html
• Simple Frequently Asked Questions OSPO Guide - OSPO SWG Japan: https://qiita.com/owada-k/items/017d1b98d0e437766bd0
• The Business Value of the OSPO Report - Linux Foundation: https://www.linuxfoundation.org/research/business-value-of-ospo
• EC Open Source Programme Office - European Commission Joinup: https://joinup.ec.europa.eu/collection/ec-ospo
• Public Services Should Sustain Critical Open Source Software - FOSSEPS: https://joinup.ec.europa.eu/collection/ec-ospo
• How Governments Want to Use OSPOs to Transform Themselves - Sivan Pätsch: https://joinup.ec.europa.eu/collection/open-source-observatory-osor/news/growing-case-ospos-government
• Open Source Security and Risk Analysis Report 2022 - Synopsys: https://www.synopsys.com/software-integrity/resources/analyst-reports/open-source-security-risk-analysis.html
• Open Technology - Scheerder, Jeroen & Koymans: https://www.researchgate.net/publication/254920512_Open_Technology#pf7
• The Pros and Cons of Open Source Software - Khalil Khalaf: https://medium.com/@kylekhalaf/the-pros-and-cons-of-open-source-software-d498304f2a95

Footnotes