Open source in the enterprise – GitHub Satellite 2019

Hello everybody! Hi, I am so excited to be here. I don't know about you all, but this is my first time in Berlin also, so I'm so grateful to be here talking with you all today and going a little bit deeper into what we've been working on. I don't know about you guys, but I was sitting up here in the front row watching that keynote, and I swear I wasn't crying, I wasn't tearing up. That was so inspiring. What I'm going to talk about today is using open source in your enterprise, and really using GitHub to run your open source program office. I'm going to start by telling you a story.

On a spring evening in 1964 in Alaska, people were getting home from work and families were just starting to settle in for the evening, maybe thinking about what they were going to cook for dinner. Precisely at 5:35 p.m. Alaska time, a megathrust earthquake struck off the coast of Alaska, a little south east of Anchorage. Now, that earthquake lasted about five minutes. That's a really long time for an earthquake to be shaking; I haven't even been up here talking for a minute, and that earthquake would still be going on. It registered a 9.2 on the Richter scale, and that makes it the most powerful earthquake ever recorded in United States history and the second most powerful ever recorded in the world. That earthquake spanned a radius of about 1.3 kilometers, and the effects were felt far beyond the borders of Alaska. In Seattle there were reports of the Space Needle swaying back and forth. That earthquake was so powerful that almost every single state that had a Richter scale in the United States registered it, all the way to New York City, and it kicked off a whole series of tsunamis that spread throughout the Pacific Ocean, all the way down the coast of British Columbia into Washington, Oregon and California. It affected Hawaii and even Japan, and it even raised sea levels in Australia. What happened in the subsequent weeks after that earthquake struck was that thousands of strong aftershocks kept on going and going. Some of these were recorded at 6.2 on the Richter scale, which in and of itself is a massive aftershock.

So do you think the citizens of Alaska at that time, when they were sitting down to dinner, do you think they knew that that earthquake was going to happen? I actually grew up in Alaska, and preparing for that inevitable earthquake is something that I'm super familiar with. In fact, my parents were in Alaska in 1964. They lived in Anchorage, and they both survived that earthquake. They loved telling me about all of the things that they lost in their house. They didn't lose anything that big: I think my father lost a jar of peanut butter and my mother lost a couple of paintings off the wall, but they still talk about that to this day. They call it the Great Alaska Big One.

The thing about earthquakes is you definitely cannot predict them, and you can't prevent them. So what we do is we prepare ourselves. We make a plan so we know what to do, whether we're at home or at school or at work, so we can get back together with our friends and family and make sure that they're okay also. And we do something called building an earthquake kit, and this earthquake kit has all of the emergency materials that we might need when the earthquake happens, so that we can take care and start to rebuild. And then we stay informed, so that we know what's happening all around us, what's going on with all of the aftershocks, etc. Now, today I live in San Francisco, so earthquakes are still a really big part of my life, and because I live in a high-risk area I really need to be able to stay abreast of earthquake news and information so that I can be better prepared for a possible earthquake that might impact my neighborhood.

There's another place I live that can sometimes be affected by unpredictable and unpreventable events, and I think all of us in this room share this: we also live online, writing and building software. Just like living in an area that's prone to unpredictable events like earthquakes requires some preparation, writing and using software can also be high-risk and prone to security events. So we need to be prepared; we need to make ourselves aware of where we're susceptible to security breaches. In the keynote this morning we just heard Nat and the team talk a lot about the interconnected community. When you're using open source in your enterprise, you may think you're using just one package or just one component, but that component actually depends on many other ones, and this can leave you feeling like it's really challenging to manage all of those integrations. However, these components are all powered by that interconnected community, and that's much larger and much broader than your team, and that brings a lot more to the table than just the code itself.

Looking at an example here, we're looking at lodash, which is one of the most popular JavaScript utility libraries. There are 280 contributors to lodash and almost three and a half million developers using it for their projects. Every single open source library has a similar breadth and reach. So when you look at modern art, sometimes people would look at this and think, yeah, I could do that. I could probably take some paint, put it on a canvas, and I think I could probably create something that's a lot like that. But actually, massive amounts of time and expertise and study and energy and collaboration go into creating a piece of artwork. So this family that's looking at this, they're not looking at just some paint on a canvas; they're looking at all the time that went into creating a masterpiece.

99% of software projects today have open source dependencies, and developers are handling more code integrations than they ever have before. By using open source libraries you're leveraging not just the code itself: you get more code coverage, more documentation, and ultimately you get more time for you and your teams to think about building products. As we use more open source, the complexity also shifts from thinking about the code to thinking about things like licenses and versions and vulnerabilities. It's not enough today to check all of that information on your dependencies at the time that you put them into your product or into your project. You've got to be constantly vigilant and stay on top of the ever-changing security landscape. Often the teams that are staying informed in your organization are the people in the open source program office. This is an entity in your company that sets up policies and processes, and really these are the people that work for you and your teams, that are driving culture change about open source engagement. You may already have people who are doing this, but you might not call it an OSPO. These are really people who are advocating for open source; sometimes it's the office of the CTO.

Whether you're just getting started with an open source program office or you've been doing this for a while, there's a lot of really great information available for getting started and managing open source programs in your organization. These are two of the resources that I really like to use: one is the TODO Group and the other is Open Source Guides. The TODO Group is an open group of companies who want to collaborate on practices and tools and other ways to run successful, effective open source projects and programs. Open Source Guides are a collection of resources for individuals, for communities and for companies who want to learn how to run and contribute to an open source project. So I definitely encourage you to check these out.

When we're thinking about an OSPO, there are some basics that I want you to remember and walk away with: what does an OSPO really need to be effective? This is really getting at the core of it, and that all starts with policies that minimize friction. What we're looking at for this is really the minimum possible policy that gets at your core risks and your core concerns, and you want these policies to be automatable. Oftentimes this is a small team in the OSPO who is working on this across your much larger organization, and so you want to empower them across the organization so that you can get as much data and information as you can. So you need things like license data, security vulnerabilities, test coverage, etc. And then the OSPO really needs tools to gain insights into everything that they're using, or that you're using, across your organization. You cross those tools with the data, and then you can understand where you might be vulnerable and where you might have to go into an organization and enact some of your policies. So these are just some of the basics of what an OSPO needs, and we're working a lot with some of our partners in the space to bring relevant and more critical information to every enterprise using open source. You heard about one of them this morning in the keynote: Shanku mentioned WhiteSource, and WhiteSource is really working to bring security vulnerability data to organizations at scale, so that you can better understand what's going on with your open source.

Speaking of the tools that the OSPO needs to be successful, I want to show you a little bit more about what we've been working on to bring visibility about dependencies inside of your projects. This is a demo organization that we put together to show a little bit more about Dependency Insights. We know that today enterprises use a lot of open source code, and managing those dependencies can sometimes be a challenge. Sometimes I've seen people try to manage dependencies in spreadsheets before. So what we really want to do is empower people to break out of the spreadsheet. Dependency Insights really helps you understand the dependencies that might be putting your business at risk, and you need to be able to do this in a super easy and efficient way across your organizations.

Here I'm going to drill into Dependency Insights and look at my test organization a little bit more. I can see everything at a high level, I can see the licenses, but what I'm really interested in is what's going on with my critical vulnerabilities. So I'm going to click into this bar graph, and this actually filters everything by what I want to focus on first, which is all of those critical security vulnerabilities. I'm going to look at this first one, Action View. I can already start to pick up a little bit more information about this: I can see it has two security advisories issued for it. I'm going to go and look at its dependents, and right away I can see this version has an active security advisory and should not be used. I get a little bit more information about where it's being used inside my organization and what the recent versions are, and I can see exactly where my teams are using this across my org. Now, I don't know what Action View is, so I'm going to click into the description and go read a little bit more about what this is, so I know what my teams might be using it for. I see license information, I see the description, but what I really came here for is to look at security. So I'm going to click over to the security tab, and as I'm scrolling down I immediately see information from the CVE that was issued for this component. I can see the impact that it made, I can see releases, I get information about workarounds, and I can also see who to credit for all of this information.

So that was drilling into the information about a particular component. But if I have multiple organizations within my enterprise, I really want to be able to look across my whole business and zoom out to see Dependency Insights across all of the organizations that I manage, so that I can see all this information at scale. What we're looking at here is a way to really slice and dice the information and maybe serve my broader reporting needs. For example, I might want to search across every single organization in my enterprise for a particular license usage that might be going against my company's policy. So on the organization view of Dependency Insights I can search for a specific license type. Here I'm searching for GPLv3, and I can see whether or not anybody's using a project that has this particular license. I can do that instead of going into every single organization and spending a day trying to research and find where this might show up; I can do that from this view across all of my organizations.

So we know that we can't prevent security breaches, just like we can't prevent earthquakes. They happen; they're a fact of innovation and software development. But what we can do is provide enterprises with all of the tools that they need to understand their dependencies and the code complexity. We can arm ourselves with what we need to really be prepared. After that 1964 earthquake in Alaska, scientists learned a lot about how to better prepare. They were actually able to implement a broad earthquake monitoring system that gathered data to help engineers develop earthquake-resistant structures that help to limit property damage and injuries, and also this thing called the Tsunami Warning Center was created. This gives everybody who might be impacted by a tsunami, that much broader range of who could be impacted by an earthquake, information about what to do in case one happens. So we can learn a lot from security risks, just like these scientists learned from what was going on after that earthquake hit, but we have to really be paying attention to what's going on. What Dependency Insights is giving you is all of the data and all of the information that you need to go in and understand all of the open source across your whole organization.

Today we saw several things being announced in the security space, but really we're just getting started, and we're really looking forward to learning, just like those scientists in Alaska, about how you're using open source in your organizations, what you might need, how you might want to start using Dependency Insights, and working with you to continue to build these tools so that they work very effectively for you and your organizations on your projects. If you're interested in this space, I encourage you to reach out to us. There are a lot of people here today who worked on these projects, and there are a lot of talks throughout the day as well. There's one this afternoon about security vulnerabilities from Justin Hutchings and Brian Clark; I definitely encourage you to go check that one out.

I think Jeff McAffer is also in the audience. Jeff, can you raise your hand? Right over here, can you stand up, Jeff? Jeff McAffer came to GitHub to really understand what an OSPO needs at scale, and so Jeff and I, after this talk, are going to head downstairs to the GitHub ask-product area, and I want you all to come. We have a couple of demo computers down there; I want you all to come and get some hands-on with these tools, and we can walk through some of the scenarios that you might have, and answer some questions about what is powering Dependency Insights and how else you could slice and dice this data. So please come talk to me and Jeff afterwards; there are also some people who worked on this and built this downstairs as well. I want to thank you all for being here, and enjoy Dependency Insights. Thank you so much.
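The talk asks for OSPO policies that are automatable and then demos the two checks that matter most: filtering an enterprise's dependency inventory for critical advisories (including packages pulled in transitively, with the path through which they arrive) and searching every organization for a license such as GPLv3. The script below is an added example of that kind of check, written for this page; it is not GitHub's Dependency Insights code and does not use any GitHub API. Every package name, version, advisory ID, organization and repository in it is constructed for the example, and the version comparison is a plain dotted-integer compare rather than full semver.

```python
"""Toy dependency-policy audit over a constructed multi-org inventory.

Added example for this page; not GitHub's Dependency Insights implementation.
All names, versions and advisory IDs below are constructed.
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Dotted-integer compare so "2.10.0" sorts above "2.9.0" (string compare would not)."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    id: str        # constructed identifier, not a real CVE/GHSA
    package: str
    severity: str  # low / moderate / high / critical
    fixed_in: str  # versions strictly below this are affected


# Constructed advisory feed (invented packages and IDs).
ADVISORIES = [
    Advisory("ADV-0001", "demo-view", "critical", "2.0.3"),
    Advisory("ADV-0002", "demo-view", "moderate", "2.1.0"),
    Advisory("ADV-0003", "tiny-logger", "high", "1.4.0"),
]

# Constructed registry: (name, version) -> (license, pinned direct dependencies).
REGISTRY = {
    ("web-framework", "5.0.0"): ("MIT", [("demo-view", "2.0.1"), ("tiny-logger", "1.4.2")]),
    ("web-framework", "5.1.0"): ("MIT", [("demo-view", "2.1.0"), ("tiny-logger", "1.4.2")]),
    ("demo-view", "2.0.1"): ("MIT", [("tiny-logger", "1.3.0")]),
    ("demo-view", "2.1.0"): ("MIT", [("tiny-logger", "1.4.2")]),
    ("tiny-logger", "1.3.0"): ("MIT", []),
    ("tiny-logger", "1.4.2"): ("MIT", []),
    ("report-gen", "0.9.0"): ("GPL-3.0-only", []),
}

# Constructed enterprise inventory: org -> repo -> direct (top-level) dependencies.
INVENTORY = {
    "payments-org": {
        "checkout": [("web-framework", "5.0.0")],
        "ledger": [("web-framework", "5.1.0"), ("report-gen", "0.9.0")],
    },
    "platform-org": {
        "gateway": [("tiny-logger", "1.4.2")],
    },
}

# Minimal policy: licenses the (hypothetical) OSPO does not allow in products.
DISALLOWED_LICENSES = {"GPL-3.0-only", "GPL-3.0-or-later", "AGPL-3.0-only"}

SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}


def resolve(direct, path=()):
    """Yield (name, version, via) for every package reachable from `direct`.
    `via` is the chain of packages that pulled it in; empty for a direct dependency."""
    seen = set()
    stack = [(name, version, path) for name, version in direct]
    while stack:
        name, version, via = stack.pop()
        if (name, version) in seen:
            continue
        seen.add((name, version))
        yield name, version, via
        _, deps = REGISTRY[(name, version)]
        for dname, dversion in deps:
            stack.append((dname, dversion, via + (f"{name}@{version}",)))


def is_affected(adv: Advisory, name: str, version: str) -> bool:
    return adv.package == name and parse_version(version) < parse_version(adv.fixed_in)


def audit(inventory, advisories, disallowed, min_severity="critical"):
    """Return (kind, org/repo, package@version, chain, detail) for every policy hit."""
    findings = []
    for org, repos in inventory.items():
        for repo, direct in repos.items():
            for name, version, via in resolve(direct):
                license_, _ = REGISTRY[(name, version)]
                where, pkg = f"{org}/{repo}", f"{name}@{version}"
                chain = " -> ".join(via) if via else "direct"
                if license_ in disallowed:
                    findings.append(("license", where, pkg, chain, license_))
                for adv in advisories:
                    if is_affected(adv, name, version) and \
                            SEVERITY_RANK[adv.severity] >= SEVERITY_RANK[min_severity]:
                        detail = f"{adv.id} {adv.severity}, fixed in {adv.fixed_in}"
                        findings.append(("advisory", where, pkg, chain, detail))
    return findings


def find_license(inventory, license_id):
    """Cross-org search for one license, like the GPLv3 search in the demo."""
    hits = []
    for org, repos in inventory.items():
        for repo, direct in repos.items():
            for name, version, _ in resolve(direct):
                if REGISTRY[(name, version)][0] == license_id:
                    hits.append((f"{org}/{repo}", f"{name}@{version}"))
    return sorted(hits)


if __name__ == "__main__":
    for finding in audit(INVENTORY, ADVISORIES, DISALLOWED_LICENSES, min_severity="high"):
        print(*finding, sep=" | ")
    print("GPL-3.0-only users:", find_license(INVENTORY, "GPL-3.0-only"))
```

Two things the example shows that the demo only implies. First, the vulnerable `tiny-logger@1.3.0` never appears in any repository's own dependency list; it arrives two hops down through `web-framework` and `demo-view`, which is why the report carries the chain rather than just the package. Second, the version check has to compare numerically: a string comparison would put `2.10.0` below `2.9.0` and silently mark patched versions as vulnerable or vice versa.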
