25–27 Oct 2024
The Hague, Netherlands
Europe/Amsterdam timezone

Shining Light on the Open Source Supply Chain: The Risk in Community Health

25 Oct 2024, 16:30
25m
KWA - Plenary room (World Forum The Hague)

Talk (25 Minutes) Security

Speakers

Georg Link (he/him/his)
Bitergia
Luis Cañas-Díaz (He/Him)
Bitergia

Description

Organizations are increasingly reliant on open-source software (OSS) to accelerate development and reduce costs. However, the health of the communities behind these projects is often overlooked, posing significant risks to the overall supply chain. This talk introduces GrimoireLab, an open source tool that can shine a light on those dark corners of your open source supply chain. We will also show how GrimoireLab was used in a novel Risk Assessment Model for the Maturity and Sustainability of open source dependencies, designed to address this critical challenge.

Using GrimoireLab and combining concepts from the CHAOSS project with cloud-native deployment maturity models, our approach goes beyond traditional Software Bill of Materials (SBOM) analysis to evaluate the ongoing maintenance activity and community health of OSS projects. This enables organizations to:
- Assess the long-term viability of their open source dependencies.
- Make informed decisions about library selection and integration.
- Proactively mitigate risks associated with unhealthy or unsustainable communities.

This talk will delve into the model's design and implementation with GrimoireLab, using Kubernetes as a case study. By adopting this approach, organizations can build a more resilient and sustainable software foundation, ensuring the long-term health of their open source supply chain.
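To make the "community health beyond the SBOM" idea concrete, the following is an added illustration (not GrimoireLab's code or the speakers' model) of the kind of CHAOSS-style signals such an assessment draws on: trailing-window activity, active authors, time since the last commit, and a bus factor. The commit sample, the thresholds and the triage rule are constructed assumptions.

```python
"""Community-health risk signals in the spirit of the CHAOSS metrics the talk
builds on. Added illustration, not GrimoireLab or the speakers' model; the
thresholds and the commit sample are constructed assumptions."""
from collections import Counter
from datetime import date, timedelta

# Constructed sample: (commit date, author e-mail) for a hypothetical dependency.
SAMPLE_COMMITS = [
    (date(2024, 9, 30), "alice@example.org"),
    (date(2024, 9, 12), "alice@example.org"),
    (date(2024, 8, 20), "alice@example.org"),
    (date(2024, 7, 2), "bob@example.org"),
    (date(2024, 3, 15), "alice@example.org"),
    (date(2023, 11, 1), "carol@example.org"),
]

def bus_factor(commits, share=0.5):
    """Smallest number of authors whose commits cover `share` of all commits
    (the CHAOSS 'bus factor' idea): low values mean knowledge is concentrated."""
    counts = Counter(author for _, author in commits)
    needed = share * sum(counts.values())
    covered, authors = 0, 0
    for _, n in counts.most_common():
        covered += n
        authors += 1
        if covered >= needed:
            return authors
    return authors

def health_signals(commits, today, window_days=90):
    """Activity and concentration indicators over a trailing window."""
    recent = [c for c in commits if today - c[0] <= timedelta(days=window_days)]
    return {
        "recent_commits": len(recent),
        "active_authors": len({a for _, a in recent}),
        "days_since_last_commit": (today - max(d for d, _ in commits)).days,
        "bus_factor": bus_factor(commits),
    }

def risk_level(signals):
    """Assumed triage rule: flag inactive or single-maintainer projects."""
    if signals["recent_commits"] == 0 or signals["days_since_last_commit"] > 180:
        return "high"      # project looks abandoned
    if signals["bus_factor"] <= 1 or signals["active_authors"] <= 1:
        return "medium"    # alive but dependent on one person
    return "low"

if __name__ == "__main__":
    s = health_signals(SAMPLE_COMMITS, today=date(2024, 10, 25))
    print(s, risk_level(s))
```

In a real assessment these signals would come from GrimoireLab's collected data across many sources rather than a single commit list, and the thresholds would be calibrated to the organization's own risk appetite.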
