:warning: A small corporate softball piece originally posted on LinkedIn. Republished here for posterity(?). Note to self, hire an editor.

What’s in your software product?

Today’s software ecosystem is built on widely available free open source software (FOSS) stored for consumption at sites like GitHub.com, Bitbucket, StackOverflow and a wide variety of package managers. Startups and Fortune 100 enterprises alike have benefited tremendously from this arrangement; new projects can focus on the value-add proposition and not re-inventing the wheel.

This explosion of open source packages has introduced a new problem: “what is being bundled into my software products?” Like any port of entry, consuming these 3rd party software packages requires an inspection of goods. For more details on the perils of trusting the internet, look no further than this study recently published by the Core Infrastructure Initiative. It found that ‘Seven of the top ten most used software packages were hosted under individual accounts.’ If this sounds at all familiar, look no further than the 2016 “left-pad” package that ‘broke’ the internet.

Even the simplest Angular.io hero application requires 12 core dependencies and results in ~870 installed node module packages! Any team could spend its entire time worrying about publicly hosted packages, or it could implement a few simple steps to mitigate this risk.

1. Fork the target open source project and maintain a synced copy. Stay current and update the forked repository only after confirming that the latest upstream code is what it purports to be.

2. Leverage an open source scanning solution like Black Duck or Checkmarx to systematically review and mitigate the risk of open source software defects.

3. Form an Open Source stewardship committee to oversee both the consumption of and the contribution back to Open Source Software. All contributions count, even bug reports, documentation contributions and issue triage.

Taking these three simple steps has improved cross-team communication, innovation and security at Paychex. Learn more about our open source contributions at https://github.com/Paychex
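As an added example that is not part of the original post, here is one concrete way to start answering “what is being bundled into my software products?” for an npm project: walk a package-lock.json (lockfileVersion 2/3 layout) and flag every package that is fetched from an untrusted host, over a non-https or git URL, or without a sha512 integrity hash. The lockfile content and the trusted-registry set are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample lockfile (lockfileVersion 3 layout); not from any real project.
SAMPLE_LOCK = json.dumps({
    "name": "hero-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "hero-app", "version": "1.0.0"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-PLACEHOLDERDIGEST"},
        "node_modules/example-widget": {          # pulled straight from a git repo
            "version": "2.0.0",
            "resolved": "git+ssh://git@github.com/someone/example-widget.git#abc123"},
        "node_modules/example-util": {            # plain http mirror, weak digest
            "version": "0.1.0",
            "resolved": "http://internal-mirror.example/example-util-0.1.0.tgz",
            "integrity": "sha1-PLACEHOLDERDIGEST"},
        "node_modules/example-local": {"resolved": "../libs/local", "link": True},
    },
})

# Hosts we consider a sanctioned port of entry (assumption for this example).
TRUSTED_REGISTRIES = {"registry.npmjs.org"}


def audit_lockfile(text, trusted=TRUSTED_REGISTRIES):
    """Return the number of installed packages and a list of (name, version, reasons)."""
    packages = json.loads(text).get("packages", {})
    flagged = []
    for path, meta in packages.items():
        if path == "" or meta.get("link"):
            continue  # the root project and workspace symlinks carry no fetched artifact
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = meta.get("resolved", "")
        url = urlparse(resolved)
        reasons = []
        if not resolved:
            reasons.append("no resolved URL")
        elif url.scheme != "https":
            reasons.append(f"non-https source ({url.scheme})")
        if url.hostname and url.hostname not in trusted:
            reasons.append(f"untrusted host {url.hostname}")
        integrity = meta.get("integrity", "")
        if not integrity:
            reasons.append("no integrity hash")
        elif not integrity.startswith("sha512-"):
            reasons.append("weak integrity algorithm")
        if reasons:
            flagged.append((name, meta.get("version"), reasons))
    return {"total": sum(1 for p in packages if p), "flagged": flagged}
```

Run it against a real lockfile by passing the file contents to `audit_lockfile`; anything in `flagged` is a dependency whose origin deserves the manual inspection the post describes before it is synced into a fork.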

Opinions expressed are solely my own and do not express the views or opinions of my employer.


tags: 2024, linkedin, open-source, business