Contributed by Nureen D’Souza, Director, Open Source Program Office, Capital One
Today some of the most ground-breaking digital experiences created for customers are based on open source software. Open source is appealing because it’s supported by a global developer community that continuously innovates and maintains the software. With the recent increase in adoption of open source software, businesses need a well-managed supply chain and secure software delivery pipelines to mitigate the inherent risks, which is critical to realizing the benefits of open source software. As a highly regulated company, Capital One has the institutional advantage of being seasoned in deftly navigating the challenges related to compliance and governance.
We’ve been able to adopt an “open source first” approach and maintain a healthy software supply chain by focusing on standardization, automation and ecosystem sustainability supported by our Open Source Program Office (OSPO). With a strong software supply chain, we can innovate more quickly; influence the product roadmap; gain access to a diverse pool of perspectives; and recruit and retain talent looking to build their expertise. We’re also keenly aware that this is an ever-evolving process and together with industry foundation partners we are making continuous improvements to our software supply chain.
It has taken time, but Capital One has established a well-defined process to use, launch, maintain and contribute to open source software responsibly. These standards provide developers with guardrails and reinforce the appropriate behaviors.
These standards for applications should focus on:
• Security: To defend and protect from malicious actors;
• Compliance: To adhere to required controls;
• Privacy: To protect sensitive information that should not be shared; and
• Transparency: To produce metadata—for example, about health and security posture—so that software behavior is observable and verifiable.
If a developer consumes a library, they need to know where it’s coming from; otherwise it becomes the weak link in your software supply chain, and you have a compromised dependency.
DevSecOps automation is the most effective tool in our defense arsenal. Automation enables developers, infrastructure, and information security teams to focus on delivering value, and it reduces the mistakes and repetition of routine tasks that surface as security issues in code.
We aim for transparency in our processes, particularly in the code we bring into our open source software projects, and knowing a library’s history is core to our approach. It’s important to implement orchestration for repeatable tasks such as version upgrades and new patches; automate policies to make it easy to engage with open source software; and institute a Software Bill of Materials (SBOM) as an application inventory, so that we know exactly what is in each release build.
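An SBOM is only useful as an inventory if something reads it and asks the provenance questions above (where did this library come from, and can the artifact be pinned). The script below is an added example, not Capital One code or part of any tool named in this post: it walks a constructed CycloneDX-shaped SBOM embedded inline and reports components that lack a package URL, lack a recorded hash, or are distributed from a host outside a hypothetical approved list. The SBOM document, the digest value and the approval policy are all made up for illustration.

```python
"""Audit a CycloneDX-style SBOM for missing provenance.

Constructed example: the SBOM document below is made up for illustration,
and the policy (approved purl types and download hosts) is hypothetical.
"""
import json
from urllib.parse import urlparse

# Hypothetical policy: components may come only from these purl types and,
# where a distribution URL is recorded, only from these hosts.
APPROVED_PURL_TYPES = {"pypi", "maven", "npm"}
APPROVED_HOSTS = {"pypi.org", "repo1.maven.org", "registry.npmjs.org"}

# Constructed CycloneDX 1.4-shaped SBOM (only the fields the audit needs).
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0",
     "hashes": [{"alg": "SHA-256", "content": "<constructed-digest>"}],
     "externalReferences": [{"type": "distribution",
       "url": "https://pypi.org/project/requests/"}]},
    {"name": "leftpad-fork", "version": "0.0.1",
     "purl": "pkg:npm/leftpad-fork@0.0.1",
     "externalReferences": [{"type": "distribution",
       "url": "https://example.invalid/tarballs/leftpad-fork.tgz"}]},
    {"name": "internal-util", "version": "1.0.0"}
  ]
}
""")


def component_label(component: dict) -> str:
    """Human-readable name@version for report lines."""
    return f"{component.get('name')}@{component.get('version')}"


def audit_component(component: dict) -> list[str]:
    """Return policy findings for one component (empty list means it passes)."""
    findings = []
    label = component_label(component)

    # A purl (pkg:<type>/<name>@<version>) records which ecosystem the
    # package was resolved from; without one the origin cannot be verified.
    purl = component.get("purl")
    if not purl:
        findings.append(f"{label}: no purl, origin cannot be verified")
    else:
        purl_type = purl.partition(":")[2].partition("/")[0]
        if purl_type not in APPROVED_PURL_TYPES:
            findings.append(f"{label}: purl type '{purl_type}' not approved")

    # Without a hash the build cannot prove it consumed the same artifact
    # that was reviewed.
    if not component.get("hashes"):
        findings.append(f"{label}: no hash recorded, artifact cannot be pinned")

    # Distribution references tell us where the artifact was fetched from.
    for ref in component.get("externalReferences", []):
        if ref.get("type") != "distribution":
            continue
        host = urlparse(ref.get("url", "")).hostname or ""
        if host not in APPROVED_HOSTS:
            findings.append(f"{label}: distributed from unapproved host '{host}'")
    return findings


def audit_sbom(sbom: dict) -> dict[str, list[str]]:
    """Map each failing component label to its list of findings."""
    report = {}
    for component in sbom.get("components", []):
        findings = audit_component(component)
        if findings:
            report[component_label(component)] = findings
    return report


if __name__ == "__main__":
    for label, findings in audit_sbom(SAMPLE_SBOM).items():
        print(label)
        for finding in findings:
            print("  -", finding)
```

Run against the embedded SBOM, the audit passes `requests` and reports two findings each for `leftpad-fork` (no hash, unapproved host) and `internal-util` (no purl, no hash). In a pipeline the same check would run on the SBOM produced for each release build, so a component with no verifiable origin fails the build instead of reaching production.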
We reinforce the importance of “Shifting Left” or finding and preventing defects earlier in the software delivery process. We can do this by providing developers with actionable insights for increased transparency. Shifting left results in better code quality at the time of production; vulnerability prevention at the source; and reduced remediation work.
Our OSPO invests significant time and energy in managing process and technology enhancements, but our most important work involves people. Establishing a culture of collaboration is vital for a healthy software supply chain and requires all hands on deck. Our OSPO works to bring together legal, compliance, risk, information security, marketing and leadership to create a culture of collaboration where everyone is aligned on the same mission.
A collaborative culture is equally important outside of Capital One. We encourage our developers to contribute to open source projects that our company depends on “upstream” to avoid downstream risk. In the past year, we’ve shared our own software with the open source community including Data Profiler, edgetest and rubicon-ml and we encourage contributions.
Open source software’s role in creating value for technology firms continues to grow because we share the costs of creating and maintaining core infrastructure. Sustaining these critical technology assets demands that a high number of talented contributors form communities around open source software to keep our software supply chain strong. We also help to shape industry and government efforts to strengthen the open source software supply chain by actively participating in the Continuous Delivery Foundation and organizations with a similar mission.
Nureen D’Souza is Director of the Open Source Program Office at Capital One and spoke about “Strengthening the Software Supply Chain” at cdCon 2022.