
Importance of Open Source in High-Compliance Organizations

February 23, 2023 | Blog, Community

Contributed by Matheus Paes Pereira, Garima Bajpai, and Moïse Kameni

Open source technologies have become increasingly popular, especially in highly-regulated industries such as aviation, banking, healthcare, energy, and defense. This momentum is partly due to the adoption of modern software delivery practices, which enable incremental software releases in a fast and reliable way. Significant advancement in open source tooling has helped the adoption of continuous delivery at scale.

As organizations start to reap big benefits from the adoption of continuous delivery, it is evident that open source tooling is the new normal. If we focus on the highly-regulated sector, there are compelling advantages to reducing barriers to adopting open source technologies. However, these industries have unique requirements for security, reliability, and compliance, making it challenging to adopt new technologies. There are also several considerations that organizations should take into account when adopting open source technologies in these environments. 

Adopting Open Source Technologies

Adopting open source technologies in highly-regulated environments can bring many benefits, such as continuous compliance to adhere to evolving regulations, cost optimization, flexibility, and access to a large community of developers. Through this blog, we present some key considerations with examples to simplify the adoption of open source tools and technologies for continuous delivery and provide support for the highly-regulated sector.

Continuous Compliance

Highly-regulated industries have strict requirements for compliance with laws and regulations, and it’s essential to ensure that open source technologies used in these environments meet those requirements. Organizations should carefully evaluate the software for compliance with industry regulations and standards, and ensure that any necessary certifications or approvals have been obtained. 

Policy-as-code tools can facilitate continuous compliance. Open Policy Agent (OPA, pronounced “oh-pa”), a Cloud Native Computing Foundation (CNCF) incubating project, is one such tool: it provides a unified, declarative way to implement policies for microservices, Kubernetes, Continuous Integration/Continuous Delivery (CI/CD) pipelines, API gateways, and more.
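As an added illustration of what a declarative compliance policy looks like in practice (example code, not from the original post or the OPA project), the Rego policy below runs in OPA as a Kubernetes validating admission check and rejects workloads that pull images from unvetted registries, use mutable tags instead of digests, or carry no reference to an SBOM. The registry names, the annotation key and the Deployment-style `spec.template` path are assumptions chosen for this example.

```rego
package kubernetes.admission

# Added example policy, not the page's or the OPA project's own code.
# OPA evaluates it as a validating admission webhook: `input` is an
# AdmissionReview request. Registry names, the SBOM annotation key and the
# Deployment-style object layout are assumptions made for this example.

import future.keywords.in

# Registries the organization has vetted (constructed values).
trusted_registries := {"registry.internal.example.com", "ghcr.io/example-org"}

# Annotation the build pipeline is assumed to set with a pointer to the SBOM.
sbom_annotation := "example.com/sbom-ref"

# Every container of the workload, init containers included.
containers[c] {
    some c in input.request.object.spec.template.spec.containers
}
containers[c] {
    some c in input.request.object.spec.template.spec.initContainers
}

# Control 1: images must come from a trusted registry.
deny[msg] {
    some c in containers
    not image_trusted(c.image)
    msg := sprintf("container %q uses image %q from an untrusted registry", [c.name, c.image])
}

image_trusted(image) {
    some r in trusted_registries
    startswith(image, sprintf("%s/", [r]))
}

# Control 2: images must be pinned by digest so the audited artifact is immutable.
deny[msg] {
    some c in containers
    not contains(c.image, "@sha256:")
    msg := sprintf("container %q image %q is not pinned by digest", [c.name, c.image])
}

# Control 3: the workload must reference an SBOM for supply-chain transparency.
deny[msg] {
    not input.request.object.metadata.annotations[sbom_annotation]
    msg := sprintf("workload %q has no %q annotation", [input.request.object.metadata.name, sbom_annotation])
}
```

Each `deny` rule contributes a message to a set; an empty set means the request is compliant, and the same rules can be evaluated in a CI pipeline against rendered manifests before anything reaches the cluster.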

Security

Ensure that open source tools have been properly secured and that any vulnerabilities have been identified and addressed. Organizations should conduct regular security assessments and penetration testing and have a vulnerability management plan in place. For example, Pyrsia (pronounced “pir-see-ah”) is a decentralized package network that secures the software supply chain of open source dependencies by securing both the builds and the distribution of open source packages. This is key to accelerating supply chain security across several different languages.

Risk

Automating software development in regulated sectors may require initial due diligence. One of the most important considerations is to reduce risk continuously while delivering incremental features. The adoption of a well-architected platform that can provide automation while enabling the implementation of all the controls can save substantial amounts of time and effort. 

One of the most relevant open source tools for this is Tekton, an open source project that provides a platform for automating the software delivery pipeline. Tekton allows applications to be built, tested, and deployed in a consistent and repeatable way.

Tekton has been adopted by companies in various regulated industries to automate their software development process and increase efficiency. For example, at PicPay and Nubank, both in the financial services industry, Tekton automates the testing and deployment of software updates for banking, investing, and P2P exchange systems, ensuring that the software is reliable and meets safety requirements. Read more about this here: “How Tekton helped Nubank scale up” and “Why and Where to Start a Platform Engineering Team”.

Strategies to Adopt Open Source

Here are some tips for highly-regulated organizations that want to adopt open source technologies.

Best Practices

Open source software can offer more flexibility than proprietary software, but organizations should ensure that the tools can be easily integrated and customized to meet the specific needs of the organization. Make sure to assess quality indicators for open source. The Open Source Security Foundation’s (OpenSSF) Best Practices badge is one way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices.

Trusted Supply-Chain 

Adopt open source tools and technologies from trusted ecosystems. It’s important to have a process for identifying and tracking the open source components that are present in the software. The process should also be capable of handling open source obligations in a way that is aligned with the organization’s overall business practices. Some guidance is available at https://openssf.org

Skills to Execute

It is needless to state that critical skills and capacity building for the adoption of open source are essential for a successful implementation. While open source is free and open, substantial effort is required to maintain, adopt, and operate it at scale. The critical skills can be sourced through a community of practitioners or built in-house. Many open source tools in the CI/CD space have a strong community behind them, and organizations like the CD Foundation provide substantial support for the overall open source community of continuous delivery.

Interoperability and Standardization


CI/CD practitioners have many tools at their disposal, most of them in the open source landscape, but it’s often the case that what we call a pipeline today won’t be called the same thing tomorrow. Consider the architectural components that enable loose coupling and avoid vendor lock-in. The CDF Interoperability Special Interest Group (SIG) has been working on achieving interoperability within the CD ecosystem, and one of the outcomes of its work is the CDEvents project, which standardizes the events used in a CI/CD process. Additionally, the SIG created a document that collects the basic terms used by CI/CD tools and technologies, working toward a shared vocabulary that helps us humans communicate and collaborate better and that will eventually be integrated into CDEvents.

Automation

Automation leads to increased velocity and reduces risk by enabling fast feedback loops for the engineers. Think of provisioning your infrastructure and automating your compliance processes. GitOps is one of the practices that enables organizations to work with their infrastructure in an automated and declarative manner.

Consumption 

Building software is often not a core activity in highly-regulated organizations. Luckily, there are great solutions available on the market that address various business challenges.

Maintain compliance by ensuring that the open source software you are consuming has a Software Bill of Materials (SBOM). SBOMs provide transparency for all the software assets and are an important tool in securing your software supply chains.

Keep an Open Source Mindset

Promote an open source community within the organization to evaluate whether tools meet the needs of the organization, as well as contribute to open source projects to influence the roadmap of tools.

Open source can be an effective way to deliver the same value as a private solution while remaining compliant and being supported by a large community. Why start everything from scratch when you can lean on great existing technologies and innovate from there?  

Where to Start? 

The Linux Foundation has various communities that contribute to advancing open source use and contribution in regulated industries, such as LF Energy and LF Networking, which you can follow to explore ways to get onboard.