On June 7th, for the third year in a row, we hosted Upstream, a virtual, one-day celebration of open source, the developers who use it, and the maintainers who make it. It was our biggest Upstream yet, with hundreds of attendees joining us in discussions about the current state of open source and how to make it better for everyone.
In her Upstream talk entitled “Leveraging InnerSource practices to drive external Open Source solutions,” OSPO strategist and senior manager at Fannie Mae, Brittany Istenes, discusses leveraging open source software contributions within a secure InnerSource model and what the OSPO team at Fannie Mae has done to work upstream with open source software maintainers.
What is an OSPO?
An open source program office, or OSPO, advocates for open source engagement in a risk-averse, highly regulated environment. Brittany provides more detail:
We partner with key stakeholders across the organization, such as legal, InfoSec, risk, and our CISO partners. We have executives, technologists, managers, and everyone else that is impacted by all of the software development. We are central to a business function—90% of software and applications are derived from open source software. We have many responsibilities, but some of our core ones really are open source usage, InnerSource collaboration, and community.
What does an OSPO strategist do?
In Brittany’s words, “I focus heavily on the contribution of open source outside of the company, regulations and policies of open source, the consumption of open source software, community building within special interest groups, and culture initiatives within communities of practice. I do a lot of policy and development work on our InnerSource program, and all of the gray areas in between.”
What is InnerSource?
InnerSource is a strategy in which software development teams apply open source practices to proprietary software. With InnerSource, teams can develop an open source community-like culture in their organization, meaning anyone from any team can contribute to the coding process, which provides visibility, encourages collaboration, reduces redundancy, and breaks down silos across the organization.
Brittany goes on to describe the other benefits of InnerSource: “I want to give kudos to the InnerSource Commons community. This foundation is a fantastic space with technologists and pioneers trying to bring in that collaborative culture into their company. InnerSource is coming in force across enterprises large and small. We're creating and cultivating very healthy projects. And InnerSource methods, as mentioned, secure projects—more eyes on a project creates a very stable one. And it really does increase that innovation and improves the developer experience.”
How can an OSPO support these practices?
Some teams have InnerSource program offices (ISPOs), but many times these practices fall within the OSPO. Brittany shares how the OSPO team at Fannie Mae has applied InnerSource practices.
At Fannie Mae, we have dedicated team members for InnerSource to work on the facets of governance and for developing and making our software products great—but it falls in the OSPO. We focus on company culture by convincing teams that opening up their projects will make things more secure and stable. An OSPO is that conduit to bringing many teams together that otherwise would not know about the work that each one of them is doing.
We have targeted a way in which we are the detectives and finding the pieces to put that case together. And we're also the subject matter experts that teach teams how to work together and build their projects with the InnerSource mindset thinking first. We want to teach all folks to work together and we want to bring all projects—albeit even locked to a team—set up with that growth experience in mind. Breaking down silos is very important, because we don't necessarily want to continue on that repetition path.
How can we give back to the open source community?
In the wake of incidents such as Log4Shell, we’ve seen how much our software supply chain relies on the work of, often unpaid, volunteer open source maintainers. If we want to secure the open source software supply chain, we need to work with maintainers and support them. As Brittany puts it, “We still need to be with our maintainers. Our maintainers are the people that are doing the work and trying to keep up with the demand. We want to make sure that we support them, and our maintainer community needs the support.”
Brittany also shares how Fannie Mae is ensuring that they’re not just consuming, but that they’re working to help the community in their development processes:
You need a clean version of a particular dependency in order to consume it, because there are different sorts of regulations that each particular enterprise has in place—and we're going upstream for a solution with the Clean Dependency Project. This is the very first project that Fannie Mae has released into the open.
Our main goal is that we'll create our own internal maintainers to advocate for the project, and then as we make these fixes, we're going to be giving back to the core maintainers. We're using this concept to bring these fixes in internally. Teams are working together to identify the need within their development scope, and we're applying all of these particular needs into the Clean Dependency Project and really taking this upstream problem solving solution for our dependency and vulnerability management. We're proactively identifying and modifying dependency sources and cleaning them, and then making them available.
To learn more about how to apply InnerSource practices in your OSPO, the implementation of the Clean Dependency Project, why alignment matters, and more, you can watch Brittany's Upstream talk here.