As the use of open source software increases, a well-managed supply chain and secure software delivery pipelines are critical for business success, according to Nureen D’Souza, leader of Capital One’s Open-Source Program Office and speaker at cdCon 2022.
“It’s important to implement a company-wide culture with security ingrained that allows developers to focus on innovation and value-add features instead of software maintenance chores,” said D’Souza.
As part of a 10-year technology transformation, Capital One made an open-source first declaration in 2015. “Today, our modern architecture is allowing Capital One to take advantage of the world’s innovations and accelerate delivery by committing to a collaborative software-building approach,” said D’Souza.
The biggest challenge in managing the software supply chain is governing an ever-growing number of tools, languages, frameworks, and connectivity methods, according to D’Souza. Amid these complexities, Capital One has incorporated standardization, automation, and ecosystem sustainability into the charter of the Open Source Program Office.
According to D’Souza, Capital One has established a well-defined process to use, launch, maintain and contribute to open source software responsibly. These standards provide developers with guardrails and reinforce the appropriate behaviors.
“Establishing well-managed processes around security, compliance, privacy and transparency is vital to open source software development,” said D’Souza.
Applications need defenses to protect them from malicious actors and compliance policies to ensure adherence to controls. Organizations can also protect sensitive information by establishing privacy standards. To make software behavior observable and verifiable, a well-managed process can track the health and security posture of applications through metadata.
D’Souza also stressed the importance of automation in DevSecOps as a significant benefit of shifting security left in the development process. She emphasized these principles:
- Policies: Automate policies at the beginning of the development process to make open source software easy to use;
- Orchestration: Maintain infrastructure by creating orchestration for repeatable tasks such as version upgrades and new patches;
- Actionable Insights: Create an application inventory or Software Bill of Materials to let developers know what is in each release build;
- Code Review: Design an automated code review process to increase the quality of code before it is released;
- Requirements: Automate all functional and non-functional requirements.
“By automating various tasks throughout the software delivery pipeline you mitigate risk,” said D’Souza.
Open-source software creates tremendous value for technology companies because they can share the costs of creating and maintaining core infrastructure. Sustaining these critical assets demands a large number of talented contributors forming nurturing communities.
To sustain this ecosystem, D’Souza recommends identifying the open source solutions that your company depends on and contributing to those projects maintained by foundations. “This is a great way to solve problems collectively,” she said. D’Souza also stressed the importance of contributing upstream to avoid reacting to issues downstream.
Capital One teams have released more than 25 open source projects and made more than 2,000 contributions to approximately 100 different projects that the company depends on, working collectively with those communities to solve software supply chain problems.
“All of this work contributes to an improved developer experience by allowing engineers to focus on what they do best,” said D’Souza.