OSS selection
For OSS selection, eSimplicity evaluates the viability, maintainability, security, and privacy of the open-source community behind a component. We assess whether it is a genuine open-source community or a commercial vendor's offering designed to funnel adopters into a paid product, and we look at the diversity of its membership. Larger projects can adopt hundreds, if not thousands, of OSS components; assessing each one by hand is not manageable at scale.
OSS inventory management
Concerning OSS inventory management, eSimplicity designs solutions with defined OSS inventory compliance rules. Within our DevSecOps pipeline, we use tools like BlackDuck or the open-source edition of Nexus to manage OSS scanning, license compliance, security and defect tracking, upgrades, and an allowlist of approved packages.
OSS migration or development
When migrating a commercial off-the-shelf (COTS) product or a database to an OSS solution, eSimplicity finds it is best to isolate functions along business boundaries so that each can be refactored and validated incrementally.
OSS security and privacy
eSimplicity chooses OSS by evaluating specific attributes of a project, weighted by the sensitivity of the component. We first consider the size and diversity of the community that created it. Secondly, we examine the security and functionality of the software based on bug reports, security scans, and the project's process for adding new features. Finally, we evaluate the licensing requirements. Once an OSS component is selected, additional steps are taken within the DevSecOps pipeline to ensure adherence to project security requirements and Authority to Operate (ATO) mandates. Picking a piece of OSS at one point in time does not mean that the same component is still viable six months later, so the inventory has to be re-evaluated continuously rather than only at adoption. Adopting a tool such as BlackDuck or Nexus to manage the OSS inventory should be a requirement whenever OSS is involved. eSimplicity uses these tools to achieve two objectives: (1) support decision making for operation, release, and communication, and (2) provide documented enforcement for compliance and governance.
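The inventory compliance rules described in the two sections above (an allowlist of approved packages, license compliance, tracking of known security issues, and the need to re-evaluate a component months after it was first picked) can be enforced as a policy-as-code gate in the pipeline. The script below is an added example written for this page; it is not eSimplicity's code and not output from BlackDuck or Nexus. The CycloneDX-like inventory shape, the policy values, the package names, the review dates and the advisory id "ADV-2024-0001" are all constructed assumptions.

```python
"""Policy gate for an OSS inventory, meant to run as a DevSecOps pipeline step.

Constructed example: the inventory format, policy values and package data are
assumptions for illustration, not output of BlackDuck or Nexus.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory in a CycloneDX-like shape (hypothetical data,
# including the advisory id "ADV-2024-0001").
INVENTORY_JSON = """
{
  "components": [
    {"purl": "pkg:pypi/requests@2.31.0", "license": "Apache-2.0",
     "last_reviewed": "2024-03-01", "vulnerabilities": []},
    {"purl": "pkg:npm/leftpad@1.3.0", "license": "LGPL-3.0-only",
     "last_reviewed": "2024-05-20", "vulnerabilities": []},
    {"purl": "pkg:pypi/examplelib@4.2.0", "license": "MIT",
     "last_reviewed": "2024-05-01",
     "vulnerabilities": [{"id": "ADV-2024-0001", "severity": "high"}]},
    {"purl": "pkg:npm/oldlib@1.0.0", "license": "MIT",
     "last_reviewed": "2023-09-15", "vulnerabilities": []}
  ]
}
"""

# Assumed inventory compliance rules; a real policy lives in the repo and is
# reviewed like any other code.
POLICY = {
    "allowed_packages": {"pkg:pypi/requests", "pkg:pypi/examplelib", "pkg:npm/oldlib"},
    "allowed_licenses": {"Apache-2.0", "MIT", "BSD-3-Clause"},
    "max_vuln_severity": "medium",   # anything above this blocks the build
    "max_review_age_days": 180,      # force a re-evaluation every six months
}

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
SAMPLE_TODAY = date(2024, 6, 1)  # fixed so the example is reproducible


@dataclass(frozen=True)
class Finding:
    component: str  # purl including version
    rule: str       # policy rule that fired
    detail: str


def package_key(purl: str) -> str:
    """Strip the version so the allowlist approves a package, not one release.

    rsplit on the last '@' keeps npm scopes intact (they are encoded as %40).
    """
    return purl.rsplit("@", 1)[0]


def evaluate(inventory: dict, policy: dict, today: date) -> list[Finding]:
    """Apply every policy rule to every component and collect the violations."""
    findings: list[Finding] = []
    max_sev = SEVERITY_RANK[policy["max_vuln_severity"]]
    for comp in inventory["components"]:
        purl = comp["purl"]

        # Rule 1: only explicitly approved packages may be used.
        if package_key(purl) not in policy["allowed_packages"]:
            findings.append(Finding(purl, "not-allowlisted", "package is not on the approved list"))

        # Rule 2: the license must be on the approved list.
        lic = comp.get("license")
        if lic not in policy["allowed_licenses"]:
            findings.append(Finding(purl, "license", f"license {lic!r} is not approved"))

        # Rule 3: known vulnerabilities above the severity threshold block.
        for vuln in comp.get("vulnerabilities", []):
            sev = vuln.get("severity", "critical")  # unknown severity is treated as worst case
            if SEVERITY_RANK.get(sev, 4) > max_sev:
                findings.append(Finding(purl, "vulnerability", f"{vuln['id']} severity {sev}"))

        # Rule 4: an approval expires; a component reviewed too long ago must be
        # re-evaluated even if nothing else about it changed.
        reviewed = comp.get("last_reviewed")
        if reviewed is None:
            findings.append(Finding(purl, "stale-review", "no recorded review"))
        else:
            age = (today - date.fromisoformat(reviewed)).days
            if age > policy["max_review_age_days"]:
                findings.append(Finding(purl, "stale-review", f"last reviewed {age} days ago"))
    return findings


def gate(inventory: dict, policy: dict = POLICY, today: date = SAMPLE_TODAY) -> tuple[bool, list[Finding]]:
    """Return (passes, findings); any finding fails the gate."""
    findings = evaluate(inventory, policy, today)
    return (not findings, findings)


def run_sample() -> tuple[bool, list[Finding]]:
    """Gate the constructed inventory against the assumed policy."""
    return gate(json.loads(INVENTORY_JSON))


if __name__ == "__main__":
    passed, findings = run_sample()
    for f in findings:
        print(f"{f.rule:16} {f.component}: {f.detail}")
    print("PASS" if passed else "FAIL")
    sys.exit(0 if passed else 1)
```

Run against the constructed inventory, the gate fails with four findings: leftpad is neither allowlisted nor approved-licensed, examplelib carries a high-severity advisory above the medium threshold, and oldlib's last review is older than 180 days, which is the "viable six months later" point above turned into a rule. The non-zero exit code is what makes the pipeline stop the release, and the printed findings are the documented enforcement record.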