Open Source Solution

eSimplicity recently released an MVP with microservices and 300 open-source software (OSS) libraries to multiple lines of business at the Centers for Medicare & Medicaid Services (CMS) in 90 days from concept inception to Authority to Operate (ATO) and launch. We summarize our best practices under OSS selection, OSS inventory management, and development/migration. With hundreds of credible OSS libraries available, no team can test every library one by one before adopting it. It takes an experienced team to draw on previous experience, read the OSS description, assess the community, use tools to scan for security and privacy issues, and test groups of solutions together before adopting them.

The SIMPLE Experience

OSS selection

For OSS selection, eSimplicity evaluates the viability, maintainability, security, and privacy of the open-source community. We assess whether the project is a genuine open-source community or a vendor-backed offering intended to steer adopters into a commercial product. We assess the viability of the community and the diversity of its membership. Larger projects can adopt hundreds, if not thousands, of OSS components, so evaluating each one by hand is not manageable at scale.

OSS inventory management

For OSS inventory management, eSimplicity designs solutions with defined OSS inventory compliance rules. Within our DevSecOps pipeline, we use tools like BlackDuck or Nexus (open source) to manage OSS scanning, license compliance, security and defect tracking, upgrades, and the set of allowed packages.

OSS migration or development

Lastly, when migrating a commercial off-the-shelf (COTS) product or a database to an OSS solution, eSimplicity finds it best to isolate functions by business boundary so they can be refactored and validated incrementally.

OSS security and privacy

eSimplicity chooses OSS by evaluating specific attributes of a project, based on the sensitivity of the component. We first consider the size and diversity of the community that created it. Secondly, we examine the security and functionality of the software based on bug reports, security scans, and the new-feature process. Finally, we evaluate the licensing requirements. Once an OSS component is selected, additional steps are applied within the DevSecOps pipeline to ensure adherence to project security and authority-to-operate mandates. Picking a piece of OSS at one point in time does not mean that the same component is viable 6 months later. Adopting tools like BlackDuck or Nexus to manage the OSS inventory should be a requirement whenever OSS is involved. eSimplicity uses these tools to achieve two objectives: (1) support decision making for operation, release, and communication, and (2) provide documented enforcement for compliance and governance.
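One way to encode the inventory compliance rules described under OSS inventory management (an approved-package list and license compliance) together with the 6-month viability concern raised above, as an added Python example that is not eSimplicity's tooling nor a BlackDuck or Nexus feature; the package names, licenses, dates and the 180-day threshold are constructed for illustration:

```python
from datetime import date

# Constructed policy: the approved-package list and the licenses the project may ship.
# License values are SPDX identifiers, which is how OSS scanners usually report them.
ALLOWED_PACKAGES = {"httpclient-lib", "webframe", "orm-toolkit"}
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}
MAX_RELEASE_AGE_DAYS = 180  # a component with no release in ~6 months is flagged for review

# Constructed inventory in the shape a pipeline might export from a dependency scan.
INVENTORY = [
    {"name": "httpclient-lib", "version": "2.3.1", "license": "Apache-2.0", "last_release": "2024-05-20"},
    {"name": "webframe", "version": "3.0.0", "license": "BSD-3-Clause", "last_release": "2024-09-30"},
    {"name": "util-helper", "version": "0.1.0", "license": "MIT", "last_release": "2024-10-01"},
    {"name": "orm-toolkit", "version": "1.4.0", "license": "GPL-3.0-only", "last_release": "2022-01-01"},
]


def check_inventory(inventory, today_iso, allowed_packages=ALLOWED_PACKAGES,
                    allowed_licenses=ALLOWED_LICENSES, max_age_days=MAX_RELEASE_AGE_DAYS):
    """Return (package, finding) pairs; an empty list means the inventory is compliant.

    Findings: 'unapproved-package', 'unapproved-license:<spdx-id>', 'stale:<days>'.
    today_iso is the evaluation date as an ISO string so the check is reproducible in CI.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for comp in inventory:
        name = comp["name"]
        if name not in allowed_packages:
            findings.append((name, "unapproved-package"))
        if comp["license"] not in allowed_licenses:
            findings.append((name, f"unapproved-license:{comp['license']}"))
        age_days = (today - date.fromisoformat(comp["last_release"])).days
        if age_days > max_age_days:
            findings.append((name, f"stale:{age_days}"))
    return findings


def is_compliant(inventory, today_iso):
    """Pipeline gate: block the release when any finding exists."""
    return not check_inventory(inventory, today_iso)


if __name__ == "__main__":
    for name, finding in check_inventory(INVENTORY, "2024-11-01"):
        print(f"{name}: {finding}")
    print("compliant" if is_compliant(INVENTORY, "2024-11-01") else "blocked")
```

Re-running the same check on a schedule, not only at selection time, is what catches a component that was acceptable when adopted and has since gone unmaintained or changed license.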