
Evaluating Business Risk for Open Source Cloud Native Projects

Authors: Dawn Foster

Summary

The talk explains why an organization should evaluate the business risk of the open source cloud native projects it depends on, gives practical advice on assessing that risk when choosing a project, and describes ways to lower the risk of the projects you maintain yourself.
  • Projects with a strong user base are less likely to be abandoned, which reduces the risk of disruption to a business that depends on them
  • Because anyone can read the source of an open source project, more people are able to find and fix security issues, and the wider pool of contributors brings innovation and a diversity of ideas
  • Regular releases, quick patching of security vulnerabilities, and a well-defined process that lets anyone report a vulnerability privately are indicators of a lower risk project
  • Projects should have clear licensing documentation, a code of conduct, contribution documents, and a clearly defined communication process to mitigate risk
  • The community is a crucial factor in the success of an open source project; a culture of treating each other with respect and kindness is indicative of a lower risk project
The OpenSSL security crisis (Heartbleed, 2014) showed why risk evaluation matters: software that much of the internet relied on had almost no resources to maintain it. Risk is worth evaluating because an abandoned, under-maintained, or compromised dependency can disrupt a business. Think of risk as a continuum; no project or technology is completely free of it.
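The checks behind the "lower risk" indicators above (a private vulnerability reporting process, licensing and contribution documents, a code of conduct, and regular releases) can be turned into a repeatable script. The following is an added example and is not code from the talk. It assumes the GitHub community-health file conventions (LICENSE, CODE_OF_CONDUCT.md, CONTRIBUTING.md, SECURITY.md, optionally under .github/ or docs/), a 180-day staleness threshold, and a constructed sample repository and release history; all of these are assumptions, not figures from the talk.

```python
"""Repo hygiene and release-cadence check for the risk indicators in the talk.

Added example, not the speaker's code. File-name conventions and the 180-day
staleness threshold are assumptions; the sample repo and dates are constructed.
"""
import os
import statistics
import tempfile
from datetime import date

# Document -> candidate file names (assumed GitHub conventions, matched case-insensitively)
EXPECTED_DOCS = {
    "license": ("LICENSE", "LICENSE.md", "LICENSE.txt", "COPYING"),
    "code_of_conduct": ("CODE_OF_CONDUCT.md", "CODE-OF-CONDUCT.md"),
    "contributing": ("CONTRIBUTING.md", "CONTRIBUTING.rst"),
    "security_policy": ("SECURITY.md", "SECURITY.rst"),
}
# Subdirectories where these files are also conventionally honoured
SEARCH_DIRS = ("", ".github", "docs")


def check_governance_docs(repo_dir):
    """Return {doc: path-or-None} for each expected document in a local checkout."""
    found = {}
    for doc, names in EXPECTED_DOCS.items():
        found[doc] = None
        for sub in SEARCH_DIRS:
            d = os.path.join(repo_dir, sub)
            if not os.path.isdir(d):
                continue
            present = {f.lower(): f for f in os.listdir(d)}
            for n in names:
                if n.lower() in present:
                    found[doc] = os.path.join(d, present[n.lower()])
                    break
            if found[doc]:
                break
    return found


def release_cadence(release_dates, today, stale_after_days=180):
    """Summarise release rhythm: median gap between releases, days since the
    last one, and whether the project looks stale (assumed threshold)."""
    dates = sorted(release_dates)
    if not dates:  # no releases at all is the worst case, flag it
        return {"median_gap_days": None, "days_since_last": None, "stale": True}
    gaps = [(b - a).days for a, b in zip(dates, dates[1:])]
    since_last = (today - dates[-1]).days
    return {
        "median_gap_days": statistics.median(gaps) if gaps else None,
        "days_since_last": since_last,
        "stale": since_last > stale_after_days,
    }


def risk_report(repo_dir, release_dates, today):
    """Combine both checks into a list of findings; an empty list means no flags."""
    findings = []
    for doc, path in check_governance_docs(repo_dir).items():
        if path is None:
            findings.append(f"missing {doc}")
    cadence = release_cadence(release_dates, today)
    if cadence["stale"]:
        findings.append(f"no release in {cadence['days_since_last']} days")
    return findings


# Constructed sample input: a repo with a license, contributing guide and a
# security policy under .github/, but no code of conduct.
SAMPLE_RELEASES = [date(2022, 1, 10), date(2022, 4, 5), date(2022, 7, 12), date(2022, 9, 30)]
SAMPLE_TODAY = date(2023, 4, 1)


def make_sample_repo():
    """Create the constructed sample checkout in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="risk-demo-")
    os.makedirs(os.path.join(root, ".github"))
    for rel in ("LICENSE", "CONTRIBUTING.md", os.path.join(".github", "SECURITY.md")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("placeholder\n")
    return root


if __name__ == "__main__":
    repo = make_sample_repo()
    for finding in risk_report(repo, SAMPLE_RELEASES, SAMPLE_TODAY):
        print("FLAG:", finding)
```

Run it against a real checkout by replacing the sample path and feeding it the dates of the project's release tags (for example from `git tag` plus `git log -1 --format=%cs <tag>`); the script only reads the working tree and makes no network calls. The presence of a SECURITY.md is only a proxy for "anyone can report privately", so read the file as well.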

Abstract

Most business decisions boil down to an assessment of risk and making tradeoffs. We should all be thinking about risks relative to how we're using cloud native open source projects within our business. If we build our business on top of an open source technology, we want it to be as low a risk as possible. This talk will:
  • Compare the risk between projects under neutral foundations vs. those owned by individual companies.
  • Provide details about how governance impacts risk relative to leadership selection, decision-making processes, and communication.
  • Evaluate business risk in terms of contributors and organizations to determine the level of risk associated with individuals or organizations leaving the project.
  • Look at how security and release processes can impact risk.
The audience will walk away with practical advice about how to assess risk and evaluate projects for your organization while also learning about ways to decrease risk in your own projects.
