6. Standardize on a Common Set of Open Source Components
Lower maintenance costs by reducing the number of components that need to be supported. Limit the number of components that need to be evaluated as well.
7. Analyze and Continuously Monitor All Applications
To indentify security vulnerabilities and licensing issues, examine the complete bill of materials for your applications, not just first-level dependencies. Flawed components may be hidden deep within your applications. When vulnerabilities are discovered, quickly analyze and repair them.
Analyze existing applications too, not just new ones -- it's never too late to find and fix issues. For mission-critical applications, you might consider using heavyweight scanners that examine the complete source code.
8. Establish Well-Defined Channels of Acquisition for Each Open Source Component
You must have a trusted source for each component, such as the Central Repository.
9. Establish a Policy of Service and Support
Determine the level of support required and identify the resources required. For some projects, community-based support will be fine. Others will demand commercial service and support contracts with binding SLAs.
10. Benchmark Your Current Usage of Open Source Components
Benchmarking will help you understand where you are starting from and set realistic goals:
- Evaluate compliance to existing open source policies.
- Identify which groups are using open source components, including what they are downloading from outside sources.
- Identify problematic components being used in applications that are in development or in production.
- Classify existing projects based on business importance to identify potential risks and provide a mechanism to establish the role and value of OSS within your organization's existing software portfolio.