CASE STUDY: ESTABLISHING AN OPEN SOURCE PROGRAM

Executive summary

In this case study, I explore the creation of Disney’s Open Source Program and the introduction of Open Source culture at The Walt Disney Company. A lack of understanding of the critical nature of Open Source meant that risk from the use of Open Source Software (OSS) at Disney was not managed, and developers faced obstacles in using OSS and engaging with the Open Source Community. By establishing Disney’s Open Source Program, I brought Open Source culture to the company that both enabled developers and managed risk.

Context

Open Source Software (OSS) is the pervasive foundation upon which applications and services are built. On average, 80% of a typical application is OSS. With the majority of the code being developed by software engineers outside a company, enterprises must establish programs and processes for governing the use of OSS.

Understanding Open Source Risk

When I joined Disney in 2010, I was surprised to find that the company did not have an Open Source program. While there was a process for reviewing and approving the use of OSS components, this was not used by the majority of developers; less than 0.3% of the OSS in use at the company had been reviewed and approved. The review process omitted a security review, a key facet of any OSS approval process. I also learned that there was no approval process for developers to contribute to Open Source projects, or to release software as Open Source. As a result, developers were making their own decisions about their use of OSS, and generally not engaging with the Open Source community.

The lack of Open Source governance was exposing the company to legal, IP, and security risks. It was clear that Disney needed a new approach to Open Source.

Proving the value

My initial strategy was to address the glaring lack of security vulnerability analysis by introducing a Software Composition Analysis (SCA) tool to scan Disney-developed applications. With SCA in place, I was able to immediately analyze 1,000 applications. This identified a vast number of security vulnerabilities, many of which were critical in severity. With a breakdown of vulnerabilities across applications, I was able to focus remediation efforts on the most severe security issues in critical guest-facing applications and mission-critical foundational services. By shining a light on previously unknown security issues and reducing risk, I was able to obtain CIO buy-in for the larger goal of establishing an enterprise-wide Open Source program.
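As an added illustration (not the page's or Disney's own tooling), the routine below shows the kind of triage the case study describes: it builds a per-application severity breakdown from SCA findings and ranks remediation by severity first, then by application criticality. The tier labels, component names and CVSS scores are constructed sample values.

```python
"""Risk-based triage of Software Composition Analysis (SCA) findings.

Added example; the scan output, tier names and scores are constructed.
"""
from dataclasses import dataclass

# Assumed application criticality tiers; higher weight = fix first on ties.
TIER_WEIGHT = {"guest-facing": 3, "foundational": 3, "internal": 1}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "none": 0}


@dataclass(frozen=True)
class Finding:
    app: str
    tier: str
    component: str
    cvss: float  # CVSS v3 base score, 0.0 to 10.0


def severity_label(cvss: float) -> str:
    """Map a CVSS base score to the standard qualitative rating."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low" if cvss > 0.0 else "none"


def breakdown(findings):
    """Count findings per application and severity rating."""
    out = {}
    for f in findings:
        per_app = out.setdefault(f.app, {})
        label = severity_label(f.cvss)
        per_app[label] = per_app.get(label, 0) + 1
    return out


def remediation_order(findings):
    """Most severe first; within a rating, critical applications first."""
    key = lambda f: (SEVERITY_RANK[severity_label(f.cvss)],
                     TIER_WEIGHT.get(f.tier, 1), f.cvss)
    return sorted(findings, key=key, reverse=True)


# Constructed sample scan: three applications, five vulnerable components.
SAMPLE = [
    Finding("ticketing-web", "guest-facing", "libfoo 1.2.0", 9.8),
    Finding("ticketing-web", "guest-facing", "libbar 0.9.1", 5.3),
    Finding("identity-core", "foundational", "libbaz 2.0.0", 7.5),
    Finding("hr-reports", "internal", "libqux 3.1.4", 9.1),
    Finding("hr-reports", "internal", "libfoo 1.2.0", 9.8),
]

if __name__ == "__main__":
    for f in remediation_order(SAMPLE):
        print(f"{f.app:14} {f.tier:13} {f.component:14} {f.cvss:4} {severity_label(f.cvss)}")
```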

Building an Open Source Program

A key consideration in the development of an Open Source program for Disney was that it had to work for developers, the employees who were actually working with OSS. In a global enterprise such as Disney, comprising 30,000+ engineers, successful adoption required developers to choose to use the program rather than bypass it. A heavy-handed top-down mandate from Corporate Legal would not work. I adopted a philosophy that the program’s theme must be about developer enablement, rather than control and enforcement.

The program also needed to encompass all facets of risk associated with OSS. Therefore, I formed a working group that included representatives from legal, patent/IP, security, and technical domains. I recruited volunteers from across Disney’s business units who were passionate and opinionated about OSS to provide broad perspectives. I included advocates and naysayers, as well as representatives from organizations that had existing OSS approval processes in place, or who were fiercely independent and resistant to embracing a corporate program. This diverse group, with differing perspectives, generated heated discourse that ultimately improved the program.

For example, I met with vocal, strongly held opinions about the contribution of Disney-developed code to Open Source projects. A patent attorney was adamant that all code developed by Disney engineers was proprietary and could not be distributed outside the company. This led to a valuable discussion about what source code should be considered highly proprietary, versus other code that could be freely distributed. The patent attorney’s concern was that without a review process in place, developers might either inadvertently release a patented method as OSS, thus negating the value of the patent, or they might release trade secrets. Consequently, the review process for the distribution of source code established a patent review by Disney’s Patent Committee.

I led the working group in the exploration of areas of risk and mitigation strategies, and developed review and approval processes to ensure that all areas of concern would be addressed. Throughout this process, I kept the group focused on developer enablement, which I institutionalized in the form of an Open Source Manifesto, a document that laid out the program’s guiding principles of enabling developers while managing risk.


The need for policy

While I did not initially plan on establishing a formal Open Source policy, I realized that for the program to be effective, the principles we defined in the working group needed to be institutionalized at the highest level as Company Policy. We therefore defined Disney’s Open Source Software Policy that formally established principles and obligations for all Disney employees working with Open Source. This was signed off by Disney’s Chief Legal Counsel, established as Company Policy, and endorsed by Disney’s CIO.

Applying the policy

With the policy in place, I formed an Open Source Program Office (OSPO) to implement the policy as an enterprise-wide program. Like the working group, I staffed the OSPO with members from the same functional areas, including business unit technical representatives to represent the needs of developers in their organizations.

When creating programs and processes, there’s a risk of creating bureaucratic friction. It’s a truism that the more control you try to exert, the less policy adherence you’ll achieve. Onerous processes drive people to find ways to bypass them, reducing compliance and working contrary to the goal of controlling risk. Therefore, I made continuous improvement a key tenet of the OSPO. I challenged the group to continually find ways to eliminate friction, streamline and automate approval processes, and engage in Voice of the Customer initiatives.

In one example, we discovered that folklore had evolved about the release of software as Open Source. I quickly took steps to address this by meeting with developers and initiating an educational campaign and webinars to encourage developers to release software as Open Source and to explain how to do it. To underline the Company’s commitment to the Open Source community, the OSPO celebrated every Disney Open Source Project release from that point onwards.

Summary

Ultimately, I changed the culture at Disney to one that embraced Open Source and enabled and encouraged Disney’s employees to fully engage in the Open Source Community: consuming OSS, contributing to projects, and releasing Disney software as Open Source. An inclusive approach that considered all perspectives, and a manifesto that kept the program true to its mission, were key elements in the success of the Open Source Program.