Sharing Capital One’s open source journey during OSCON 2020
Open source in a highly regulated industry
Conferences certainly look a little different in 2020. I have had the pleasure of speaking at a few virtual events this spring and summer, which, in addition to engaging with the open source community, has given my home office a nice face lift. My most recent talk was part of Capital One’s sponsorship of the OSCON Open Source Software Superstream event, “Cloud Strategies and Implementation.”
My talk specifically focused on fostering an open environment for developers in a regulated industry. With the institutional advantage of navigating a public-cloud migration in a highly regulated industry, Capital One has created an innovative, low-friction environment for developers. During the talk, I discussed how Capital One accelerated its cloud-first vision while balancing developers’ open source needs with regulatory requirements.
Here is a little of what I covered during the session:
It takes a commitment to open-source first
Open source software has changed how we think of culture, collaboration, partnership, community building, and how we hold discussions about development best practices. That’s why Capital One takes an open source-first approach to software development and participates in the open source community.
We’ve seen through our use of open source software that we are able to innovate more quickly by leveraging the talents of developer communities worldwide, and we can influence the product roadmap by providing leadership in communities.
Focus on open source governance and culture
Around five years ago, Capital One established an Open Source Program Office to set standards around process, technical review, licensing, compliance, risk, legal, communications, and other elements related to open source use. I lead a team that works to provide an easy, seamless process for contributing to open source projects and manage a well-defined process for launching and managing open source projects.
The most challenging part of managing open source contributions for a company in a highly regulated industry is building the technology, governance structure and supportive culture. Many financial institutions have structural barriers to participating in open source, such as legacy systems that have been in use for 20 years. You first need to have the technology in place to send open source code outside of the corporate firewall.
It also takes time to develop a process where code is reviewed by all key stakeholders, and a culture where these stakeholders understand the perceived risks such as loss of intellectual property, competitiveness or productivity.
Understand how open source improves the quality of code
The security benefits of open source software stem directly from its openness. The “many eyeballs” theory explains what we instinctively know to be true – that an operating system or application will be more secure when you can inspect the code, share it with experts and other members of your user community, identify potential problems and create fixes quickly.
In most instances, the people scrutinizing the code share a genuine interest in it that drives them to examine it closely, learn how it works and why problems occur, try to resolve any problems they find, and create a usable fix that they are eager to share with the rest of the user community.
By becoming active in open source communities and investing in their sustainability, we can increase the quality of code produced - before it lands on our production systems.
The overall OSCON Superstream event provided attendees with an overarching perspective of software development from which to make decisions that strengthen and grow companies and industries, a deep knowledge of key open source technologies to make it happen, and a community in which both they and their companies can thrive.