
How American Express Created an Open Source Program Office

American Express has established an open source program office that gamifies the safe development of open source code that can be poured back into the community.
Nov 24th, 2023 4:00am

Financial firms are injecting a healthy dose of open source software into IT environments as they slowly cut their reliance on proprietary software.

Open source adoption has picked up especially in the last three years as companies finish mapping out software dependencies and audit processes to minimize software risk.

Banks and investment firms cannot jump into open source as easily as cloud native companies, as the sector is highly regulated with tight controls.

About 78% of financial firms derived value from open source software, up from 62% last year, according to a survey released last month by the Fintech Open Source Foundation (FINOS), which is run by the Linux Foundation.

“Open source offers financial service entities avenues for reducing IT infrastructure costs, expediting the release of digital applications, and maintaining a competitive edge in talent attraction and retention,” FINOS asserted in the survey.

Open Source Program Offices

Open source software is impactful enough that financial services companies are establishing open source program offices — also called OSPOs — dedicated to smoothly transitioning to open source.

“We’ve seen open source program offices are on the rise to the point that over 50% of respondents now work at an organization that has an open source program office,” said Gabriele Columbro, executive director at FINOS, during the Open Source in Finance Forum (OSFF) conference held last month in New York City.

These offices are responsible for creating structured processes to use and contribute to open source. Contribution policies are becoming more permissive, Columbro said.

American Express OSPO

American Express has established an open source program office that gamifies the safe development of open source code that can be poured back into the community.

“Without the program existing, a lot of people at the company wouldn’t know about giving back to open source, they wouldn’t see the power in it,” said Amanda Chesin, software engineer at American Express, during a presentation at OSFF.

The AmEx OSPO started as an informal group of developers trying to establish a symbiotic relationship with the open source community, said Tim Klever, vice president of the development experience at AmEx, at the conference.

The first step was to convince the skeptical upper management of the value of open source. Security issues were the single largest concern among 56% of executives surveyed by FINOS. That was followed by quality of components, compliance with external regulations, and licensing of intellectual properties.

The developer enthusiasm around open source was also getting louder, and Klever convinced management to greenlight the OSPO. Klever got an intern in Chesin to set up and run the office, and she got to work.

“That’s really when we kind of became official because we had someone to worry about this stuff and work on it the whole time, even though we only got [her] for a summer,” Klever said.

Terms like “we do open source here” can be a major motivator to attract top talent, which was one of the selling points to management to create the OSPO. Open source contributions and getting mentioned in release notes help developers build credibility.

“Racking up like, ‘look, I’m doing all this great stuff for me,’ does not fit our definition of what we’re looking for. We’re talking about giving back to third parties, giving back to the people that support us,” Klever said.

There were many challenges in getting the OSPO started. The team had to identify developers within the AmEx ranks who could contribute to open source, and make sure they were provided with the resources and time to contribute.

“Getting like the legal language, IP rights stuff … and then having some kind of way for people to see what contributions they were making, that was, like, our minimum viable product,” Chesin said.

Klever and Chesin gamified the OSPO with an internal website that maintains a leaderboard of the number of contributions that developers made to repositories.

“We created project and owner pages on our internal website to show people what projects are out there that people are contributing to. We … built this social thing as a way to connect,” Chesin said.

AmEx tapped into the open source Good First Issue project to welcome new open source contributors at AmEx. The open-source project guides developers to make their initial contributions to projects.

AmEx pulled data from GitHub APIs to quickly display projects that are easy for developers to contribute to; those contributions could be documentation or enhancements.

There are also visual representations so developers know where other AmEx developers are focusing their energy.

“We have an all-projects table where you can see most recent contributions from colleagues, what people have been contributing to, and where other people in the company are putting their time and effort,” Chesin said.

In 2020, AmEx management started formally funding the Open Source Project Office. In December 2020, the OSPO hit the century mark, meeting a goal of 100 “socially responsible” contributors.

Klever explained “socially responsible” contribution as opening up an issue or pull request, making sure projects are not owned or maintained by the company, and licensing projects in such a way that they could be used internally while strengthening the project via contributions.

“We’re not just a feedback loop where we’re just contributing to our own projects. We’re actually giving back to other people, being good stewards of our community, making new friends,” Klever said.

The OSPO also has “open source days” with top leaders giving developers a break from their regular workday to contribute to open source.

AmEx is now making about six contributions a day, and in November 2022 became a member of FINOS, which has emerged as an open source tech association of record for financial institutions.

Capital One has a more serious OSPO, which focuses on processes, security, compliance, and privacy, according to the FINOS survey.

“This includes automated scanning for all of our libraries prior to ingestion of open source software,” said Nureen D’Souza, director of the open source program office at Capital One.

The company documents the complicated matrix of software tools. That ensures that only active and regularly updated open source tools are used, as abandoned projects could create gaps where malicious code could be injected into IT environments.

“For example, we try and understand the community health around each project – who is behind it and what kind of support does it have?” D’Souza said.

The Capital One OSPO also evaluates the licensing and legal aspects of the open source tools.
