Online / 5 & 6 February 2022


How OSPOs can help secure the software supply chain

Legal Risk Mitigation is one of the three main functions of an OSPO (designated places where open source is supported, nurtured, shared, explained, and grown inside an organization). OSPOs often oversee aspects of a company’s open source license compliance process and supply chain as one of the first activities. The responsibilities include:

  • Maintaining open source license compliance reviews and oversight
  • Running a review process for inbound code use
  • Ensuring that the company contributes back to open source projects effectively

To a certain degree, an organization calling itself an OSPO likely indicates that it has reached a maturity stage in which there is executive-level recognition that OSS is an important strategic asset, and in which it has built a critical mass of processes, procedures, and tools to streamline and facilitate open source consumption and participation across divisions. These activities also include a wide range of software composition analysis solutions, such as Software Bill of Materials (SBOM) generation, license management scanning, or continuous monitoring tools.

While some OSPOs rely on software composition analysis (SCA) vendors like Synopsys and Tidelift, others decide to build their own solutions. During this presentation, Ana Jimenez, PM at the TODO Group (an open community of organizations that run OSPOs worldwide), will introduce the evolution and expansion of OSPOs over the years from a supply chain perspective, some of the common SCA tooling used, and how OSPOs can contribute to and nurture the ecosystem of SCA tools so that it adapts to the needs of different industries.


Ana Jimenez Santamaria