Open source foundations strengthen our software supply chain

A popular misconception about coders is that they thrive in isolation. Far from it, at least in the open source community where development is highly collaborative with hundreds of experts optimizing code.

We invest in improving the developer experience because we know that removing process friction not only heightens a coder’s productivity, it ultimately results in more compelling applications. 

Working with our open source foundation partners helps us achieve these important objectives by enabling our developers to focus on driving innovation rather than executing repetitive maintenance chores.

In recent years, we have released more than 25 open source projects demonstrating the power of collaboration and community. Capital One teams have made over 1,500 contributions to approximately 135 different open source projects that the company depends on to solve supply chain problems. 

Our approach to strengthening the software supply chain isn't just about securing open source or third-party dependencies in the code. It's about securing the entire ecosystem that makes up the software development life cycle, which includes 

• DevSecOps tools 
• Infrastructure 
• Collaborative environment - both internal and external 

This year, we increased our commitment by joining OpenSSF, Open JS, and OSI. Those contributions help others and our business.

Capital One has established a secure foundation for managing change through an ingrained company-wide culture that emphasizes security. We maintain a healthy software supply chain by focusing on standardization, automation, and ecosystem sustainability, supported by our Open Source Program Office (OSPO). 

The Capital One OSPO, now in its third iteration (3.0), manages three main components of an open source framework: 

1. Usage 
2. Contributions
3. Community building 

The OSPO emphasizes security, sustainability, and training for engineers with collaborative best practices to make this program frictionless for developers.

When we launched OSPO 3.0, we placed people at the center of our Open Source Framework. Not just engineers, but other stakeholders such as risk managers, HR managers, marketers, legal counsel, and upper management. We ensure that our software engineers are equipped with the right technology and process frameworks while keeping stakeholders involved.

• Standardization
• Automation
• Ecosystem sustainability

Staying active and investing in the sustainability of open source groups such as the Open Source Security Foundation (OpenSSF), the OpenJS Foundation, the Open Source Initiative, the Linux Foundation, and more ultimately boosts the quality of our code. 

We’re keenly aware that securing the software supply chain is an ever-evolving process, and together with industry foundation partners, we are making continuous improvements to our software supply chain.

• Strengthening the software supply chain

The criticality of securing the software supply chain gained prominence recently, with the President’s “Executive Order on Improving the Nation’s Cybersecurity” playing a significant role in reaching the goal of secure software.

We’re partnering with the OpenSSF to address these challenges through their 10-point OS Security Mobilization Plan and other initiatives.

• Using machine learning to monitor big data

Data Profiler, released in February 2021, is an open source project that uses machine learning to monitor big data and detect private customer information so it can be protected.

Data Profiler provides a pre-trained deep learning model to efficiently identify sensitive information and generate statistics with an infrastructure to build data labelers. One year later, Data Profiler has 1k+ stars, 100 forks, 32 contributors.

• Standardizing the model development lifecycle

Capital One’s rubicon-ml is helping to standardize the model development lifecycle by using machine learning to track, visualize and share experiments with collaborators and reviewers.

These capabilities can help data scientists and technologists experiment, train and govern models designed to solve complex business problems. The benefit of open source development for products like rubicon-ml is that they are constantly improved by contributions from experts across the ecosystem.

Open source brings ingenuity and energy to our operations. With a strong software supply chain, we can innovate more quickly, influence the product roadmap, gain access to a diverse pool of perspectives, and recruit and retain talent looking to build their expertise. 

In recent years we’ve marveled at how much the collaborative open source culture transformed our approach to securing our software supply chain. We’ve found that sharing risk with open source software developers and tapping open source libraries and components can pay enormous dividends and prevent catastrophic losses. In short, the more eyes we have on the code, the more secure our endeavor.

The “many eyeballs” risk theory explains what we instinctively know to be true – that an operating system or application will be more secure when you can inspect the code, share it with experts and other members of your user community, identify potential problems, and create fixes quickly. While we achieve integrity and security with our initial designs, using world-class, open source collaborators produces a more secure software supply chain.

Operating in a highly regulated industry, we have the institutional advantage of being seasoned in deftly navigating the challenges related to compliance and governance. We do this while fostering an open environment and ensuring the open source developer experience stays seamless, low-friction, and highly productive. 

Driving collaboration effectively is key to success in today’s developer-driven world. Learn more about Capital One's open source code contributions with Cloud Custodian CNCF.