Organisation Metrics
For an organisation engaged in open source (or inner source), consider measuring the strength of contribution, security posture and legal compliance.
What To Measure
![Committer Strength](/img/bok/metric.png)
Committer Strength
Ideally, you want some measure of the pervasiveness of open source contribution within the organisation. Consider:
- Number of individual internal staff committing to open source / inner source projects.
- Number of pull requests merged from internal staff (either on all projects or on key strategic projects).
- Number of inner source / open source projects being maintained.
- Number of commits.
- Number of Corporate Contributor License Agreements (CCLAs) the organisation has executed and maintains.
![License Compliance](/img/bok/metric.png)
License Compliance
Assuming your Legal Team has created a license allow list, consider scanning internal projects and producing metrics on the number of license violations against that list.
The FINOS Security Scanning project shows how this can be done on a per-project basis but you are likely to want to run this across your organisation's estate. Consider applying one of the tools from the Software Inventory article.
Consider measuring:
- Violations overall, or per project.
- Main offenders (i.e. which dependencies cause the most violations).
- Mean time to fix.
See: the article on License Management for more details.
![Vulnerability Exposure](/img/bok/metric.png)
Vulnerability Exposure
These are metrics built on Common Vulnerabilities and Exposures (CVE) data for the in-house software estate.

> The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures.
>
> - Common Vulnerabilities and Exposures, Wikipedia
Consider measuring:
- Criticality of the CVEs (using CVSS scoring).
- Time taken from reporting to patching in firm software.
- Quantity of CVEs.
- Amount of software being scanned vs. not scanned.
See: the article on Supply Chain Security for more details.
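As an added example (not part of the FINOS page or any FINOS tool), the following Python computes the License Compliance and Vulnerability Exposure metrics listed above from a constructed scan output: violations against a hypothetical allow list, main offenders, CVE quantity and criticality bands, mean time to fix, and scanned vs. unscanned share of the estate. The allow list, project names, dependencies and CVSS scores are all constructed sample data.

```python
from collections import Counter
from datetime import date
from statistics import mean

# Hypothetical allow list from the legal team (constructed sample).
ALLOW_LIST = {"Apache-2.0", "MIT", "BSD-3-Clause"}

# Constructed scan output: one record per dependency found in a project.
SCAN = [
    {"project": "ledger", "dep": "left-pad", "license": "MIT", "cves": []},
    {"project": "ledger", "dep": "oldlib", "license": "GPL-3.0-only",
     "cves": [{"cvss": 9.8, "reported": date(2024, 1, 2), "fixed": date(2024, 1, 9)}]},
    {"project": "portal", "dep": "oldlib", "license": "GPL-3.0-only",
     "cves": [{"cvss": 9.8, "reported": date(2024, 1, 2), "fixed": None}]},
    {"project": "portal", "dep": "parser", "license": "SSPL-1.0",
     "cves": [{"cvss": 5.3, "reported": date(2024, 2, 1), "fixed": date(2024, 2, 4)}]},
]
# Full inventory of in-house projects (constructed); "batch" was never scanned.
INVENTORY = {"ledger", "portal", "batch"}

def license_violations(scan, allow_list):
    """Count allow-list violations overall, per project and per dependency."""
    bad = [r for r in scan if r["license"] not in allow_list]
    return {
        "total": len(bad),
        "per_project": Counter(r["project"] for r in bad),
        "main_offenders": Counter(r["dep"] for r in bad).most_common(),
    }

def severity(cvss):
    """Map a CVSS base score to its qualitative band (CVSS v3.x ranges)."""
    return ("Critical" if cvss >= 9.0 else "High" if cvss >= 7.0
            else "Medium" if cvss >= 4.0 else "Low")

def cve_metrics(scan):
    """Quantity and criticality of CVE occurrences, open count, mean days to fix."""
    cves = [c for r in scan for c in r["cves"]]
    fix_days = [(c["fixed"] - c["reported"]).days for c in cves if c["fixed"]]
    return {
        "quantity": len(cves),
        "open": sum(1 for c in cves if not c["fixed"]),
        "by_severity": Counter(severity(c["cvss"]) for c in cves),
        "mean_days_to_fix": mean(fix_days) if fix_days else None,
    }

def scan_coverage(inventory, scan):
    """Share of the project estate that has been scanned at all."""
    scanned = {r["project"] for r in scan}
    return len(scanned & inventory) / len(inventory)
```

Run over real scanner output, the same functions give the per-project and per-dependency breakdowns the article recommends, and the coverage figure shows how much of the estate the other numbers actually describe.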
![Return On Investment (ROI)](/img/bok/metric.png)
Return On Investment (ROI)
How can you measure the ROI of open source within the organisation, both consumption and contribution? (open question - tbd)