Committing to innovation: Comcast’s Nithya Ruff talks Open Source with GitHub COO Erica Brescia
Erica Brescia
MD at Redpoint, former COO of GitHub, Co-founder of Bitnami, YC W13
Today’s environment has shifted how we get work done around the world. As we all get used to our new normal, we’re also finding new and unexpected ways to collaborate and innovate together. An early open source adopter, Comcast has already been connecting teams through virtual collaboration. GitHub COO Erica Brescia and Nithya Ruff, Executive Director of Comcast’s Open Source Program Office and Board Chair of the Linux Foundation, sat down last year to discuss all things enterprise and open source: why businesses are building on free code, GitHub’s role in open source security—and how large companies like Comcast can encourage innovation with just a commit.
A grassroots movement
Brescia: Software is everywhere. It’s on our phones, in our cars, in our medical devices. But what many of us don’t realize is that even if we buy a product, so much of that software comes from open source: code that’s “open,” shared, and free for anyone to use. In fact, over 90 percent of the code in modern software supply chains is open source. This is important because people are collaborating to create software we can all benefit from, so every team isn’t building the same piece of software over and over again. The result is higher quality software and development teams who have more bandwidth to focus on building their core product. The scale of open source development is incredible—over 40 million developers from all over the world come together on GitHub to build together and learn from each other.
Ruff: The customer experience powers our innovation. It’s important to have full ownership of the underlying software that powers those experiences, which meant moving from operating products to investing in the developers who create them. To access the best tools and proven code, we already saw our developers utilizing open source software internally. Once we started prioritizing open source across the company, we also saw them begin to contribute to the open source community.
Open source at scale
Brescia: Open source in the enterprise is becoming the expectation—not the exception. The question isn’t, “Should we use open source?” The question is, “How can we support smart and secure collaboration with the open source community?” More and more companies are recognizing that open source is a critical part of staying competitive. They’re looking at their competitors and wondering how they can stay agile and iterate so quickly. Well, they’re using open source. So businesses embrace it; whether that’s creating dedicated open source teams and programs to support their developers or building formal processes for bringing open source into their code base.
Ruff: And we did just that. With open source contributions growing, we established and formalized the Open Source Advisory Council in 2012. The OSAC brings together legal and security departments, as well as engineers from across the organization to review open source projects and contributions. I’m proud to say we approve almost 100 percent of requested open source contributions from our developers. And soon after we realized that we needed an enterprise-wide center of excellence in Open Source practices and established the Open Source Program Office (OSPO) at Comcast in 2017, a team dedicated to open source and applying those practices to drive innovation internally. That’s when I joined—along with other experts from the open source community.
Brescia: That’s fantastic, and approving almost 100 percent of requested open source contributions is impressive! This demonstrates clear open source leadership.
Some of the world’s largest organizations depend on open source projects, and many of the tools that are a key part of business’ applications and infrastructure began as internal tools at other organizations. Stripe’s team worked with Ruby maintainers to create the static typechecker Sorbet to help improve their data processing. They then made it open source and available for teams around the world. Based on our most recent Octoverse report, we’ve also seen almost 70 percent of Global Fortune 50 companies make a contribution to open source in the last year.
Ruff: Exactly. We know we’re in a unique position to contribute to the open source community. Since many of our open source projects started as tools we used internally, the open source work we do at Comcast is at a tremendous scale and is production quality. Because our projects are developed for and tested in our large data centers, when we open source software, it makes it easier for other enterprises to leverage it for immediate impact because it’s proven at scale. For example, one of our developers developed a tool called Trickster. He developed it for himself using GitHub Enterprise, but then realized that the world could probably benefit from using this project. Trickster is a dashboard accelerator for Prometheus—making it possible for Prometheus dashboards to run smoother and faster. Now it’s open source and available for any team to use. Contributing also allows us to sustain open source and give back.
Tapping into top talent
Brescia: It’s important to recognize that the companies using open source aren’t just “born digital” companies. Today, every company is a software company, which means everyone is looking for the best developers. With GitHub, companies can instantly connect with top talent through their open source projects—no matter where they are. Having a proven track record in the open source community helps companies attract developers. Since open source is where innovation starts, developers see committing to open source as committing to innovation too.
Ruff: The most innovative companies in the world are all competing for the same pool of engineering talent. That’s part of the reason we’re so enthusiastic about our work in open source. It’s a way our teams can demonstrate the quality of innovation we’ve worked hard to cultivate—and it’s helped us attract more members of the open source community to our teams. It is also easier to onboard employees when we use well known open source software, practices, and tools like GitHub.
Security outside and behind the firewall
Brescia: Bringing in open source developers and implementing open source best practices into how you build software internally requires a significant cultural change for most companies. In the software community, this process is known as “innersource”—using open source methodologies to build software behind your firewall. One of our goals at GitHub is to make that easier, to continue building a platform that strengthens developer collaboration, regardless of where those developers are doing their work. Even something as simple as implementing code reviews or allowing other teams to open a pull request on a project can have a big impact on streamlining processes within enterprise organizations.
Ruff: Like many large teams, we deal with managing code reviews, how to best store documentation, how to make code discoverable and more. The key is to open up collaboration between teams. Tools like GitHub break down silos and walls between teams as they provide intuitive ways to collaborate. We collaborate with internal teams around the world and with contributors outside of Comcast.
Brescia: But having code out in the open also comes with unique challenges for enterprises, particularly involving security and compliance. Open source security is something that impacts the entire GitHub community—maintainers, enterprises, developers—and we have a responsibility to the world, not just our community, to help ensure open source code is safe to use. A lot of that can happen automatically, using our token scanning tools and automated security updates with CodeQL, the biggest variant analysis engine. We’re working closely with our community and security researchers to keep open source secure.
Ruff: Security is definitely a top priority. We even have our own dedicated team for scanning, and using GitHub security alerts gives us another way to keep code safer. As collaboration increases, it’s provided an important layer of security—protecting our code and catching vulnerabilities before they might affect our projects or customers.
Faster fixes for the long-haul
Brescia: As we discussed earlier, it doesn’t just come down to using open source securely. It’s about collaboration. We’re passionate about how GitHub can give businesses and developers the tools they need to do their best work. Some of these tools we’ve already talked about—tracking and fixing security vulnerabilities at scale—but teams also need to be able to keep up the momentum once they do embrace open source. We’re investing in features like GitHub Actions with CI/CD so GitHub isn’t just where you find open source, but how you power your entire software development lifecycle.
Ruff: Using GitHub and open source means we’re able to be not just more innovative, but more agile with the products we deliver to our customers and ultimately increasing reliability. That’s one of the biggest ways we can build trust with the people who choose Comcast. Being able to add features or fix bugs within hours or days instead of months is crucial for our customer satisfaction, and using open source methodologies inherent in GitHub plays a big role in that.
Erica, thanks for sharing!
Loved chatting about how collaborating inside and outside Comcast is the right thing to do and GitHub makes it easy to do it. Thanks Erica for a great conversation.