Omnissa — spun out of VMware in 2024 — offers one of the world’s most popular digital work platforms. With thousands of employees and customers across the globe, Omnissa delivers leading solutions across its AI-driven platform to improve the digital employee experience and strengthen security and compliance.
As you might expect given the nature of Omnissa’s product line (plus its deep security roots), software transparency and compliance are high priorities across the organization. The software Omnissa develops is complex, and that influences how the company approaches SBOM (software bill of materials) and open source software (OSS) license compliance management.
“This space of software reporting — both for SBOM and for open source license notice generation — in a company whose products are as heterogeneous as ours requires a robust solution,” says Adora Lynch, a Senior Staff Software Engineer at Omnissa.
“Given the diversity degree at which Omnissa operates, deep expertise is necessary to automate our SBOM and license compliance processes.”
After a comprehensive evaluation of different internal and external SBOM and license compliance solutions, Omnissa selected FOSSA. Over the past year, the Omnissa team has used FOSSA to satisfy a range of SBOM requests and save significant engineering and legal time on open source license compliance. FOSSA’s ability to quickly add value in Omnissa’s complex development environment and its extensive SBOM and license compliance management expertise have made the engagement a success.
“We're pleased to have a partner who is all about this space,” Adora says. “FOSSA has been close to turnkey for us. The sense of mutual benefit has been terrific.”
The U.S. government’s 2021 Executive Order on Improving the Nation’s Cybersecurity required federal agencies to obtain SBOMs with software purchases. Those requirements have since trickled down to the private sector. As a result, companies like Omnissa receive numerous requests to provide SBOMs to their customers.
“We are a FedRAMP-providing software entity,” Adora says. “Our software is mission-critical to the Fortune 50, Fortune 100, and Fortune 500. Companies use our stack in their essential functions, so they’re concerned about vulnerabilities. The SBOM is an avenue customers can use to gain confidence in their supply chain.”
Of course, keeping SBOMs accurate and up-to-date across products and business units is often easier said than done. With FOSSA, Omnissa is able to automate key parts of the process to ensure compliance with customer demands.
In much the same way that Omnissa sets a high standard for maintaining software transparency and trust with its customers via SBOMs, the digital work platform provider is committed to ensuring compliance with open source licensing requirements.
This is the case for a variety of reasons, including a commitment to supporting the open source community and the need to minimize IP risk.
Adora (who manages license compliance program architecture and administration) and the Omnissa team have also taken advantage of FOSSA’s extensibility to build innovative workflows on top of FOSSA’s automation. For example, Omnissa’s legal team maintains records of its license reviews (e.g. licenses to approve, deny, and flag). Rather than manually updating the corresponding compliance policies directly in the FOSSA UI, which would introduce delays to the process, Adora and Omnissa have built a workflow that updates FOSSA in accordance with these records automatically.
“We have practically real-time responsiveness for when legal teams make decisions about new licenses,” Adora says.
Additionally, Adora and the Omnissa engineering team built a GitHub integration in which FOSSA and a bot in GitHub communicate to obtain and store attestations about Omnissa’s use of a given OSS component. This bolsters the Omnissa OSS compliance strategy by efficiently gathering key information from the OSS users themselves.
For Adora and her colleagues who oversee software transparency, the core of their initiatives is accurate component analysis. Understanding with confidence the composition of Omnissa’s open source usage across product lines enables successful SBOM, license compliance, and security initiatives.
In FOSSA, Adora and Omnissa have a tool they trust to maintain dependency graphs and conduct component analyses.
“The interconnection of components is very different across different ecosystems, and it's difficult to design a solution that can handle the diversity of the space like FOSSA does,” Adora says. “FOSSA uses multiple strategies within language layers to gather the data. I value that dependency graph tremendously; there’s multi-use value in having an effective dependency graph, and FOSSA’s great at that.”
Of course, Omnissa’s partnership with FOSSA extends well beyond FOSSA’s product functionality to strong relationships with the FOSSA team.
“The FOSSA team has offered expert partnership,” Adora says. “Your CS team has helped us build on top of FOSSA and helped us make innovative customizations by confirming it was possible to do what we hoped to do.”
Ultimately, the combination of FOSSA’s product and people, plus Omnissa’s strong commitment to license compliance and SBOM management, has paved the path for best-in-class software transparency and license compliance.