Open source software (OSS) is ubiquitous in the modern enterprise, enabling rapid solution development through re-use of ready-to-use components, written and maintained by outside developers. And while using OSS unquestionably brings benefits, security vulnerabilities discovered in those components can have devastating consequences. From Heartbleed to Eslint-scope, Apache Struts to Zip Slip, awareness of security risk in OSS has gained mindshare in developers and executives alike. The growing size and complexity of the OSS ecosystem bring some particular challenges: How can you ensure the OSS used to run your business is trustworthy? How can you mitigate security risk in a "run fast" DevOps environment without getting in the way? In this interactive session, we will describe lessons learned building an OSS security program at Microsoft, explore best practices, and discuss how to tailor those practices effectively within your organization. Specifically, we'll cover the following: - Building a comprehensive, accurate inventory of OSS components used. - Understanding the security posture of each identified OSS component. - Responding to security vulnerabilities in OSS. Open source software isn't like a free Mai Tai; it's like a free puppy.