Black Duck Software presents 5 tips for a secure enterprise relationship with open source.
Avoid a bleeding heart. Black Duck Software presents 5 tips for a secure enterprise relationship with open source.
Find the perfect match: Combine collaboration and crowd-sourcing with community-based vulnerability reporting (National Vulnerability Database + proprietary open source databases = perfect open source match).
Use resources like OpenHub.net and GitHub to learn about and compare the history and activity of projects of interest and the developers behind them.
The perfect project match needs to combine stability with community activity, strong development with user engagement, and a history that matches your organization’s risk tolerance. Mazel-tov!
Hygiene Matters: Ensure only the latest and safest open source components are integrated into apps (Open source hygiene is the safe sex equivalent).
Safe sex, appsec – same difference. Frequent checkups ensure healthy open source relationships too. And no need to be version-promiscuous – code scanning tools and accompanying policies and processes make it straightforward to keep your software stack clear of old and vulnerable versions of software components, and to clear up confusing and resource-sapping version proliferation in your software catalog.
My, don't you clean up nice!: Implement methods, tools and best practices for improving code quality as a means to more secure code. Code quality issues account for up to half of all security vulnerabilities.
Rigorous team-based code reviews (for internal code) and early exposure to community eyeballs (for OSS) complement automation from tools like Coverity, Fortify, Klocwork and the Black Duck Suite.
Know when you’ve found “the one”: Not just many eyes, but the right eyes are needed to make bugs shallow and eliminate vulnerabilities (expand on the underpinnings of open source security).
Having a well-peopled community isn’t enough – the developers and users have to be the “right” people with the right eyeballs. Any project involving critical infrastructure or developing public-facing software needs to recruit security-savvy developers to complement domain experts and generalists that build and sustain the project.
Maintaining That Relationship
Avoid relationship pitfalls: Strike the ever so important balance between developer needs and security goals. Security regimes, like so many relationships, fail from lack of flexibility.
Hardheaded security policy always seems like the antidote to softhearted or sloppy user behavior, but too strict a regime will either be ignored by users and developers or drive them away from a project or technology. Security policy needs to reflect the level and scope of actual threats but not make technology unusable, to say nothing of unlovable.
Don’t have an account? Sign up here
Don't have an account? Sign up now