10 Tips for Managing Open Source Vulnerabilities

By Karen A. Frenkel | Posted 09-04-2014
Open Source Has Matured

The way organizations manage open source is becoming more sophisticated. Organizations with a less mature open source adoption process use the honor system and track their bill of materials using spreadsheets or a collaboration tool. More mature organizations usually integrate automated open source management tools into their development processes.
Open Source Adoption Process

Many organizations have begun implementing a structured open source software adoption process (OSSAP). This proactive approach is a set of best practices for managing open source packages and their quality, security and licensing attributes throughout development. OSSAP allows issues to be fixed as they are discovered, as opposed to the reactive approach of scanning code right before its release.
Open Source Policies

Establish an open source policy as the foundation for all subsequent steps in the open source adoption process. This establishes who the stakeholders are, what licenses are acceptable, and which vendors are approved. The policy also covers the steps to take once a policy has been violated.
Code Approval

As a proactive step, implement a package pre-approval workflow. At this stage, developers must submit open source packages for review before they can be used in development.
Manual and Automated Code Reviews

Review the developer's request to use an open source package, either manually or with automated code-scanning tools. If the package complies with the organization's policy and is free of security vulnerabilities, approve it and grant the development team permission to use it in their projects.
Baseline Scanning

Perform an initial scan of the code portfolio and establish a baseline and inventory of existing software in the organization. Again, this can be automated or manually audited. This baseline step is used to uncover all open source and third-party code and remedy any security vulnerabilities or policy violations that are discovered.
Scan the Code Regularly

Regularly scan any code received from contractors or outsourcers for licensing impairments and add it to the approved software inventory. Some organizations opt to perform bulk scans right before the product is shipped, but it is more proactive to set up scans at regular intervals.
Real-Time Scanning

Check code for vulnerabilities and policy compliance in real time as developers put together code. If done manually, developers must track each piece of open source or third-party code (and list its licensing or vulnerability attributes) as they bring the code into their project. Also use automated tools to scan all incoming code, both at the desktop and as it is committed to the source control management system.
Final Build Analysis

Scan the code for vulnerabilities and compliance before it is shipped. If an organization has followed the previous proactive steps, this should be relatively painless. This is also the time to complete the list of all third-party code to be shipped with the product.
Automated Processes Are Best

"Automated end-to-end open source management tools and processes enable organizations to proactively discover potential security, licensing and encryption considerations as code is being developed," according to Protecode. "Such proactive approaches save organizations from potential product delays associated with fixing problems immediately before a product release."
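The steps above (a policy of acceptable licenses and pre-approved packages, a bill-of-materials inventory, and a scan that flags violations before the build ships) can be reduced to a small automated gate. The following is an added example written for this article, not Protecode's tooling; the manifest format, package names, license lists and advisory IDs are all constructed.

```python
"""Minimal open source policy gate, added here as an example (not Protecode's
tooling): build a bill of materials from a dependency manifest and flag an
unacceptable license, a package that skipped pre-approval, or a version with a
known advisory.  Package names, licenses and advisory IDs are constructed."""

# Constructed policy mirroring the article: acceptable licenses and packages
# that already passed the pre-approval workflow.
POLICY = {
    "approved_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause"},
    "pre_approved": {"libfoo", "jsonparse"},
}
# Constructed advisory feed: package -> {vulnerable version: advisory id}.
ADVISORIES = {"jsonparse": {"1.4.0": "ADVISORY-0001"}}


def parse_manifest(text):
    """Parse 'name==version license' lines (a constructed manifest format)
    into a bill of materials: a list of (name, version, license) tuples."""
    bom = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        spec, license_id = line.split(None, 1)
        name, version = spec.split("==", 1)
        bom.append((name, version, license_id.strip()))
    return bom


def check_policy(bom, policy=POLICY, advisories=ADVISORIES):
    """Return (component, kind, detail) findings for every BOM entry that
    violates policy; an empty list means the build is clear to ship."""
    findings = []
    for name, version, license_id in bom:
        if license_id not in policy["approved_licenses"]:
            findings.append((name, "license", license_id))
        if name not in policy["pre_approved"]:
            findings.append((name, "not_approved", "needs pre-approval review"))
        advisory = advisories.get(name, {}).get(version)
        if advisory:
            findings.append((name, "vulnerable", advisory))
    return findings


# Constructed manifest: one clean package, one vulnerable version, and one
# package that never went through pre-approval and carries a GPL license.
MANIFEST = "libfoo==2.1.0 MIT\njsonparse==1.4.0 Apache-2.0\nleftpadx==0.9 GPL-3.0\n"

if __name__ == "__main__":
    for component, kind, detail in check_policy(parse_manifest(MANIFEST)):
        print(f"{component}: {kind} ({detail})")
```

Running the same check as a commit hook and again on the final build gives the "real-time" and "final build analysis" stages of the process the same policy source of truth.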
As software development becomes more collaborative, technology organizations are increasingly incorporating open source content into their software development environments. Linux is prevalent in data centers and Apache in web services, and OSS is more prevalent in the Internet of Things than ever. Developers have used OSS for years and visit repositories like GitHub to quickly solve problems rather than write code from scratch. "A structured OSS adoption process can create a competitive advantage for technology companies by allowing them to leverage off-the-shelf quality software, accelerate development and reduce costs," says Mahshad Koohgoli, CEO of code attributes management company Protecode. OSS is peer-reviewed, which usually results in good quality, but like proprietary code, it is susceptible to security vulnerabilities. Licensing compliance and export controls must also be taken into account, depending on company location and where it sells products. These concerns can be managed, however, as outlined in Protecode's tips above.
Karen A. Frenkel writes about technology and innovation and lives in New York City.