10 Tips for Managing Open Source Vulnerabilities
The way organizations manage open source is becoming more sophisticated. Organizations with a less mature open source adoption process use the honor system and track their bill of materials using spreadsheets or a collaboration tool. More mature organizations usually integrate automated open source management tools into their development processes.
Many organizations have begun implementing a structured open source software adoption process (OSSAP). This proactive approach is a set of best practices for managing open source packages and their quality, security and licensing attributes throughout development. OSSAP allows issues to be fixed as they are discovered, as opposed to the reactive approach of scanning code right before its release.
Establish an open source policy as the foundation for all subsequent steps in the open source adoption process. This establishes who the stakeholders are, what licenses are acceptable, and which vendors are approved. The policy also covers the steps to take once a policy has been violated.
As a proactive step, implement a package pre-approval workflow. At this stage, developers must submit open source packages for review before they can be used in development.
Review the developer’s request to use an open source package, either manually or with automated code-scanning tools. If the package complies with the organization’s policy and is free of security vulnerabilities, approve it and grant the development team permission to use it in their projects.
Perform an initial scan of the code portfolio and establish a baseline and inventory of existing software in the organization. Again, this can be automated or manually audited. This baseline step is used to uncover all open source and third-party code and remedy any security vulnerabilities or policy violations that are discovered.
Regularly scan any code received from contractors or outsourcers for licensing problems and add it to the approved software inventory. Some organizations opt to perform bulk scans right before the product is shipped, but it is more proactive to set up scans at regular intervals.
Check code for vulnerabilities and policy compliance in real time as developers write it. If done manually, developers must track each piece of open source or third-party code (and record its licensing or vulnerability attributes) as they bring the code into their project. Also use automated tools to scan all incoming code both on the developer's desktop and as it is committed to the source control management system.
Scan the code for vulnerabilities and compliance before it is shipped. If an organization has followed the previous proactive steps, this should be relatively painless. This is also the time to complete the list of all third-party code to be shipped with the product.
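As an added example (not code from the article or from Protecode), the following Python script models the workflow described in the steps above: a policy of allowed licenses, an approved-package inventory produced by the baseline scan, and a commit-time check of a pinned dependency manifest that flags unapproved packages, disallowed licenses, unpinned entries and versions with known advisories. Package names, licenses and vulnerable-version ranges are constructed placeholders, not real data.

```python
"""Commit-time policy gate for open source packages (added example, not the
article's or Protecode's code). It encodes the article's steps: a policy of
allowed licences, an approved inventory from the baseline scan, and a scan of a
pinned dependency manifest that flags violations. All data is constructed."""
import re

ALLOWED_LICENSES = {"MIT", "BSD-3-Clause", "Apache-2.0"}  # policy (constructed)

# Approved-package inventory: name -> licence, versions with known advisories.
# Package names and advisory ranges are placeholders, not real data.
INVENTORY = {
    "httpkit": {"license": "Apache-2.0", "vulnerable": ["<2.31.0"]},
    "yamlkit": {"license": "MIT", "vulnerable": ["<5.4"]},
    "padlib":  {"license": "GPL-3.0", "vulnerable": []},
}

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def is_vulnerable(version, ranges):
    """Minimal matcher for '<X.Y.Z' ranges; real tools use full specifiers."""
    for r in ranges:
        m = re.fullmatch(r"<(\d+(?:\.\d+)*)", r)
        if m and parse_version(version) < parse_version(m.group(1)):
            return True
    return False

def check_manifest(manifest):
    """Return one finding per policy violation in a requirements-style file."""
    findings = []
    for raw in manifest.splitlines():
        line = raw.split("#")[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if not m:
            findings.append(f"{line}: not pinned to an exact version")
            continue
        name, version = m.group(1).lower(), m.group(2)
        entry = INVENTORY.get(name)
        if entry is None:
            findings.append(f"{name}: not in approved inventory, needs pre-approval")
            continue
        if entry["license"] not in ALLOWED_LICENSES:
            findings.append(f"{name}: licence {entry['license']} not allowed by policy")
        if is_vulnerable(version, entry["vulnerable"]):
            findings.append(f"{name}=={version}: known vulnerable version")
    return findings

# Constructed requirements.txt content used to exercise the gate.
SAMPLE_MANIFEST = "httpkit==2.25.1\nyamlkit==6.0\npadlib==1.0.0\nnewlib>=1.0\n"
```

Running `check_manifest(SAMPLE_MANIFEST)` returns three findings (a vulnerable version, a disallowed license and an unpinned entry); a pre-commit hook would reject the commit whenever the list is non-empty.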
“Automated end-to-end open source management tools and processes enable organizations to proactively discover potential security, licensing and encryption considerations as code is being developed,” according to Protecode. “Such proactive approaches save organizations from potential product delays associated with fixing problems immediately before a product release.”