Romancing development: How to avoid feeling vulnerable with open source

Black Duck Software presents 5 tips for a secure enterprise relationship with open source.

0 title
Credit: Shutterstock
Feeling Vulnerable?

Avoid a bleeding heart. Black Duck Software presents 5 tips for a secure enterprise relationship with open source.

1 matchmaking
Credit: Shutterstock
Matchmaking

Find the perfect match: Combine collaboration and crowd-sourcing with community-based vulnerability reporting (National Vulnerability Database + proprietary open source databases = perfect open source match).

Use resources like OpenHub.net and GitHub to learn about and compare the history and activity of projects of interest and the developers behind them.

The perfect project match needs to combine stability with community activity, strong development with user engagement, and a history that matches your organization’s risk tolerance. Mazel-tov!

2 dating
Credit: Shutterstock
Dating

Hygiene Matters: Ensure only the latest and safest open source components are integrated into apps (Open source hygiene is the safe sex equivalent).

Safe sex, appsec – same difference.  Frequent checkups ensure healthy open source relationships too. And no need to be version-promiscuous – code scanning tools and accompanying policies and processes make it straightforward to keep your software stack clear of old and vulnerable versions of software components, and to clear up confusing and resource-sapping version proliferation in your software catalog.

3 honeymoon
Credit: Shutterstock
Honeymoon Phase

My, don't you clean up nice!: Implement methods, tools and best practices for improving code quality as a means to more secure code. Code quality issues account for up to half of all security vulnerabilities.

Rigorous team-based code reviews (for internal code) and early exposure to community eyeballs (for OSS) complement automation from tools like Coverity, Fortify, Klocwork and the Black Duck Suite.

4 soulmate
Credit: Shutterstock
Soul Mates

Know when you’ve found “the one”: Not just many eyes, but the right eyes are needed to make bugs shallow and eliminate vulnerabilities (expand on the underpinnings of open source security).

Having a well-peopled community isn’t enough – the developers and users have to be the “right” people with the right eyeballs. Any project involving critical infrastructure or developing public-facing software needs to recruit security-savvy developers to complement domain experts and generalists that build and sustain the project.

5 maintaning
Credit: Shutterstock
Maintaining That Relationship

Avoid relationship pitfalls: Strike the ever so important balance between developer needs and security goals. Security regimes, like so many relationships, fail from lack of flexibility.

Hardheaded security policy always seems like the antidote to softhearted or sloppy user behavior, but too strict a regime will either be ignored by users and developers or drive them away from a project or technology. Security policy needs to reflect the level and scope of actual threats but not make technology unusable, to say nothing of unlovable.