Open Source & Secure Software Development Are Not Mutually Exclusive

By Dr. Thomas P. Scanlon, CISSP, Software Engineering Institute, Carnegie Mellon University


Today’s software developers are as much integrators as they are pure coders. There is an abundance of libraries, plug-ins and other third-party software components readily available to speed development, and there is no sense in reinventing something when you can download it, merge it in and move along. Using free and open source software (FOSS) components can save both time and money, which makes them attractive choices. However, including open source software in development projects often makes an organization’s cybersecurity professionals a little uneasy. But should it?


There is often a misconception that FOSS components are ‘less secure’ than commercial products. The reality is that, on the whole, they are no more or less secure. The relative security of a component depends on many factors: some FOSS components measure up extremely well while some commercial products measure poorly, and vice versa. The same care should be taken in making sound third-party component selections regardless of a product’s origin.


When evaluating an open source component for use in a project, examine several factors to determine how much security risk the component carries. Questions like these help show where security risk may lie:


Who are the original developers of this product?
Is the project currently managed by a known foundation or group?
Is there active development on the project?
What are the criteria to become a contributor to the project?
How are code contributions to the project vetted and tested?
What is the process for reporting, handling and disclosure of vulnerabilities?
How often is code updated or patched?
Is there an active community of users for this product?
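
The checklist above can be turned into a repeatable component review. The following is an added example written for this page, not code from the article or from the SEI: it records the answers to each question as a structured profile, derives activity from the dates of the last commit and release, and reports findings with a severity and an overall risk level. The thresholds (180 days without a commit, 365 days without a release, fewer than two maintainers) and the two sample profiles are assumptions constructed for the example, not values from the article.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Thresholds are assumptions chosen for this example, not values from the article.
STALE_COMMIT_DAYS = 180
STALE_RELEASE_DAYS = 365
MIN_MAINTAINERS = 2


@dataclass
class ComponentProfile:
    """Facts about a third-party component, gathered by answering the checklist."""
    name: str
    maintainers: int                    # people with merge rights on the project
    last_commit: date                   # is there active development?
    last_release: date                  # how often is code updated or patched?
    governing_org: Optional[str]        # foundation or group managing it, None if unknown
    contributor_criteria_documented: bool
    contributions_reviewed: bool        # code review plus tests before merge
    vuln_disclosure_policy: bool        # published reporting/handling/disclosure process
    active_community: bool


Finding = Tuple[str, str]  # (severity, message)


def assess(profile: ComponentProfile, today: date) -> List[Finding]:
    """Map each checklist answer to a finding; an empty list means no concerns."""
    findings: List[Finding] = []
    days_since_commit = (today - profile.last_commit).days
    days_since_release = (today - profile.last_release).days

    if profile.maintainers < MIN_MAINTAINERS:
        findings.append(("high", f"only {profile.maintainers} maintainer(s): bus-factor risk"))
    if days_since_commit > STALE_COMMIT_DAYS:
        findings.append(("high", f"no commits for {days_since_commit} days: project may be abandoned"))
    if days_since_release > STALE_RELEASE_DAYS:
        findings.append(("medium", f"no release for {days_since_release} days: fixes may not be shipped"))
    if profile.governing_org is None:
        findings.append(("medium", "no known foundation or group governs the project"))
    if not profile.contributor_criteria_documented:
        findings.append(("medium", "no documented criteria for becoming a contributor"))
    if not profile.contributions_reviewed:
        findings.append(("high", "contributions are merged without review or testing"))
    if not profile.vuln_disclosure_policy:
        findings.append(("high", "no process for reporting and disclosing vulnerabilities"))
    if not profile.active_community:
        findings.append(("low", "no active user community to surface problems"))
    return findings


def risk_level(findings: List[Finding]) -> str:
    """Overall level is the worst severity present; no findings means low."""
    severities = {sev for sev, _ in findings}
    if "high" in severities:
        return "high"
    if "medium" in severities:
        return "medium"
    return "low"


# Constructed sample profiles for illustration; these are not real projects.
TODAY = date(2024, 6, 1)

WELL_RUN = ComponentProfile(
    name="example-parser", maintainers=6, last_commit=date(2024, 5, 28),
    last_release=date(2024, 4, 10), governing_org="Example Foundation",
    contributor_criteria_documented=True, contributions_reviewed=True,
    vuln_disclosure_policy=True, active_community=True)

ABANDONED = ComponentProfile(
    name="old-util", maintainers=1, last_commit=date(2021, 2, 1),
    last_release=date(2020, 11, 15), governing_org=None,
    contributor_criteria_documented=False, contributions_reviewed=False,
    vuln_disclosure_policy=False, active_community=False)

if __name__ == "__main__":
    for profile in (WELL_RUN, ABANDONED):
        found = assess(profile, TODAY)
        print(f"{profile.name}: overall risk {risk_level(found)}")
        for severity, message in found:
            print(f"  [{severity}] {message}")
```

The same profile structure works for a commercial component, which is the article's point: the questions, not the licence, decide the risk. Passing `today` explicitly keeps the assessment reproducible when it is re-run against a recorded profile later.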

These qu ..
