Open Source projects can be a great asset, or they can be a curse. It is all in how you manage it. To be successful in using open source, there are several things to keep in mind, from licensing to updates. And if you ignore any of them, it can cause problems. Here are some things to consider:
What is the license?
There are a range of license options for an open source project, and components can range from free to use everywhere to very restrictive. It is important to have someone who is familiar with license types and who can set some guidelines on what is okay to use and what needs review. For example, are you okay with publishing changes or new code publicly because you used an open source component? https://opensource.org/licenses is a good resource to review common license types.
Can’t hackers read the code and find vulnerabilities?
Absolutely, but you can do the same thing. Every Open Source component you decide to integrate into your products should be thoroughly reviewed for any security issues. There are tools that can scan the code, or you can employ pentesting teams if you do not have the expertise in house.
Are open source projects secure?
This all depends on the project. The first step I take in this area is to do a web search for any known vulnerabilities for the project. Next, I search the code check-ins and comments for the mention of security, vuln, vulnerability, etc. Even if these come up empty I still have a full audit done on the code for any undocumented issues. Checking other projects that the developers work on is a good idea, too. If the other code is full of issues, maybe no one has reported issues in this (Read more...)
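The two checks described above can be partly automated. The following Python script is an added example, not code from the original post or from Tripwire: it parses commit history in the record format that `git log --format='%H%x1f%an%x1f%as%x1f%s%x1f%b%x1e'` emits, flags commits whose message mentions security-related terms, and compares a component's version against a list of known advisories. The commit log, the package names and the advisory identifiers are all constructed for illustration; the `EXAMPLE-ADV-*` ids are placeholders, not real vulnerability identifiers.

```python
# Added example (not from the original post): triage helpers for vetting an
# open source component before adopting it. Two steps of the post's procedure
# are automated here: (1) searching commit history for security-related
# wording, and (2) checking the component's version against known advisories.
# All data below is constructed for illustration.
import re
from dataclasses import dataclass

# Constructed sample in the shape produced by
#   git log --format='%H%x1f%an%x1f%as%x1f%s%x1f%b%x1e'
# (\x1f separates fields, \x1e terminates each commit record).
SAMPLE_LOG = (
    "a1b2c3d4\x1fAlice\x1f2024-03-01\x1fAdd CSV export\x1f\x1e"
    "e5f6a7b8\x1fBob\x1f2024-03-04\x1fFix buffer overflow in parser\x1f"
    "Reported privately; bounds check was missing.\n\x1e"
    "c9d0e1f2\x1fCarol\x1f2024-03-09\x1fRefactor logging\x1fNo functional change.\n\x1e"
    "0badf00d\x1fDave\x1f2024-03-15\x1fBump version\x1f"
    "Security: rotate hard-coded test credentials (see VULN-notes).\n\x1e"
)

# Terms the post suggests searching for, plus a few common variants.
# Longest first so "vulnerability" is reported as itself rather than as "vuln".
KEYWORDS = ("security", "vuln", "vulnerability", "cve", "overflow", "injection")
KEYWORD_RE = re.compile(
    "|".join(re.escape(k) for k in sorted(KEYWORDS, key=len, reverse=True)),
    re.IGNORECASE,
)


@dataclass
class Commit:
    sha: str
    author: str
    date: str
    subject: str
    body: str

    @property
    def hits(self) -> list:
        """Distinct keywords (lower-cased) found in the subject or body."""
        text = f"{self.subject}\n{self.body}"
        return sorted({m.lower() for m in KEYWORD_RE.findall(text)})


def parse_log(log_text: str) -> list:
    """Split the \\x1e/\\x1f-delimited log into Commit records."""
    commits = []
    for record in log_text.split("\x1e"):
        if not record.strip():
            continue
        fields = record.split("\x1f")
        if len(fields) != 5:
            raise ValueError(f"malformed record: {record!r}")
        sha, author, date, subject, body = fields
        commits.append(Commit(sha, author, date, subject.strip(), body.strip()))
    return commits


def flagged_commits(log_text: str) -> list:
    """Commits whose message mentions any security keyword; review these first."""
    return [c for c in parse_log(log_text) if c.hits]


def parse_version(version: str) -> tuple:
    """Dotted numeric version -> comparable tuple, e.g. '1.4.2' -> (1, 4, 2)."""
    return tuple(int(part) for part in version.split("."))


# Constructed advisory list; the ids are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "examplelib", "fixed_in": "1.4.2"},
    {"id": "EXAMPLE-ADV-0002", "package": "examplelib", "fixed_in": "2.0.1"},
    {"id": "EXAMPLE-ADV-0003", "package": "otherlib", "fixed_in": "0.9.0"},
]


def unfixed_advisories(package: str, version: str, advisories=ADVISORIES) -> list:
    """Advisory ids for `package` whose fix landed after `version`."""
    current = parse_version(version)
    return [
        a["id"] for a in advisories
        if a["package"] == package and parse_version(a["fixed_in"]) > current
    ]


if __name__ == "__main__":
    for c in flagged_commits(SAMPLE_LOG):
        print(f"{c.sha} {c.date} {c.subject!r} -> {', '.join(c.hits)}")
    print("unfixed advisories for examplelib 1.5.0:",
          unfixed_advisories("examplelib", "1.5.0"))
```

Against a real repository, pipe `git log` with the format string above into `parse_log`, and replace the constructed `ADVISORIES` list with data from whatever vulnerability feed your organisation already uses; the keyword hits are a starting point for the manual audit the post calls for, not a substitute for it.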
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Lamar Bailey. Read the original post at: https://www.tripwire.com/state-of-security/security-awareness/open-source-faqs/