by reiger
2699 days ago
There are commercial products/services out there that attempt to provide validated OSS packages and monitor when the ones you are using have vulnerabilities. In the data science world, there is Anaconda. For the enterprise, there is Black Duck Software, MyGet, libraries.io and the commercial variant, and a few others. My internal checklist:

1) Is the license OSI approved (IP indemnification and IP taint is a risk)
2) What's the community like for it (is it well used, do security incidents get tracked and handled quickly)
3) What security assurance have they done (some OSS has funders who have paid for testing, what kind of test suites do they have)
4) Add security alerts for the OSS to my RSS feeds to help monitor
5) Enforce a policy to sync to upstream pretty frequently, as many OSS security bugs get silently fixed

If I don't have confidence at this point, I will have some static analysis performed (lots of tools here) as a last-measure sanity check. I know lots of bugs won't be uncovered by that, but it's an indicator of development goodness. Would love to hear what others are doing, as we are a small shop and use 1000+ OSS packages.
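Added example, not part of reiger's comment or of any of the products named above: one way to automate checklist item 4, matching an advisory RSS feed against the packages you actually pin. The inventory, the feed, the package names (examplelib, fastparse, rustyhttp, otherpkg), their versions and the advisory titles are all constructed here so the script runs offline; the title grammar the regex expects ("pkg before X" or "pkg LO - HI") is an assumption about the feed, not any real feed's format.

```python
"""Match a security-advisory RSS feed against a pinned package inventory.

Everything below (packages, versions, advisory titles, URLs) is constructed
sample data for illustration, not real advisories.
"""
import re
import xml.etree.ElementTree as ET

# Constructed inventory in requirements.txt style (hypothetical packages).
INVENTORY = """\
examplelib==1.4.2
fastparse==0.9.0
rustyhttp==2.1.0
"""

# Constructed advisory feed; in practice this is the body fetched from the
# vendor's or tracker's RSS endpoint that item 4 of the checklist subscribes to.
FEED_XML = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<item><title>examplelib before 1.5.0: remote code execution in template loader</title>
<link>https://example.invalid/adv/1</link></item>
<item><title>fastparse 1.0.0 - 1.0.3: denial of service on malformed input</title>
<link>https://example.invalid/adv/2</link></item>
<item><title>otherpkg before 3.2: path traversal</title>
<link>https://example.invalid/adv/3</link></item>
</channel></rss>
"""

# Assumed title grammar: "<name> before <version>: ..." or "<name> <lo> - <hi>: ...".
ADVISORY_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)\s+"
    r"(?:before\s+(?P<before>[\w.]+)|(?P<lo>[\w.]+)\s+-\s+(?P<hi>[\w.]+))"
)


def parse_version(v):
    """Numeric-component tuple so '1.4.2' < '1.5.0' compares correctly."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def parse_inventory(text):
    """Map lower-cased package name -> pinned version from '==' lines."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, _, version = line.partition("==")
        pinned[name.strip().lower()] = version.strip()
    return pinned


def affected(installed, match):
    """True if the installed version falls inside the advisory's range."""
    v = parse_version(installed)
    if match.group("before"):
        return v < parse_version(match.group("before"))
    return parse_version(match.group("lo")) <= v <= parse_version(match.group("hi"))


def match_advisories(inventory_text, feed_xml):
    """Return one record per feed item that names a pinned, affected package."""
    pinned = parse_inventory(inventory_text)
    hits = []
    for item in ET.fromstring(feed_xml).iter("item"):
        title = (item.findtext("title") or "").strip()
        m = ADVISORY_RE.match(title)
        if not m:
            continue  # title does not follow the assumed grammar; skip it
        name = m.group("name").lower()
        if name in pinned and affected(pinned[name], m):
            hits.append({"package": name, "installed": pinned[name],
                         "title": title, "link": item.findtext("link")})
    return hits


if __name__ == "__main__":
    for hit in match_advisories(INVENTORY, FEED_XML):
        print(f"{hit['package']}=={hit['installed']}: {hit['title']} ({hit['link']})")
```

Only examplelib is flagged: fastparse 0.9.0 sits below the advisory's 1.0.0 - 1.0.3 range, and otherpkg is not in the inventory at all, which is the point of matching against what you actually pin rather than reading the whole feed.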