What’s your advice for controlling open source usage among software developers? What’s the right level of governance that allows for innovation without opening the organization up to security risks?

CTO in Software, 7 months ago

I suggest three aspects to keep under control:

- usable licenses (e.g. MIT, Apache 2): define which licenses are usable and which are not allowed, and why. Apply this policy in the build pipeline in the CI/CD process to block builds that don’t satisfy your policy. Define a process for license approval
- safe OSS: identify software that is safe because it is maintained by a large community and security patches are available quickly. Contribute to that community
- SBOM: compile a software bill of materials at every release in order to freeze the versions of all OSS used to build your software

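The first and third points of the answer above (a license policy enforced as a CI/CD gate, and an SBOM that freezes the versions shipped at each release) can be wired together in one small script. The following is an added example, not code from the answer's author or from any particular tool; it assumes a CycloneDX-style JSON SBOM with SPDX license ids under `components[].licenses[].license.id`, and a policy dict (allow-list plus exceptions granted through the approval process) that the organisation keeps in its repository. The sample SBOM and policy are constructed for the example.

```python
"""Added example: a CI gate that reads a CycloneDX-style SBOM and fails the
build when a component's license is not on the allow-list and has no
recorded approval exception. Also extracts the pinned versions so the
release's bill of materials is frozen.

Assumptions (not stated on the page): CycloneDX JSON layout with SPDX ids,
and a hypothetical POLICY dict maintained by the organisation."""
import json
import sys

# Constructed sample SBOM, in the shape of a CycloneDX JSON document.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "requests", "version": "2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "click", "version": "8.1.7",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        {"name": "copyleft-lib", "version": "1.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"name": "mystery-lib", "version": "0.4.2"},   # no license metadata
        {"name": "approved-gpl-tool", "version": "2.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
})

# Constructed policy: allowed SPDX ids, plus exceptions granted through the
# license-approval process (component name -> license id that was approved).
POLICY = {
    "allowed": {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"},
    "approved_exceptions": {"approved-gpl-tool": "GPL-3.0-only"},
}


def component_licenses(component):
    """Return the SPDX ids (or expressions) declared for one component."""
    ids = []
    for entry in component.get("licenses", []):
        if "license" in entry:
            lic = entry["license"]
            ids.append(lic.get("id") or lic.get("name") or "UNKNOWN")
        elif "expression" in entry:
            ids.append(entry["expression"])
    return ids


def check_licenses(sbom_json, policy):
    """Return a list of (name, version, reason) for components that violate
    the policy. An empty list means the build may proceed."""
    sbom = json.loads(sbom_json)
    violations = []
    for comp in sbom.get("components", []):
        name, version = comp.get("name", "?"), comp.get("version", "?")
        ids = component_licenses(comp)
        if not ids:
            # A component with no license metadata is blocked: it has to be
            # identified and approved, not silently shipped.
            violations.append((name, version, "no license declared"))
            continue
        for lic in ids:
            if lic in policy["allowed"]:
                continue
            if policy["approved_exceptions"].get(name) == lic:
                continue
            violations.append((name, version, f"license {lic} not allowed"))
    return violations


def pinned_versions(sbom_json):
    """Freeze the exact versions recorded in the SBOM (name -> version)."""
    sbom = json.loads(sbom_json)
    return {c["name"]: c["version"] for c in sbom.get("components", [])}


def main(sbom_json=SAMPLE_SBOM, policy=POLICY):
    """CI entry point: print findings and return the process exit status."""
    violations = check_licenses(sbom_json, policy)
    for name, version, reason in violations:
        print(f"BLOCK {name}=={version}: {reason}")
    if violations:
        return 1
    print("license policy satisfied; pinned:", pinned_versions(sbom_json))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as a pipeline step after the SBOM generator; a non-zero exit blocks the build. Note that a compound SPDX expression such as `MIT OR Apache-2.0` is compared as a whole string here, so either add such expressions to the allow-list explicitly or extend `check_licenses` to parse them before treating a result as authoritative.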
CTO in Software, 7 months ago

If you apply a proper SSDLC process, senior developers should select or approve libraries, patterns, or services that the overall team is supposed to use.
Additionally, if your team adopts a source repository like git or similar, there should be a bundled security notification service that notifies the team every time the community issues a new vulnerability report on any open-source technology.
If your problem is that the overall seniority of the team is average-low and you struggle in executing a proper SSDLC and implementing an effective DevOps framework, my suggestion is to evaluate alternative development approaches like a Low-Code Development Platform or Low-Code Application Platform.
