How do you maintain strong governance and security measures when integrating open source software into your tech stack?


IT Manager in Consumer Goods, 10,001+ employees
We have governance, an Architecture Review Board (ARB), and Change Advisory Board, but really it’s a matter of enforcing it. All architects have the duty to report any changes to the Change Advisory Board. 

For example, if architects want to swap from one database to another database, it would be brought to the Change Advisory Board and would be allowed to move forward if the ARB says yes.
IT Manager in Transportation, 10,001+ employees
Rely on best practices for open source software, like auto updates for example.
Director of Engineering in Finance (non-banking), Self-employed
Open source products and libs are used by everyone, including commercial vendors, so it can't be avoided. Have a policy and plan. At minimum include a roadmap, periodic updates, vulnerability scanners and license review.
Senior Engineering Manager in Finance (non-banking), 5,001 - 10,000 employees
There are frequent security scans on all the source code.
There are tools like Black Duck which can scan with each and every commit. It tracks all open source vulnerabilities and helps in resolving them.
