How do you maintain strong governance and security measures when integrating open source software into your tech stack?

750 views1 Upvote4 Comments

Sort by:

CTO in Finance (non-banking)2 years ago

There are frequent security scans in all the source code.
There are tools like blackduck which can scan with each and every commit. It tracks all open source vulnerabilities and helps in resolving them.

Director of Engineering in Finance (non-banking)2 years ago

opensource product and libs are used by everyone including commercial vendors so it can't be avoided. Have a policy and plan. At minimum include roadmap, periodic updates, vulnerability scanners and license review.

IT Manager in Transportation2 years ago

Relay on Best Practice for opensource software like auto updates for example.

IT Manager in Consumer Goods2 years ago

We have governance, an Architecture Review Board (ARB), and Change Advisory Board, but really it’s a matter of enforcing it. All architects have the duty to report any changes to the Change Advisory Board.

For example, if architects want to swap from one database to another database, it would be brought to the Change Advisory Board and would be allowed to move forward if the ARB says yes.

Content you might like

Which election security attacks are you most worried about?

Hack-and-leak operation dropping at the last minute, depriving the opposing party of sufficient time to respond;21%

Planting stories at the last minute on websites that are associates with fake documents and images;63%

Lingering threats that go beyond election day that are really designed to undermine the confidence in our election system13%

Other (comment below)1%

View Results

Seeking advice on integrating embedded AI agents into Workday/SAP/etc. How do you handle integration across HRIS, ATS, and LMS? Do you rely on vendor-native tools or build your own in-house registries?

Which tech conference do you intend to attend in person next year or have already participated in this year, and what motivated your choice?

Implementing a password-less environment?

Complete13%

This calendar year28%

1-2 years28%

3-5 years9%

No plans20%

View Results

Has anyone drafted an SOW for a cloud-based SIEM with setup, migration, and maintenance? I’m working on a FedRAMP-authorized SIEM SOW, migrating from on-prem Splunk, covering data, searches, alerts, dashboards, and models. Scope includes Environment Setup: Cloud provisioning, configuration, testing. Connectors/Parsers: Custom data source integration. Content Development: Rules, use cases, threat feeds. Performance Tuning: Query/index optimization. Runbooks: Operational procedures. Also required: 24x7 support, maintenance, lifecycle and application management, role-based training, and documentation. Must comply with NIST SP 800-53, CJIS, and FedRAMP Moderate+. Goal: Secure, scalable SIEM for rapid deployment. I may be missing elements, so suggestions are welcome. Please share redacted SOWs or tips if possible.

How do you maintain strong governance and security measures when integrating open source software into your tech stack?

Sort by:

Content you might like

Which election security attacks are you most worried about?

Seeking advice on integrating embedded AI agents into Workday/SAP/etc. How do you handle integration across HRIS, ATS, and LMS? Do you rely on vendor-native tools or build your own in-house registries?

Which tech conference do you intend to attend in person next year or have already participated in this year, and what motivated your choice?

Implementing a password-less environment?

What sets us apart?

RELATED ONE-MINUTE INSIGHTS

How are U.S. CISOs Addressing Liability Risk?

CrowdStrike Outage: Impact And Recovery

Impact & Perceptions of A Privacy-First Digital Era

Challenges & Tools For A Privacy-First Internet Age

IT and Infosec Collaboration on Vulnerability Patching

Take Your Insights On-the-Go