What’s your advice for controlling open source usage among software developers? What’s the right level of governance that allows for innovation without opening the organization up to security risks?

Software DevelopmentApplications & Platforms
1.1k viewscircle icon2 Upvotescircle icon2 Comments
Sort by:
CTO in Software7 months ago

I suggest three aspects to keep under control:

- usable licenses (eg: MIT, Apache2): define which are the usable licenses and which are not allowed and why. Apply this policy in the build pipeline in the CI/CD process to block builds that don’t satisfy your policy. Define a process for license approval
- safe OSS: indetify software that is safe because is maintained by a large community and the security patches are available quickly. Contribute to that community
- SBOM: compile a software billing of material at every release in order to frozen the version of all OSS used to build your software

Lightbulb on1
CTO in Software7 months ago

If you apply a proper SSDLC process, senior developers should select or approve libraries, patterns, or services that the overall team is supposed to use. 
Additionally, if your team adopts a source repository like git or similar, there should be a bundled security notification service that notifies the team every time the community issues a new vulnerability report on any open-source technology.
If your problem is that the overall seniority of the team is average-low and you struggle in executing a proper SSLDC and implementing an effective DevOps framework my suggestion is to evaluate alternative development approaches like a Low-Code Development Platform or Low-Code Application Platform.

Content you might like

Thoughts on self-healing applications? Any approaches or tools that look promising to you?

How do you tell if AI tools are genuinely helping your engineers, instead of just adding extra steps or confusion?

Read More Comments

What are the biggest technical challenges preventing organizations from being able to use their existing data to enable digital transformation?

Finding data and putting it to good use13%

Controlling the security and privacy of data45%

Understanding how data is currently being used20%

All of the above19%

None of the above1%

View Results

Does someone have advice on how they have balanced the risk/reward as it relates to introducing Open-Source Software to organization? My org is dipping its toe into the OSS world and the architecture and risk governance teams are looking to get ahead of these requests by coming up with policies and standards for OSS technology being brought into our environment. To clarify, this is not for software development and CI/CD pipelines, SDLC etc. This is for installing solutions that already exist out there (Zabbix, GreyLog, Prometheus etc.) into the organization's environment. We are looking to provide a balance on the obvious risk with the ability to move fast (like everyone else now).

What are your organization’s drivers for implementing RegTech?

Support future growth36%

Automate manual processes59%

Demonstrate compliance49%

Reduce risk exposure43%

Improve customer experience16%

Reduce costs13%

View Results