SEC06-01 Ensuring Open-Source Software Security

Open-source software is indispensable in modern software development. More and more enterprises choose to use open-source software to develop and deploy software applications. Open-source software must be used in compliance with laws and regulations. You need to check the sources, vulnerability management, traceability, centralized management, and lifecycle management of open-source software.

Risk severity
High
Key strategies
- Use reliable sources. Open-source software is publicly available, making it easy for hackers to identify and exploit its vulnerabilities for attacks. Make sure you obtain the open-source software directly from the official website of the authorized community, supplier, or vendor.
- Comply with software license requirements. Make sure the open-source software in use comes with a proper license or a signed usage agreement. Open-source software must be used in accordance with its license terms and relevant laws to prevent intellectual property or licensing issues. Open-source obligations must be fulfilled to avoid damage to the reputation of products or enterprises.
- Enable centralized management. You should centrally manage open-source software, unify the introduction of open-source software, establish a preferred library and roadmap library, and reduce the types and quantity of open-source software. You can encourage your teams to use preferred open-source software to ensure the quality and security.
- Reduce the impact of open-source vulnerabilities. Open-source software vulnerabilities spread quickly and have a great impact. Once a security vulnerability was reported, the key to minimizing impact lies in quickly identifying affected products and fixing the vulnerability.
- Enable traceability. The change process of open-source software must be controllable and recorded. The relationship between product versions and third-party software and vulnerabilities must be established.