SEC06-01 Ensuring Open-Source Software Security
Open-source software is indispensable in modern software development. More and more enterprises choose to use open-source software to develop and deploy software applications. Open-source software must be used in compliance with laws and regulations. You need to check the sources, vulnerability management, traceability, centralized management, and lifecycle management of open-source software.
- Risk severity
High
- Key strategies
- Use reliable sources. Because open-source code is publicly available, attackers can readily identify and exploit its vulnerabilities. Make sure you obtain open-source software directly from the official website of the authorized community, supplier, or vendor.
- Comply with software license requirements. Make sure the open-source software in use comes with a proper license or a signed usage agreement. Open-source software must be used in accordance with its license terms and relevant laws to prevent intellectual property or licensing issues. Open-source obligations must be fulfilled to avoid damage to the reputation of products or enterprises.
- Enable centralized management. You should centrally manage open-source software, unify how it is introduced, establish a preferred library and a roadmap library, and reduce the types and quantity of open-source software in use. Encourage your teams to use the preferred open-source software to ensure quality and security.
- Reduce the impact of open-source vulnerabilities. Open-source software vulnerabilities spread quickly and have a great impact. Once a security vulnerability is reported, the key to minimizing impact lies in quickly identifying the affected products and fixing the vulnerability.
- Enable traceability. The change process of open-source software must be controllable and recorded. A mapping between product versions, the third-party software they include, and known vulnerabilities must be established and maintained.
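The traceability and vulnerability-impact strategies above depend on being able to answer "which product versions ship a vulnerable build of component X?" immediately after an advisory is published. The following is an added example, not code from the original page or from any vendor tooling: it keeps a constructed product-to-component inventory (the kind of data an SBOM provides) and resolves an advisory's affected version range against it using numeric version comparison rather than string comparison.

```python
"""Added example: resolve a vulnerability advisory against a product inventory.

INVENTORY, component names and version numbers are all constructed for
illustration; in practice the inventory is built from SBOMs and the advisory
range comes from a vulnerability feed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    # "1.2.10" -> (1, 2, 10). Comparing tuples avoids the string-comparison
    # bug where "1.2.10" sorts before "1.2.9".
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Component:
    name: str
    version: str


# Constructed inventory: (product, product version) -> bundled components.
INVENTORY: Dict[Tuple[str, str], List[Component]] = {
    ("billing-api", "3.4.0"): [Component("libcompress", "1.2.9"), Component("jsonparse", "2.0.1")],
    ("billing-api", "3.5.0"): [Component("libcompress", "1.3.0"), Component("jsonparse", "2.0.1")],
    ("report-worker", "1.1.2"): [Component("libcompress", "1.2.10")],
    ("web-portal", "7.0.0"): [Component("jsonparse", "1.9.0")],
}


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed; fixed=None means no fix exists yet."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def affected_products(inventory, component: str, introduced: str,
                      fixed: Optional[str]) -> List[Tuple[str, str, str]]:
    """Return sorted (product, product_version, component_version) triples
    for every product version that bundles a vulnerable build of `component`."""
    hits = []
    for (product, pversion), components in inventory.items():
        for comp in components:
            if comp.name == component and is_affected(comp.version, introduced, fixed):
                hits.append((product, pversion, comp.version))
    return sorted(hits)
```

Running `affected_products(INVENTORY, "libcompress", "1.2.0", "1.3.0")` lists the two product versions still carrying a vulnerable libcompress, and correctly excludes the 1.3.0 build that would pass a naive string comparison.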