
Most importantly, an OSS security

Posted: Thu Feb 06, 2025 6:29 am
by rakhirhif8963
“A successful OSS security management strategy recognizes that open source is a driver and is critical to accelerating the team’s work,” he says. “It’s also important to recognize that a manual approach to security alone is unlikely to get the job done, and that additional automation must be used.”

Most importantly, an OSS security management strategy should support high developer velocity while improving security by integrating it into automated CI/CD processes, rather than trying to align developer processes with security.

Bisson notes that the productivity gains from open source can trick companies into underinvesting in software development. In his view, CI/CD automation—with automated code scanning—is more important than ever. Automated monitoring and permissions compliance should also help.

“The last thing any developer wants is to discover security risks in their work after they’ve completed it,” he says. “Incorporating automated security checks early in the workflow allows developers to get feedback faster so they can make fixes before something becomes a security issue.”

The Importance of Transitive Dependencies
Mickline Keffeler, an application security consultant at nVisium, notes that a critical element of any OSS security management strategy is transitive dependencies. Additionally, simple tools like OWASP Dependency-Track help identify and mitigate risks in the software supply chain by informing teams of all transitive dependencies in use and how they can mitigate that risk in the future.

Software composition analysis tools can also help guard against risks in incoming open source components, but supply chain security is about more than just the software components being used. It includes securing the workflow to prevent accidental or deliberate tampering, Bisson says.

Supply chain security
Automated provisioning of git access and best practices for configuration, such as branch protection rules and requiring commits to be signed, are critical to supply chain security.

“Ultimately, the supply chain doesn’t end until the code is in production, so access to source code is another attack vector,” says Bisson. “It’s important to make sure developers have access to all the repositories they need, but too many companies fail to stop access when developers leave the company or change teams.”

Keffeler shares Bisson's view that supply chain security plays an important role in OSS management. "This software is already mission-critical in many enterprises," he says. "The rise in supply chain attacks is a direct result of companies ignoring this part because it's not their responsibility."

Many development teams have a proven list of OSS they will use because they have tested it, but they often overlook the dependencies of those dependencies. Additionally, when security vulnerabilities arise in these transitive dependencies, not only do the vulnerable packages need to be updated to fix them, but every dependency that uses them also needs to be updated.

“This creates a supply chain issue, and it can often take a long time for these fixes to reach a broad audience, depending on how quickly the changes are made,” Keffeler says. “If the software is not well-managed, it can take a very long time.”
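To make the transitive-dependency point concrete, here is an added example (not from the article, and not code from nVisium or any tool it names) that walks a small constructed dependency graph: it lists the indirect dependencies a "proven list" of direct dependencies would miss, and computes the order in which packages must ship fixed releases once a vulnerable transitive dependency is patched.

```python
from collections import defaultdict, deque

# Constructed dependency graph (hypothetical package names, not from the article):
# package -> packages it declares as dependencies. "app" is the team's own project.
DEPS = {
    "app": ["web-framework", "http-client", "logger"],
    "web-framework": ["template-engine", "http-client"],
    "http-client": ["url-parser", "tls-lib"],
    "template-engine": ["url-parser"],
    "logger": [],
    "url-parser": [],
    "tls-lib": [],
}

def reverse_graph(deps):
    """Build package -> packages that depend on it (its dependents)."""
    rev = defaultdict(list)
    for pkg, requires in deps.items():
        for dep in requires:
            rev[dep].append(pkg)
    return rev

def transitive_dependencies(deps, root):
    """Packages reachable from root that are NOT in root's direct dependency list,
    i.e. the ones a review of only the direct dependencies would never see."""
    direct = set(deps.get(root, []))
    seen, queue = set(), deque(direct)
    while queue:
        pkg = queue.popleft()
        if pkg not in seen:
            seen.add(pkg)
            queue.extend(deps.get(pkg, []))
    return seen - direct

def remediation_order(deps, vulnerable):
    """Every package that (transitively) depends on `vulnerable`, ordered so that each
    one appears only after all affected packages it depends on have shipped a fix."""
    rev = reverse_graph(deps)
    affected, stack = set(), [vulnerable]
    while stack:
        for dependent in rev.get(stack.pop(), []):
            if dependent not in affected:
                affected.add(dependent)
                stack.append(dependent)
    # Kahn's algorithm over the affected subgraph: a package is ready to release once
    # every affected dependency of it has already been released.
    pending = {p: {d for d in deps.get(p, []) if d in affected} for p in affected}
    order = []
    while pending:
        ready = sorted(p for p, waiting in pending.items() if not waiting)
        if not ready:
            raise ValueError("dependency cycle among affected packages")
        for p in ready:
            order.append(p)
            del pending[p]
        for waiting in pending.values():
            waiting.difference_update(ready)
    return order
```

With the constructed graph, a fix in `url-parser` is not usable by `app` until `http-client`, `template-engine` and then `web-framework` have each released; `remediation_order` makes that chain explicit so a team can see how far it is from the patched version.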

He points to a common open source security management tool called Renovate Bot. It automatically opens pull requests in the project or library it's linked to so you can stay on the latest safe version of a dependency.