DevOps.com

Managing Open source software components

By: vishal sahasrabuddhe on June 30, 2015 3 Comments

Building any software takes a lot of effort: people, time, money and more. It is a real pleasure when it goes live or gets released. At the same time, there is always a chance that bugs will put the release in a difficult position even after multiple rounds of testing. Teams can fix bugs in software features or functionality, but the ones that hit hardest are:
  • Security vulnerabilities.
  • Licensing risk of an open source component.
  • Outdated open source components.

The world is moving towards open source at a fast pace, and open source components are increasingly used inside applications. They are free for us to use, but they can carry more risk. A paid, commercial product is bound to fix issues and provide adequate support for any vulnerability, security issue or licensing question. With open source software the risk is a little higher, because the responsibility for tracking new releases and available bug fixes falls on the team using it, so it is very important to stay up to date on them.

If open source components are not monitored properly and kept up to date, the software that depends on them can become vulnerable.

The checks above need to be done during the development phase, so that any discrepancy related to security or legal requirements is ruled out there. The check can be included in the build process to make sure a risky component does not pass the first barrier and is caught even before it reaches the testing phase. Eventually this saves development and testing effort and time.
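A minimal build-gate of this kind, written as an added example for this page (it is not code from the original post or from any of the tools the post goes on to name). It applies the three checks listed above to a resolved component list and reports which ones should fail the build. The manifest, the advisory feed, the license metadata and the "latest release" data are constructed inline; the version-range syntax, the license allow-list and the major-version lag threshold are hypothetical policy choices for the example.

```python
"""
Build gate for open source components. A component fails the build when it is
(1) inside a known-vulnerable version range, (2) shipped under a license the
project does not allow, or (3) more than MAX_MAJOR_LAG major versions behind
the latest release. All data below is constructed for this example; a real
pipeline would read the manifest from the build tool and pull advisory and
license data from a vulnerability/license feed.
"""
import re
from dataclasses import dataclass

# Constructed sample manifest, one "name==version" per line, as a build tool
# would resolve it. Blank lines and "#" comments are ignored.
SAMPLE_MANIFEST = """
# resolved components for this build
json-parser==1.4.2
tls-helper==0.9.0
log-fmt==2.1.0
old-xml==3.0.1
"""

# Constructed advisory feed: component -> [(vulnerable range, advisory id)].
# Range syntax (hypothetical): comma-separated clauses such as "<1.4.3" or
# ">=0.9.0,<1.0.0"; every clause must hold for a version to be affected.
SAMPLE_ADVISORIES = {
    "json-parser": [("<1.4.3", "EXAMPLE-ADV-1")],
    "tls-helper": [(">=0.9.0,<1.0.0", "EXAMPLE-ADV-2")],
}

# Constructed license metadata and a hypothetical project allow-list.
SAMPLE_LICENSES = {"json-parser": "MIT", "tls-helper": "Apache-2.0",
                   "log-fmt": "GPL-3.0-only", "old-xml": "BSD-3-Clause"}
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Constructed "latest release" feed used by the outdated-component check.
SAMPLE_LATEST = {"json-parser": "1.4.3", "tls-helper": "1.0.2",
                 "log-fmt": "2.1.0", "old-xml": "5.2.0"}
MAX_MAJOR_LAG = 1  # hypothetical policy: fail if more than one major behind

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def parse_version(v):
    """Numeric dotted version to a tuple; simplification, no pre-release tags."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text):
    """Return {name: version} from the name==version manifest format above."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        deps[name.strip()] = version.strip()
    return deps


def in_range(version, spec):
    """True when `version` satisfies every clause of the range `spec`."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"(<=|>=|<|>|==)\s*([\d.]+)", clause.strip())
        if not m:
            raise ValueError(f"bad range clause: {clause!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


@dataclass
class Finding:
    component: str
    version: str
    kind: str  # "vulnerability" | "license" | "outdated"
    detail: str


def check_components(manifest_text, advisories, licenses, allowed, latest,
                     max_major_lag=MAX_MAJOR_LAG):
    """Run the three checks over every component; return the list of findings."""
    findings = []
    for name, version in parse_manifest(manifest_text).items():
        for spec, adv_id in advisories.get(name, []):
            if in_range(version, spec):
                findings.append(Finding(name, version, "vulnerability",
                                        f"{adv_id} affects {spec}"))
        lic = licenses.get(name)
        if lic not in allowed:
            findings.append(Finding(name, version, "license",
                                    f"{lic or 'unknown'} not in allow-list"))
        newest = latest.get(name)
        if newest and parse_version(newest)[0] - parse_version(version)[0] > max_major_lag:
            findings.append(Finding(name, version, "outdated", f"latest is {newest}"))
    return findings


def build_should_fail(findings):
    """The gate: any finding at all blocks the build."""
    return bool(findings)


if __name__ == "__main__":
    import sys
    results = check_components(SAMPLE_MANIFEST, SAMPLE_ADVISORIES,
                               SAMPLE_LICENSES, ALLOWED_LICENSES, SAMPLE_LATEST)
    for f in results:
        print(f"FAIL {f.kind:13} {f.component}=={f.version}: {f.detail}")
    sys.exit(1 if build_should_fail(results) else 0)
```

Run as a script it prints one line per finding and exits non-zero when any exists, which is all a build step needs to stop the pipeline before the testing phase. On the constructed data it reports two vulnerable components, one disallowed license and one badly outdated component. The version comparison is a plain numeric tuple compare and does not understand pre-release or build tags, so a real gate should use the ecosystem's own version rules.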

There are tools available which can take care of some or all of the verification of open source components in the various phases.

Artifactory

This tool can verify the license of an open source component and check its compatibility with various license definitions. You can even add your own license definition as per your requirements.

Sonatype Nexus and WhiteSource

These tools verify the license and keep the component information up to date. They check for updates and bug fixes for any vulnerability issues and notify the user. They can do component security vulnerability and license analysis against the latest available information.

Security issues are the last thing any software developer wants. Even small legal or security problems can put your system or software in a dangerous situation. It is better to secure software first than to fix it later.

References

http://www.scmtechblog.net/2015/06/managing-open-source-component.html

http://www.scmtechblog.net/2015/03/maven-repository-tools-comparison.html

Filed Under: Blogs, DevSecOps Tagged With: application security, open source, opens source governance, security vulnerability
