Module 4: Open Source Software Security and Maintenance
Learning Objectives
In this module we will:
Discuss the interlinked security and maintenance considerations associated with both conventional proprietary and open source software.
Outline key challenges that organizations face in maintaining and securing their open source software solutions.
Explore strategies for ensuring successful stewardship and maintenance of open source software.
Key Points
There is no such thing as zero-risk software: all software – proprietary and open source – is built on sub-modules and involves risks that must be managed. In fact, most conventional proprietary companies use open source code in their products and participate in maintaining open source software.
Open source software is not inherently less secure than conventional proprietary software. As with any software, open source software carries certain risks that are unavoidable, but this should not discourage you from considering it for your organization. The best course of action is to conduct a thorough risk assessment and make appropriate plans to mitigate those risks.
More ’eyes’ on a piece of open source software increase the chances that critical maintenance issues and security vulnerabilities will be resolved. Open source software that is backed by a large active community of users and developers is more likely to receive regular updates and security patches. However, if you are using open source software that is not widely supported by a community of users, you will need to compensate by making sure you have appropriate in-house capacity (or can hire external support) to monitor for security vulnerabilities.
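One concrete piece of the in-house monitoring capacity described above is a routine check of pinned dependencies against known advisories. The script below is an added example written for this module, not code from the module or from any project it mentions; every package name, version and advisory id in it is constructed, and the advisory format (package, first affected version, first fixed version) is a simplified stand-in for what a real feed such as OSV or the GitHub Advisory Database provides. It also refuses unpinned dependencies, because a manifest that does not pin versions cannot be checked at all.

```python
"""
Added example for this module (not the module's own code): check a pinned
dependency manifest against a local list of advisories.

All package names, versions and advisory ids here are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive); "" means no fix yet


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '1.2.10' into (1, 2, 10) so comparison is numeric, not lexical.

    Lexical comparison would wrongly rank '1.10.0' below '1.9.0'.
    Missing components are padded with 0, so '1.2' == '1.2.0'.
    Trailing non-digit suffixes (e.g. '1.2.3rc1') are ignored for simplicity.
    """
    parts: List[int] = []
    for piece in v.strip().split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version: str, adv: Advisory) -> bool:
    """True if version lies in [introduced, fixed); open-ended when no fix exists."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed and v >= parse_version(adv.fixed):
        return False
    return True


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'name==version' lines (requirements.txt style).

    Blank lines and '#' comments are ignored. An unpinned line is an error:
    without an exact version there is nothing to compare an advisory against.
    """
    deps: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency cannot be checked: {line!r}")
        name, version = line.split("==", 1)
        deps[name.strip().lower()] = version.strip()
    return deps


def find_vulnerable(deps: Dict[str, str],
                    advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """Return (package, pinned version, advisory id) for every matching advisory."""
    hits = []
    for adv in advisories:
        pinned = deps.get(adv.package.lower())
        if pinned is not None and is_affected(pinned, adv):
            hits.append((adv.package, pinned, adv.advisory_id))
    return sorted(hits)


# Constructed sample manifest and advisory list (not real packages or ids).
SAMPLE_MANIFEST = """
# constructed sample manifest
examplelib==2.3.1
fastparse==1.0.9
netutils==0.8.0
"""

SAMPLE_ADVISORIES = [
    Advisory("EX-2024-0001", "examplelib", "2.0.0", "2.3.2"),  # 2.3.1 is affected
    Advisory("EX-2024-0002", "fastparse", "1.1.0", "1.1.3"),   # 1.0.9 predates the bug
    Advisory("EX-2024-0003", "netutils", "0.5.0", ""),         # no fix yet: 0.8.0 affected
]


def sample_report() -> List[Tuple[str, str, str]]:
    """Run the check over the constructed sample data."""
    return find_vulnerable(parse_manifest(SAMPLE_MANIFEST), SAMPLE_ADVISORIES)


if __name__ == "__main__":
    for package, version, advisory_id in sample_report():
        print(f"{package}=={version} is affected by {advisory_id}")
```

The third sample advisory has no fixed version, which is the case the module's point is really about: when the upstream community is small or inactive, a hit with no fix is where your own capacity (or paid external support) has to take over, whether by patching locally, adding a mitigating control, or replacing the component.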
Don’t fork it unless you can maintain it; the more bespoke code your organization creates, the more the maintenance burden falls on you. If you create an independent local instance (forking the code), updates and security patches become your own responsibility – and they become increasingly difficult to apply as your version and the main branch grow further apart over time.