The vast majority of enterprise level companies employ some level of open source policy in their organizations. Their purpose is to create company-wide guidelines for the use of open source components. However, there’s a fine line between theory and practice and more often than not these open source policy templates fail to fulfill their purpose because they lack enforcement and the supervision needed to ensure developers are following them.
Much has been written about the makeup of open source policy templates. What needs to go into them and the best practices for their assembly, but often times these guides leave out critical aspects of policy implementation. Before you go setting your policy, make sure you don’t leave out these three crucial points.
Out with the Manual and in with the Automated Implementation of Open Source Policy Templates
As detailed and scrutinous as your open source policy template may be, if it lacks the automation tools to identify open source components, surface their vulnerabilities and track their remediation, then the policy you set cannot be counted on to work.
Manual tracking of open source components on spreadsheets and managing licenses over emails is impractical and unsustainable over time. Given that open source components comprise 60% to 80% of modern applications, the amount of open source components used and their multitude of dependencies simply cannot be encompassed manually. Therefore, any policy template that fails to discuss automation as a leading principle is shortchanging you and will not get the job done.
Open source components are dynamic by nature. They get worked and reworked by the open source community on an ongoing basis, leading to new vulnerabilities being found and others being fixed continuously. This makes periodic testing for open source (Read more…)
*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Anat Richter. Read the original post at: https://resources.whitesourcesoftware.com/blog-whitesource/creating-your-open-source-policy-template