3 Steps to Improve Open Source Security in Agile Software Development

Open source and an agile application development life cycle go together like bricks and mortar in the construction of software. While agile development is focused on smaller teams and open source is generally developed by distributed contributors, both are based around rapid, flexible collaboration. With complementary development principles, they’re a winning team for innovative software creation.

The Building Blocks of Agile Development

Open source components have proven to effectively deliver performance and functionality. Thus, using open source software as building blocks is popular with agile teams. Open source components supply needed functionality without requiring developers to write new code. This mix of availability and functionality forms a solid foundation for agile projects.

Curbing Open Source Security Risks

[Image: Agile Development Cycle]

Still, the many benefits of open source software can also come with risks. Although components from well-maintained projects are unlikely to include common vulnerabilities, even projects that are well-curated and vetted by community members may be subject to the often subtle, sometimes serious vulnerabilities that are discovered and disclosed almost daily by security researchers.

For agile development teams to mitigate security risks from open source software, they must have visibility into the “hygiene” of the open source components they use, select components without known vulnerabilities, and continually monitor those components throughout the application lifecycle.

Step 1: Develop and deploy an open source usage policy

Step 2: Establish processes and controls to enforce your open source policy

Step 3: Implement security testing tools that integrate with your continuous integration environment, without hampering quick “edit/build/test” cycles.

As open source code proliferates throughout multiple applications, organizations struggle with monitoring the ongoing security of each individual component. While it’s possible to manually track open source use and vulnerabilities via spreadsheets, it’s next to impossible to ensure comprehensive, continual open source vulnerability analysis without the use of automated solutions.

To be effective, testing tools must meet the requirements of agile teams: delivering quick, accurate, and actionable results. By integrating tools like the Black Duck Hub into the build process, organizations can establish and enforce reasonable open source policies without affecting the productivity of agile teams.
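The three steps above (a usage policy, a process that enforces it, and an automated check wired into the build) can be reduced to a small policy gate. The following is an added example written for this post, not Black Duck Hub code: it parses a pinned dependency list, compares each component against a list of vulnerability advisories with affected version ranges, and returns the violations that breach a severity threshold so a CI job can fail the build. The lockfile contents, the advisory records and their `ADV-PLACEHOLDER-*` identifiers are constructed for the example; a real deployment would load the advisory data from a vulnerability feed and re-run the same check on every build so newly disclosed issues in already-approved components are caught.

```python
"""Minimal open source usage-policy gate for a CI pipeline (added example).

Assumptions: components are pinned as 'name==version' lines, versions are
dotted integers, and an advisory marks a component vulnerable for
introduced <= version < fixed. Advisory data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed advisory records; the ids are placeholders, not real CVEs.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADV-PLACEHOLDER-001", "component": "libexample",
     "introduced": "1.0.0", "fixed": "1.4.2", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-002", "component": "jsonutil",
     "introduced": "0.0.0", "fixed": "2.0.0", "severity": "medium"},
]

# Policy: fail the build on anything at or above this severity.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample that mimics a pinned dependency list checked into the repo.
SAMPLE_LOCKFILE = """
# third-party components used by the service (constructed sample)
libexample==1.2.0
jsonutil==2.1.0
otherlib==3.0.1
"""


@dataclass
class Violation:
    component: str
    version: str
    advisory_id: str
    severity: str
    fixed_in: str


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.4.2' -> (1, 4, 2). Non-numeric parts raise, so the gate fails closed."""
    return tuple(int(part) for part in v.strip().split("."))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (half-open range, like OSV)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def parse_lockfile(text: str) -> Dict[str, str]:
    """Read 'name==version' lines, ignoring blank lines and '#' comments."""
    inventory: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned component: {line!r}")
        inventory[name.strip()] = version.strip()
    return inventory


def evaluate_inventory(inventory: Dict[str, str],
                       advisories: List[Dict[str, str]] = ADVISORIES,
                       threshold: str = "medium") -> List[Violation]:
    """Return every inventory entry matched by an advisory at/above threshold."""
    min_rank = SEVERITY_RANK[threshold]
    violations: List[Violation] = []
    for adv in advisories:
        version = inventory.get(adv["component"])
        if version is None:
            continue  # component not used by this project
        if SEVERITY_RANK[adv["severity"]] < min_rank:
            continue  # below policy threshold: report elsewhere, don't block
        if is_affected(version, adv["introduced"], adv["fixed"]):
            violations.append(Violation(adv["component"], version, adv["id"],
                                        adv["severity"], adv["fixed"]))
    return sorted(violations, key=lambda v: (v.component, v.advisory_id))


def main() -> int:
    """CI entry point: non-zero exit blocks the merge/build."""
    violations = evaluate_inventory(parse_lockfile(SAMPLE_LOCKFILE))
    for v in violations:
        print(f"BLOCK {v.component}=={v.version}: {v.advisory_id} "
              f"({v.severity}); upgrade to >= {v.fixed_in}")
    return 1 if violations else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Running the module exits non-zero because `libexample==1.2.0` falls inside the constructed advisory range, while `jsonutil==2.1.0` is already past its fix version. The threshold is the policy knob from Step 1; keeping the check as a single fast script is what lets it sit inside the edit/build/test loop from Step 3 rather than in a separate, slower review stage.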
