Open source and an agile application development life cycle go together like bricks and mortar in the construction of software. While agile development is focused on smaller teams and open source is generally developed by distributed contributors, both are based around rapid, flexible collaboration. With complementary development principles, they’re a winning team for innovative software creation.
The Building Blocks of Agile Development
Open source components have proven to effectively deliver performance and functionality. Thus, using open source software as building blocks is popular with agile teams. Open source components supply needed functionality without requiring developers to write new code. This mix of availability and functionality forms a solid foundation for agile projects.
Curbing Open Source Security Risks
Still, the many benefits of open source software can also come with risks. Although components from well-maintained projects are unlikely to include common vulnerabilities, even projects that are well-curated and vetted by community members may be subject to the often subtle, sometimes serious vulnerabilities that are discovered and disclosed almost daily by security researchers.
For agile development teams to mitigate security risks from open source software, they must have visibility into the “hygiene” of the open source components they use, select components without known vulnerabilities, and continually monitor those components throughout the application lifecycle.
Step 1: Develop and deploy an open source usage policy
Step 2: Establish processes and controls to enforce your open source policy
Step 3: Implement security testing tools that integrate with your continuous integration environment, without hampering quick “edit/build/test” cycles.
As open source code proliferates throughout multiple applications, organizations struggle with monitoring the ongoing security of each individual component. While it’s possible to manually track open source use and vulnerabilities via spreadsheets, it’s next to impossible to ensure comprehensive, continual open source vulnerability analysis without the use of automated solutions.
To be effective, testing tools must meet the requirements of agile teams: delivering quick, accurate, and actionable results. By integrating tools, like the Black Duck Hub, into the build process, organizations can establish and enforce reasonable open source policies without affecting the productivity of agile teams.
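To make the three steps concrete, here is an added example (not code from the original post, and not Black Duck Hub code) of what an automated policy check looks like when it runs as a stage in a continuous integration build. The policy is written as data (Step 1), the check enforces it by failing the build (Step 2), and the whole thing runs in well under a second so it does not slow an edit/build/test cycle (Step 3). The dependency manifest format, the advisory feed, the package names and the advisory ids are all constructed for illustration; a real pipeline would pull advisories from a vulnerability database rather than hard-code them.

```python
"""
Added example: a minimal open source usage policy check, suitable as a CI stage.
Not part of the original post; the advisory data, manifest format and package
names below are constructed placeholders, not real projects or real CVEs.
"""
from dataclasses import dataclass
import sys

# Ordering used to compare an advisory's severity against the policy threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Advisory:
    package: str
    vulnerable_versions: tuple  # exact versions known to be affected (constructed)
    severity: str
    advisory_id: str


# Constructed advisory feed. Real tooling would fetch this from a vulnerability
# database on every run; re-running the check on a schedule against a fresh feed
# is what gives the "continual monitoring" the text describes.
ADVISORIES = [
    Advisory("fastjsonlib", ("1.2.0", "1.2.1"), "high", "EXAMPLE-ADV-0001"),
    Advisory("imgproc", ("0.9.3",), "medium", "EXAMPLE-ADV-0002"),
]

# The open source usage policy (Step 1), kept as data so it can be versioned
# with the code and enforced mechanically by the build (Step 2).
POLICY = {
    "max_allowed_severity": "medium",  # anything above this fails the build
    "allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause"},
}


def parse_manifest(text):
    """Parse lines of the form 'name==version license' into (name, version, license).

    Blank lines and '#' comments are ignored. The format is constructed for this
    example; a real check would read the project's own lockfile.
    """
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        spec, license_name = line.split()
        name, version = spec.split("==")
        deps.append((name, version, license_name))
    return deps


def evaluate(deps, advisories=ADVISORIES, policy=POLICY):
    """Return a list of policy violations; an empty list means the build may proceed."""
    violations = []
    threshold = SEVERITY_RANK[policy["max_allowed_severity"]]
    for name, version, license_name in deps:
        if license_name not in policy["allowed_licenses"]:
            violations.append(f"{name}=={version}: license {license_name} not in policy")
        for adv in advisories:
            if adv.package == name and version in adv.vulnerable_versions:
                if SEVERITY_RANK[adv.severity] > threshold:
                    violations.append(
                        f"{name}=={version}: {adv.advisory_id} severity "
                        f"{adv.severity} exceeds policy"
                    )
    return violations


# Constructed dependency manifest for a sample build.
SAMPLE_MANIFEST = """
# name==version license
fastjsonlib==1.2.1 MIT
imgproc==0.9.3 Apache-2.0
leftpadx==2.0.0 GPL-3.0
"""

if __name__ == "__main__":
    problems = evaluate(parse_manifest(SAMPLE_MANIFEST))
    for p in problems:
        print("POLICY VIOLATION:", p)
    # A non-zero exit status is what makes the CI stage fail (Step 3).
    sys.exit(1 if problems else 0)
```

On the sample manifest the check reports two violations: the high-severity advisory on `fastjsonlib` exceeds the medium threshold, and `leftpadx` carries a license outside the allow-list; `imgproc` is flagged only at medium severity and so passes. The exit status, not the printed text, is the enforcement mechanism, which is why the same script can sit behind a commit hook, a pull-request check, or a nightly rescan without any change.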