An Open Discussion on Open Source Review Boards


March 17, 2014 By Derek Weeks

The recent FS-ISAC whitepaper, “Appropriate Software Security Control Types for Third Party Service and Product Providers”, reveals the majority of internal software applications created by financial services involve acquiring open source components and libraries to augment custom developed software. While open source code is freely available and reviewed by many independent developers, that review effort does not translate into all software components and libraries being free from risk.

As I explored in my last blog post, “The Tipping Point: Human Speed vs. Machine Speed”, we may have surpassed the manual ability to keep open source risks out of the environment due to the overwhelming population of components, their frequency of updates, and our ability to incorporate those changes into our application environments.

Today, the open source community actively fixes functional and security flaws. Coupled with this practice, alert streams sharing security vulnerability updates are regularly delivered by FS-ISAC, NIST’s National Vulnerability Database, and other organizations. Open source review boards in financial services are one of the primary consumers of this information — tracking and manually applying this stream of data to their components.

Open source review boards help ensure companies can maximize the benefits of open source, while ensuring stakeholders are in agreement around minimizing legal, technical, or business risks related to its use. To learn more about the importance of open source review boards, common practices, and future considerations for their use, we recently sat down for a video chat (7 min.) with Sonatype’s, Bruce Mayhew — Director of Security Research and Development.

To learn why Sonatype is a preferred application security vendor for financial organizations visit http://www.sonatype.com/spotlight/fs-isac

Open Source Review Boards