Using open-source wisely: 4 keys

Most IT departments don’t have a ton of time or resources at their disposal for programming. They fill in these holes with open-source components, which can be a godsend or a major concern – depending on how they’re used.

But as Heartbleed and a more recent OpenSSL flaw show, open-source components can come with security drawbacks.

The question is, can these free, open resources ever be secure enough to bet your business on?

Open-source benefits

That depends in large part on which open-source resources you’re talking about, of course. As Black Duck’s Balaji Viswanathan recently noted, not every open-source project has enough eyeballs or resources to find serious flaws in its code.

On the other hand, the larger projects have more reviewers than most companies can muster in-house. So it’s entirely possible that more errors get caught by this crowd-sourced review than you would catch on your own.

In the end, the safety of open-source resources depends on using them wisely.

Here are four keys to guide those decisions.

1. Pick only the best

The most widely used open-source projects are also (likely) the most secure. This isn’t a hard and fast rule – Heartbleed was certainly a reminder of that – but in general, the more programmers who are monitoring and updating a component, the better off you’ll be.

2. Keep it up-to-date

According to one study, 85% of the projects examined were not running the most up-to-date version of the open-source software they use. Open-source projects release patches fairly often, so it’s important to stay on top of these releases and be sure that you’re not putting yourself in danger by running flawed or outdated software.

The components with the most updates aren’t necessarily the most flawed – in fact, frequent releases can be a sign that a project has an active, dedicated community.

3. Track everything

Make sure you have an active, regularly updated list of every open-source component that’s used in your systems, including the version you’re running – you can’t tell whether a component is behind without knowing which version you have. It can help to assign a designated person to check for updates for each open-source component. That way, you can be sure that nothing will slip through the cracks.

4. Keep it funded

Companies like Google, VMWare, Microsoft and others have started to realize that it can’t be all take and no give. Supporting open-source developers with funding and donations can be a good way to ensure we don’t wind up with another Heartbleed situation.

It’s certainly optional, but a small investment could pay off for you in the long run.