How to handle Open Source Software and Security.

Open source has always raised the same unanswered question: can you be comfortable with the security of software you did not write, or should it give you sleepless nights?

The key open questions are these: can anyone else view and modify the source, and do you rely on your internal developers to fix the security flaws?  Open source is mostly software written for free by developers who love to write code and do not mind publishing their projects for all to use.

When adopting open source, the internal developers need to test the component and decide whether it can be used in the production systems.  It is up to the developer to test the code on a machine that is isolated from production and can be safely thrown away.  Only after the testing / QA phase should the software be released into production.

The key word in the paragraph above is testing.  Quite a few developers think they can drop their own code, and open source code, into a production system without testing it at all.  Those are the companies that ship terrible, buggy nonsense and open themselves up to lawsuits for the damage done to their clients.

How do I secure the Open Source code that I download?

Download only from a trusted source.  You should be able to grab code from GitHub or a download centre you trust, but if you think you can pull a piece of code from any FTP or web server you happen to find, you open the door for anything to happen.  As described in The Terminator, you are the virus.

You also have the option of pulling in the open source patch or upgrade when one is released.  That is one route, but think it through: your internal developer should be able to apply and review the update themselves, otherwise what is the point?  You might as well hire the open source developer.

Maintain security on your software by locking down the production release and updating only after you have QA/tested the new version in a test environment.  You also need to make sure that your internal developer understands the legal aspects of using open source in a commercial product.

So using open source is not bad, but you need to read the code and any accompanying documentation to confirm that you have the legal right to use it in a major distribution.
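One practical way to enforce the two rules above (download only from a source you trust, and let production move only to versions QA has tested) is to record the exact digest of each artifact at QA time and refuse anything else at deployment time. The following is an added example, not code from the original post; the manifest format, the function names and the sample archives are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample "archives" standing in for downloaded tarballs.  In real
# use these would be the bytes of the file you fetched from the trusted source.
APPROVED_ARCHIVE = b"libfoo-1.4.2.tar.gz contents (constructed sample)"
TAMPERED_ARCHIVE = b"libfoo-1.4.2.tar.gz contents (constructed sample) + extra"


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of an artifact as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def record_pin(manifest: dict, name: str, version: str, data: bytes) -> None:
    """QA step: after testing an artifact in the isolated environment, pin the
    exact bytes that were tested.  The manifest maps (name, version) -> digest.
    (Hypothetical manifest layout, constructed for this example.)"""
    manifest[(name, version)] = sha256_hex(data)


def verify_artifact(manifest: dict, name: str, version: str, data: bytes):
    """Deployment step: accept an artifact only if its (name, version) is
    pinned and its digest matches what QA tested.  Returns (ok, reason)."""
    expected = manifest.get((name, version))
    if expected is None:
        # An unpinned version means it never went through QA: refuse it.
        return False, f"{name} {version} is not in the approved manifest"
    actual = sha256_hex(data)
    # compare_digest avoids leaking where the strings differ; harmless here,
    # but it is the idiomatic way to compare digests.
    if not hmac.compare_digest(actual, expected):
        return False, f"digest mismatch for {name} {version}"
    return True, "ok"


def build_demo_manifest() -> dict:
    """Simulate QA approving exactly one release of libfoo."""
    manifest = {}
    record_pin(manifest, "libfoo", "1.4.2", APPROVED_ARCHIVE)
    return manifest


if __name__ == "__main__":
    manifest = build_demo_manifest()
    # Same bytes QA tested: accepted.
    print(verify_artifact(manifest, "libfoo", "1.4.2", APPROVED_ARCHIVE))
    # Same name/version but different bytes (tampered mirror, swapped download): refused.
    print(verify_artifact(manifest, "libfoo", "1.4.2", TAMPERED_ARCHIVE))
    # A newer upstream release nobody has tested yet: refused until QA pins it.
    print(verify_artifact(manifest, "libfoo", "1.5.0", APPROVED_ARCHIVE))
```

The point of pinning the digest rather than just the version string is that "trusted source" is a statement about where you fetched from, while the digest is a statement about what you actually got; a mirror or a compromised download server can serve different bytes under the same filename, and only the second check catches that.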

Visual Studio 2017 to be released March 7th

The Visual Studio team has released a pack of updates that amount to minor fixes for the Visual Studio 2017 Release Candidate 3 that was let loose on the Web a week ago. The team also set a definitive launch date for the feature-complete suite: March 7, 2017.

The most recent update includes updates to the .NET Core SDK, including a new templating engine for projects created with the dotnet new command. Feedback from developers also prompted a change to the .NET Standard library class template under the .NET Standard node. Rich Lander, a Microsoft program manager with the Common Language Runtime team, says that there are also about 50 quality fixes “across the .NET CLI, NuGet, MSBuild and also in Visual Studio,” and adds, “We will continue to squash bugs as we get closer to Visual Studio 2017 RTM.”

The build also adds Redgate SQL Prompt, which provides SQL code completion while coding, and a number of Developer Analytics Tools enhancements.

Outside of the fixes covered in the release notes, there is one tool worth noting that is related to VS 2017 RC3. A post earlier this week by Visual Studio senior program manager Ahmed Metwally details a new tool, Continuous Delivery Tools for Visual Studio 2017, which he explains is aimed at streamlining the automated build and release of ASP.NET and .NET Core projects targeting Azure App Services and Azure Container Services. It belongs to the category of tools shipped as Microsoft DevLabs extensions, which are “experimental,” meaning the tools are nascent (such projects can be killed at any time) and are not backed by any official support.

Like this update, everything from now until the March 7 launch will likely be fixes and updates, with no major feature enhancements or additions.