How to handle Open Source Software and Security.
Open source has always left many questions unanswered about software security: either your comfort level is high, or you have sleepless nights.
The key open questions for open source are these: can someone else view the source and modify it, and do you rely on your internal software developers to fix the security flaws? Open source is mostly software written freely by developers who love to write code and do not mind publishing their projects for everyone to use.
When using open source, the internal developers need to test the piece and decide whether it can be used in the production systems. It is up to the developer to test the code on a machine that is safely isolated from production. Only after the testing / QA phase can the software be released into production.
The one key word in the paragraph above is testing. Quite a few developers think they can incorporate their own code, as well as open source, into a production system without even testing it. Those are the companies that tend to ship terrible, buggy software and could open themselves up to lawsuits over the damages incurred by their clients.
How do I secure the open source code that I download?
Download only from a trusted source. You should be able to grab code from GitHub or a download center that you can trust, but if you think you can download a piece of code from any FTP or web server, you open the door for anything to happen. As in The Terminator, you are the virus.
You have the option of inserting or updating the open source code when a patch / upgrade is released. That is one way, but if you think about it, you have an internal developer who should be able to update the code themselves; otherwise, what is the point? You might as well hire the open source developer.
Maintain the security of your software by simply locking down the production release and updating only after you have QA'd / tested the application in a test environment. You also need to make sure that your internal developer understands the legal aspects of using open source in a commercial product.
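One way to turn the two rules above (download only from a trusted source; promote to production only what has passed QA in a test environment) into a check the build can enforce. This is an added example, not code from the original post; the manifest, the component name, the source URL and the pinned digest (the SHA-256 of the bytes `b"abc"`) are constructed placeholders.

```python
import hashlib
import hmac

# Constructed manifest of open source components the team has reviewed:
# the download location each was approved from and the SHA-256 of the
# exact artifact that went through the test environment.
APPROVED_COMPONENTS = {
    "example-lib-1.2.0.tar.gz": {
        # hypothetical approved download location
        "source": "https://github.com/example-org/example-lib/releases/",
        # placeholder digest: SHA-256 of b"abc", standing in for the real archive digest
        "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    },
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the downloaded bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_download(name: str, url: str, data: bytes, manifest=APPROVED_COMPONENTS) -> bool:
    """True only if the artifact is on the approved list, came from the approved
    location, and its bytes match the pinned digest."""
    entry = manifest.get(name)
    if entry is None:
        return False  # never reviewed, never tested: cannot be used
    if not url.startswith(entry["source"]):
        return False  # "any FTP or web server" is not a trusted source
    # constant-time comparison so the check itself leaks nothing about the digest
    return hmac.compare_digest(sha256_hex(data), entry["sha256"])


def may_promote(name: str, url: str, data: bytes, qa_signed_off: bool,
                manifest=APPROVED_COMPONENTS) -> bool:
    """Production gate: integrity and origin verified AND QA signed off in the test environment."""
    return verify_download(name, url, data, manifest) and qa_signed_off
```

A tampered archive, a download from an unapproved host, or a missing QA sign-off all fail the gate, so the production release stays locked down until the tested artifact is the one being deployed.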
So using open source is not bad, but you need to make sure you read the code and any associated documents to confirm that you have the legal right to use it in a major distribution.