Open source helps developers build applications more quickly because they are able to draw from billions of lines of freely available code. However, open source also comes with hidden security and maintenance challenges.
In a recent article for Spiceworks, Tidelift CEO and co-founder Donald Fischer proposes the importance of an effective open source software supply chain management plan that addresses both internal security and maintenance challenges as well as external software supply chain resilience challenges. Here are some of the key recommendations from that article:
Organizations should put a plan in place to address internal open source security and maintenance challenges. This plan should answer questions such as:
- Does the organization have a system in place to determine which components are approved for use, and how can developers find those answers?
- If a developer wants to bring in a component that is not already approved for use, how do they do it, and who needs to be involved?
How can organizations proactively address these security and maintenance and supply chain resilience challenges?
In the article, Donald suggests three key ways to address these challenges:- Engage with the maintainers of the open source projects used at scale in your organization. This also means ensuring that maintainers get paid.
- Identify the tools and research necessary to make sense of emerging industry standards.
- Build a catalog of pre-vetted and approved open source packages, set open source policies and standards for open source usage, and grow the catalog of approved packages over time.
Read the full original blog post on Spiceworks to learn more about how your organization can create an effective open source supply chain management strategy today.
50 Milk St, 16th Floor, Boston, MA 02109