Follow this presentation to see how an OSS audit and static code analysis can be used to reduce and mitigate the security risks associated with open source software and Internet-based applications. Presented January 2016 at the Open source compliance seminar hosted by Brooks Kushman and Rogue Wave Software.
7. Agile Development – Integrated Security
[Diagram: Sprint 1, Sprint 2, … Sprint n, each followed by Integrate and Test, then Release; Feedback and Review lead to an Accept decision: Yes → Release to Market; No → Change, Adjust and Track, Next Iteration]
Characteristics
• Multiple testing points
• Rapid feedback required
• “Outside” testing does not meet agile needs
8. Application code
• 3rd party components: ensure the open source code provider has a strong security plan
• APIs and Web Services: prevent buffer overflows and ensure your code is safe before adding it to your code
• Test your code
• Look for flaws early
• Make security a priority
13. Open Source and CVE
The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. MITRE Corporation maintains the system, with funding from the National Cyber Security Division of the United States Department of Homeland Security. CVE is used by the Security Content Automation Protocol, and CVE IDs are listed on MITRE's system as well as the US National Vulnerability Database.
• Audit your code
• Review CVE
• Monitor & Remediate
14. Defect reduction efforts
• OWASP, MISRA, ISO 26262
• See where and how the defects are being reduced
• Chart defects and establish a baseline in order to focus on priorities
• Compliance with standards
• Continuous reporting & trending
• Agile development team: baseline scanning, triage the critical issues first
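A baseline scan of the kind slides 13 and 14 describe (matching the third-party component inventory against CVE records, then triaging the critical issues first), as an added example that is not from the presentation; the package names, versions and CVE IDs are constructed placeholders, and a real scan would take its records from a feed such as the NVD.

```python
import re
from dataclasses import dataclass

# Added example, not code from the presentation. The inventory and the CVE
# records further down are constructed sample data with placeholder CVE IDs.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Cve:
    cve_id: str     # placeholder identifier, not a real CVE
    package: str
    fixed_in: str   # first version that is no longer affected
    severity: str


def parse_version(version):
    """'1.2.10' -> (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def version_lt(a, b):
    """True when a < b; pads with zeros so that '1.2' equals '1.2.0'."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    return va + (0,) * (width - len(va)) < vb + (0,) * (width - len(vb))


def find_known_vulnerabilities(inventory, cve_records):
    """Return (package, version, cve_id, severity) for each affected component,
    most severe first, so the critical issues are triaged before the rest."""
    findings = [
        (package, version, cve.cve_id, cve.severity)
        for package, version in inventory.items()
        for cve in cve_records
        if cve.package == package and version_lt(version, cve.fixed_in)
    ]
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[3]])


# Constructed sample data: a product's third-party components and a CVE feed.
INVENTORY = {"libexample": "1.2.3", "netparse": "0.9.0", "jsonlib": "4.1.0"}
CVE_RECORDS = [
    Cve("CVE-0000-0002", "netparse", "1.0.0", "medium"),
    Cve("CVE-0000-0001", "libexample", "1.2.4", "critical"),
    Cve("CVE-0000-0003", "jsonlib", "4.0.2", "high"),  # already fixed in 4.1.0
]

if __name__ == "__main__":
    for pkg, ver, cve_id, sev in find_known_vulnerabilities(INVENTORY, CVE_RECORDS):
        print(f"{sev:8} {pkg} {ver} affected by {cve_id}")
```

Re-running the scan on each sprint's integrate-and-test step and charting the count of findings per severity gives the baseline and trend the defect-reduction slide asks for.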