

Top 10 Tips for Improving Your Open Source Software Governance : Page 2

Open source components can be a boon for your software development, but they can also present risks. These 10 tips will help you manage the use and risks of open source throughout the application development lifecycle.


6. Standardize on a Common Set of Open Source Components

Lower maintenance costs by reducing the number of components that need to be supported. Limit the number of components that need to be evaluated as well.

7. Analyze and Continuously Monitor All Applications

To identify security vulnerabilities and licensing issues, examine the complete bill of materials for your applications, not just first-level dependencies. Flawed components may be hidden deep within your applications as transitive dependencies. When vulnerabilities are discovered, quickly analyze and repair them.

Analyze existing applications too, not just new ones -- it's never too late to find and fix issues. For mission-critical applications, you might consider using heavyweight scanners that examine the complete source code.
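The point about looking past first-level dependencies, as an added example that is not from the original article: a Python script that walks a constructed bill of materials (component names, versions, the vulnerability list and the licence policy are all invented sample data), reports each flagged component with the shortest dependency chain that pulls it in, and shows how many of those findings a first-level-only check would have seen.

```python
from collections import deque

# Constructed sample bill of materials (invented names): coordinate -> (licence, direct deps).
SAMPLE_BOM = {
    "app:web:1.0": ("Proprietary", ["lib:http-client:2.3", "lib:json:1.1"]),
    "lib:http-client:2.3": ("Apache-2.0", ["lib:codec:0.9"]),
    "lib:json:1.1": ("MIT", ["lib:codec:0.9", "lib:logging:3.0"]),
    "lib:codec:0.9": ("Apache-2.0", ["lib:compat:0.1"]),
    "lib:logging:3.0": ("LGPL-2.1", []),
    "lib:compat:0.1": ("GPL-3.0", []),
}
# Constructed policy inputs: known-vulnerable coordinates and licences the policy forbids.
KNOWN_VULNERABLE = {"lib:codec:0.9"}
FORBIDDEN_LICENSES = {"GPL-3.0"}


def audit_bom(bom, root, vulnerable, forbidden):
    """Breadth-first walk from root over every transitive dependency.
    Returns (coordinate, issue, depth, path): depth 1 is a first-level dependency,
    path is the shortest chain from the root that pulls the component in."""
    findings, seen = [], set()
    queue = deque([(root, [root])])
    while queue:
        coord, path = queue.popleft()
        if coord in seen:  # already reported via a shorter (or equal) chain
            continue
        seen.add(coord)
        depth, chain = len(path) - 1, " -> ".join(path)
        licence, deps = bom.get(coord, ("UNKNOWN", []))  # undeclared: the BOM is incomplete
        if coord in vulnerable:
            findings.append((coord, "known vulnerable", depth, chain))
        if licence in forbidden:
            findings.append((coord, f"forbidden licence {licence}", depth, chain))
        for dep in deps:
            queue.append((dep, path + [dep]))
    return findings


def first_level_findings(bom, root, findings):
    """Subset a first-level-only check would see; everything else is hidden deeper."""
    direct = set(bom[root][1])
    return [f for f in findings if f[0] in direct]


if __name__ == "__main__":
    results = audit_bom(SAMPLE_BOM, "app:web:1.0", KNOWN_VULNERABLE, FORBIDDEN_LICENSES)
    for coord, issue, depth, path in results:
        print(f"[depth {depth}] {coord}: {issue} via {path}")
    visible = first_level_findings(SAMPLE_BOM, "app:web:1.0", results)
    print(f"{len(visible)} of {len(results)} findings visible from first-level dependencies alone")
```

With this sample both problems sit two or three levels down, so a scan of direct dependencies alone reports nothing.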

8. Establish Well-Defined Channels of Acquisition for Each Open Source Component

You must have a trusted source for each component, such as the Central Repository.

9. Establish a Policy of Service and Support

Determine the level of support required and identify the resources required. For some projects, community-based support will be fine. Others will demand commercial service and support contracts with binding SLAs.

10. Benchmark Your Current Usage of Open Source Components

Benchmarking will help you understand where you are starting from and set realistic goals:

  • Evaluate compliance to existing open source policies.
  • Identify which groups are using open source components, including what they are downloading from outside sources.
  • Identify problematic components being used in applications that are in development or in production.
  • Classify existing projects based on business importance to identify potential risks and provide a mechanism to establish the role and value of OSS within your organization's existing software portfolio.

Jason van Zyl is CTO of Sonatype, makers of software development tools, information and services that enable organizations to build software using open-source components.