124 Core Software Security
4.4 Open-Source Selection
There has been an increasing trend in the software industry over the last
few years to draw on the strengths of both open-source and proprietary
software to deliver the highest value at the lowest cost. The blend of both
is called “mixed source” and is becoming a dominant practice in industry.
Understanding and managing the licensing of your software assets will
be critical as open source becomes an ever-greater part of the software
development landscape, but this is beyond the scope of our discussion
and will be handled by others on the software development team.
There is an ongoing debate as to whether open-source software
increases software security or is detrimental to it, but the bottom line is
that you are importing software into your software application or solution
that your company did not develop or have security oversight over.
This will require an extensive review, typically called a third-party security
assessment, that will be conducted by your software security architect, a
third party, or a combination of both. While it may be tempting to rely
on tools and a cursory review of the open-source development processes,
without the proper training and experience it is easy to misinterpret
results and difficult to create an actionable remediation strategy. That
is why senior software security architects or the third-party equivalent
must be involved in this review process. They have years of code security
auditing experience, routinely review and mitigate highly complex and
advanced software security and architectural challenges, know how to
identify and examine vulnerable points in design, and can uncover flaws
that may result in a security compromise. Essentially, the review of
any open-source software or component used in your software product
will require both tool assessment and follow-on threat modeling and risk
assessment conducted by a seasoned software security architect.
4.5 Privacy Information Gathering and Analysis
It is important to consider early in the SDLC whether the system will transmit,
store, or create information that may be considered privacy information.
The gathering of information and identification and plan for implementing
proper safeguards and security controls, including processes to address