cclements
Newcomer II

Open-source policy templates

Dear ISC^2 Colleagues,

I've been tasked with creating a policy that governs the adoption, use, and contribution to open-source projects, libraries, and software. I started with NIST and CSF to find their recommendations but haven't found much more than "the organization devises an open-source policy".

I've identified some concerns. Firstly, what are your suggestions? Did I miss something? Secondly, do you have a template or actual policy you can share that will serve as a jumping-off point?

  1. License (which open-source licenses shall we permit).
  2. Sanctioning process - establish a process by which open-source projects, code, libraries, or software is reviewed and "sanctioned for use". The result shall be a curated repository of projects or packages, or perhaps a list?
    1. Favor popular projects.
    2. Observe the patch frequency.
    3. Observe response to vulnerabilities.
  3. Mandatory SCA for projects using third-party (open-source) libraries.
  4. Create a process by which a security lead is informed of vulnerabilities in a sanctioned project.
  5. Manual code review (this may not be practical).
  6. Create a policy addressing contribution to open-source projects. Consider the protection of the company's IP.

Thanks!

Chris

10 Replies
cclements
Newcomer II

Thank you for sharing this link.