BANGALORE, INDIA: In challenging economic times, how do internal application development teams continue to deliver higher quality software and Web applications with fewer resources? Unlike in past economic downturns, development teams today have a resource they can turn to in order to lower the costs of development, maintain high quality, and decrease the long-run cost of ownership: open source software.
The use of open source, one of the most groundbreaking trends in the software industry, is no longer limited to experimental or internal-use-only projects. With experience in auditing billions of lines of code for Fortune 100 as well as start-up companies, Palamida has seen some of the most productive and cost-saving uses of open source by market leaders across all industries.
Palamida has reviewed 25 open source projects that have proven to be among the most reliable, innovative, and enterprise-ready open source projects available on the market.
Whether they start with these 25 open source projects or others, organizations should be thinking about broadening their open source use to help trim engineering budgets and bridge the gap left by reduced staff.
Adopting and Managing Open Source Securely
Because of its self-service support and maintenance conventions and informal procurement process, open source software often requires different management techniques than commercial software.
Organizations that employ best practices in open source software management maximize the benefits of open source and minimize any security or operational risks. A best practices management workflow does not have to be disruptive, once policy and procedures are established. Each organization’s own implementation will be different, depending on size and business model, but will always contain the following stages: assessment, policy, open source repository, code audit, and ongoing management.
Assessment
A process must be in place for assessment and registration of open source introduced into the code base by individual developers. An organization should establish an Open Source Review Board, which in small companies may consist of one person, while in larger ones it might consist of multiple members representing cross-functional roles. The best system is one that enables auto-approvals based on defined criteria, and brings only the exceptional cases to the attention of authorizing personnel.
Policy
An open source policy is critical to any open source management process. It defines the criteria for allowable open source use. Policies can range from broad and simple to more granular and tightly managed; policies are typically dependent on an organization’s business and software distribution model.
Open Source Repository
As organizations take time to review and approve open source projects and license terms and obligations, they can establish a “gold vault” of versions approved for use. The existence of an open source repository greatly reduces the risk of including outdated, vulnerable or unstable project versions. It also makes it easier for security and management teams to track and monitor patch, remediation and version updates.
Code Audit
Code audits are essential for ensuring adherence to policy. Audits can be done manually through simple string search or with automated tools triggered by build systems. Depending on the size of the organization, code audits can be conducted continually during the development and QA cycle or at specific checkpoint stages.
Organizations should ensure that their chosen audit methodology can identify open source in both source and binary code, so that no open source in use is missed. The most important result of the code audit is a clear, concise inventory listing every open source component in use, with its version, description, and location in the code base. The inventory should confirm that all open source is in compliance with corporate policy and alert users to any open source that is not.
Ongoing Management After Shipment or Deployment
Effective open source management requires tracking open source components, their attributes (including their versions and download origin), license terms and compliance, their owners within the organization, and where they are used. Most important, however, is the ongoing ability of security professionals and managers to receive new security vulnerability alerts regarding open source projects in use.
The smallest organizations may find that manually monitoring various open source community pages may be sufficient. Most organizations, however, are already using dozens to hundreds of open source projects. Since they cannot manually monitor hundreds of open source community sites, these organizations need to rely on an automated system that will push them new security information and patch and update alerts.
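The workflow above (registration and inventory, policy, gold vault, code audit, vulnerability alerts) can be expressed as a small, runnable check. The following is an added example written for this page; it is not Palamida's product or any real audit tool. It performs the simple string-search audit the text mentions over a constructed in-memory code tree, compares what it finds against a constructed inventory, and then checks each inventoried component against a policy, an approved-version gold vault, and a list of vulnerability alerts. Every component name, version, URL and alert id is constructed for illustration; a real alert feed would also supply affected version ranges rather than exact versions.

```python
# Added example, not Palamida's product: a minimal open source audit that
# (1) finds open source in a code tree by simple string search for license
# phrases, (2) checks each inventoried component against policy and the
# approved-version "gold vault", and (3) flags outstanding vulnerability alerts.
# Every name, version, URL and alert id below is constructed for illustration.
from dataclasses import dataclass

# Phrases a string-search audit looks for in source files -> license family.
# The LGPL phrase is listed first so it is not mistaken for plain GPL text.
LICENSE_MARKERS = {
    "GNU Lesser General Public License": "LGPL",
    "GNU General Public License": "GPL",
    "Apache License, Version 2.0": "Apache-2.0",
    "Permission is hereby granted, free of charge": "MIT",
    "zlib License": "Zlib",
}


@dataclass(frozen=True)
class Component:
    """One inventory row produced by the registration / code audit step."""
    name: str
    version: str
    license: str
    location: str  # directory prefix in the code base
    origin: str    # download origin recorded at registration


@dataclass
class Policy:
    allowed_licenses: set        # auto-approved by the review board
    review_licenses: set         # allowed only with explicit review board sign-off
    approved_versions: dict      # gold vault: component name -> approved versions
    vulnerability_alerts: dict   # component name -> {version: alert id}


def find_license_markers(tree):
    """String-search audit over {path: contents}; returns {path: license}."""
    hits = {}
    for path, text in tree.items():
        lowered = text.lower()
        for phrase, lic in LICENSE_MARKERS.items():
            if phrase.lower() in lowered:
                hits[path] = lic
                break
    return hits


def audit(tree, inventory, policy):
    """Return a sorted list of (finding, subject, detail) tuples."""
    findings = []
    # Open source found in the tree that no inventory entry covers was missed
    # at registration: the audit must surface it rather than silently skip it.
    for path, lic in find_license_markers(tree).items():
        if not any(path.startswith(c.location) for c in inventory):
            findings.append(("UNREGISTERED", path, f"{lic}-licensed code not in inventory"))
    for c in inventory:
        subject = f"{c.name} {c.version}"
        if c.license in policy.review_licenses:
            findings.append(("LICENSE_REVIEW", subject, f"{c.license} needs review board approval"))
        elif c.license not in policy.allowed_licenses:
            findings.append(("LICENSE_DISALLOWED", subject, f"{c.license} not permitted by policy"))
        if c.version not in policy.approved_versions.get(c.name, set()):
            findings.append(("NOT_IN_GOLD_VAULT", subject, "version not in approved repository"))
        alert = policy.vulnerability_alerts.get(c.name, {}).get(c.version)
        if alert:
            findings.append(("VULNERABILITY_ALERT", subject, alert))
    return sorted(findings)


# Constructed code tree (path -> contents) standing in for a real checkout.
SAMPLE_TREE = {
    "third_party/fastzip/inflate.c": "/* fastzip 1.2.3 -- released under the zlib License */",
    "third_party/jsonlib/json.c": "/* Licensed under the Apache License, Version 2.0 */",
    "third_party/cryptokit/aes.c": "/* GNU Lesser General Public License v2.1 */",
    "src/parser/grammar.c": "/* This program is free software: GNU General Public License */",
    "src/app/main.c": "/* Copyright Example Corp. Proprietary and confidential. */",
}

# Constructed inventory as registered with the review board (note that the GPL
# parser under src/parser/ was never registered).
SAMPLE_INVENTORY = [
    Component("fastzip", "1.2.3", "Zlib", "third_party/fastzip/", "https://example.invalid/fastzip"),
    Component("jsonlib", "2.0.1", "Apache-2.0", "third_party/jsonlib/", "https://example.invalid/jsonlib"),
    Component("cryptokit", "3.1.0", "LGPL", "third_party/cryptokit/", "https://example.invalid/cryptokit"),
]

SAMPLE_POLICY = Policy(
    allowed_licenses={"MIT", "Apache-2.0", "Zlib", "BSD-3-Clause"},
    review_licenses={"GPL", "LGPL"},
    approved_versions={"fastzip": {"1.2.11"}, "jsonlib": {"2.0.1"}, "cryptokit": {"3.1.0"}},
    # A real alert feed gives affected version ranges; exact versions keep this short.
    vulnerability_alerts={"fastzip": {"1.2.3": "ALERT-PLACEHOLDER-0001"}},
)

if __name__ == "__main__":
    for kind, subject, detail in audit(SAMPLE_TREE, SAMPLE_INVENTORY, SAMPLE_POLICY):
        print(f"{kind:20} {subject:24} {detail}")
```

Run against the constructed data, the audit reports four findings: the unregistered GPL parser, the fastzip version that is neither in the gold vault nor free of an open alert, and the LGPL component that is permitted only with review board sign-off. The point of keeping the tree scan and the inventory check separate is that each catches what the other cannot: the scan finds open source nobody registered, while the inventory check catches registered components whose version or license has fallen out of policy.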
It’s Your Move
Companies employing best practices in open source management track what open source they are using, where they are using it, and how they are maintaining it. They do this by employing an articulated strategy, a clear and concise usage policy, and an efficient process for ongoing management.
(The author is VP, product marketing, Palamida)