Presented at Embedded Systems Conference (ESC) Minneapolis 2018, this session discusses the most effective uses of open source software; how to maintain MISRA, CWE, OWASP, and other standards compliance across all code sources; how to avoid license risk; and how to reduce critical safety and security issues.
Source: http://www.roguewave.com/resources/white-papers/software-security-begins-with-flaw-free,-standards
Risks of embracing OSS include:
- Late releases
- Over-budget projects
- Casualties to life and limb
- Blending newly written, legacy, and open source code
With a complex – and lengthy – supply chain for most embedded development, each software contributor needs to better understand the landscape, the true costs, risks, and how to make the right decisions for when – and how – to use open source software.
Knowing how to manage and support open source software, and making sure that licenses, standards compliance, and critical safety and security issues are addressed, has become a discipline of its own.
To stay ahead of the best practices and ongoing updates in open source software, an organization needs to have one or two employees dedicated to that task. However, most organizations don’t have the resources to maintain that role, so there needs to be a process, exercising extreme caution around monitoring and implementing community updates.
Some open source updates are less critical than others, but waiting to see which ones matter is a risky game. Because open source software produces such a high volume of updates, many issues get little media coverage, and ad hoc internet searches rarely surface them. This means that organizations can sit for months, or longer, exposed and unaware that a crucial update is available. Tracking open source updates and announcements, and treating the crucial ones as high priority, should therefore be part of the process.