OWASP Good Component Practices Project

=Main=

This project will document a set of best practices for managing component vulnerability at three main gateways.

==Gateways of Component Vulnerability==

When establishing a framework for Good Component Practices, there are three gateways at which a vulnerability may occur:

 * 1) Selection of the component and where it came from (provenance)
 * 2) Integration of the component into the development environment
 * 3) Integration and maintenance of the component within the production environment

We will look at each level of vulnerability and establish a series of best practices for managing the component usage at that level. The conclusion of the project will be a set of best practices for managing open source components as part of a larger application within an enterprise system.

Mark Miller 22:04, 24 April 2013 (UTC)

==Component Selection==

 * Set standards and policy for component usage
 * Components must be actively maintained
 * Component projects must have a security contact and security announcement list
 * Component projects must use security tools and make the results public
 * Component projects must have a history of responding to security vulnerability reports in a timely manner
 * Component binaries must be generated directly from project source code using trusted tools
 * Components with known vulnerabilities must be removed or updated within 1 month of vulnerability announcement
 * Identify components needed

==Integration and Maintenance within Production Environment==

 * Scan the runtime environment for libraries, frameworks and components
 * Monitor components for vulnerabilities
 * Use the Maven “Versions” plugin to check which components are out of date
 * Update risky components
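The following script is an added example for this page, not code from the OWASP project. It carries out the first two steps above (scan the runtime environment, monitor for vulnerabilities) and applies the Component Selection rule that a known-vulnerable component must be updated within one month of the announcement. It assumes Maven-built JARs, which embed a `META-INF/maven/<groupId>/<artifactId>/pom.properties` file, and falls back to the manifest `Implementation-Version` or the file name when that file is missing. The advisory list and the three sample JARs are constructed for the demonstration; in practice the list would come from a vulnerability feed.

```python
"""Inventory JARs in a runtime directory and check them against an advisory list.
Added example for the OWASP Good Component Practices page (not project code).
"""
import os
import re
import tempfile
import zipfile
from datetime import date

# Constructed advisory feed (not real data): versions strictly below
# "fixed_in" are treated as affected.
ADVISORIES = [
    {"group": "org.example", "artifact": "widget-core", "fixed_in": "2.3.1",
     "announced": date(2013, 3, 1)},
    {"group": "org.example", "artifact": "xml-parse", "fixed_in": "1.0.5",
     "announced": date(2013, 4, 10)},
]
SLA_DAYS = 30  # page policy: remove or update within 1 month of the announcement


def parse_version(v):
    """Numeric components only; pre-release qualifiers such as -beta are ignored
    (a deliberate simplification of Maven's ordering rules)."""
    return tuple(int(n) for n in re.findall(r"\d+", v))


def _parse_kv(text, sep):
    """Parse 'key<sep>value' lines (pom.properties or MANIFEST.MF main section)."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith(("#", " ")) and sep in line:
            k, _, val = line.partition(sep)
            out[k.strip()] = val.strip()
    return out


def identify_jar(path):
    """Return (groupId, artifactId, version); groupId is None for the fallbacks."""
    with zipfile.ZipFile(path) as jar:
        names = jar.namelist()
        for name in names:
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                props = _parse_kv(jar.read(name).decode("utf-8"), "=")
                if {"groupId", "artifactId", "version"} <= props.keys():
                    return (props["groupId"], props["artifactId"], props["version"])
        if "META-INF/MANIFEST.MF" in names:  # fallback 1: manifest headers
            mf = _parse_kv(jar.read("META-INF/MANIFEST.MF").decode("utf-8"), ":")
            if "Implementation-Version" in mf:
                title = mf.get("Implementation-Title", os.path.basename(path))
                return (None, title, mf["Implementation-Version"])
    m = re.match(r"(.+?)-(\d[\w.\-]*)\.jar$", os.path.basename(path))  # fallback 2
    if m:
        return (None, m.group(1), m.group(2))
    return (None, os.path.basename(path), None)


def inventory(directory):
    """Identify every .jar below directory, in a stable order."""
    found = []
    for root, _, files in os.walk(directory):
        for f in sorted(files):
            if f.endswith(".jar"):
                found.append(identify_jar(os.path.join(root, f)))
    return found


def check(components, today, advisories=ADVISORIES):
    """Match components to advisories and flag breaches of the 1-month update SLA.
    Components identified without a groupId are matched on artifactId only (weaker)."""
    findings = []
    for group, artifact, version in components:
        if version is None:
            continue
        for adv in advisories:
            if adv["artifact"] != artifact or (group and group != adv["group"]):
                continue
            if parse_version(version) < parse_version(adv["fixed_in"]):
                age = (today - adv["announced"]).days
                findings.append({"artifact": artifact, "version": version,
                                 "fixed_in": adv["fixed_in"],
                                 "days_since_announcement": age,
                                 "sla_breached": age > SLA_DAYS})
    return findings


def build_sample_runtime(directory):
    """Write three constructed JARs: vulnerable Maven build, fixed Maven build, manifest-only."""
    def write_jar(name, entries):
        with zipfile.ZipFile(os.path.join(directory, name), "w") as z:
            for p, text in entries.items():
                z.writestr(p, text)
    write_jar("widget-core-2.2.0.jar", {
        "META-INF/maven/org.example/widget-core/pom.properties":
            "#Generated by Maven\ngroupId=org.example\nartifactId=widget-core\nversion=2.2.0\n"})
    write_jar("xml-parse-1.0.5.jar", {
        "META-INF/maven/org.example/xml-parse/pom.properties":
            "groupId=org.example\nartifactId=xml-parse\nversion=1.0.5\n"})
    write_jar("legacy-util.jar", {
        "META-INF/MANIFEST.MF":
            "Manifest-Version: 1.0\nImplementation-Title: legacy-util\nImplementation-Version: 0.9\n"})


def demo(today_iso="2013-04-24"):
    """Build the sample runtime, inventory it and check it; returns (components, findings)."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_runtime(d)
        comps = inventory(d)
        return comps, check(comps, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for finding in demo()[1]:
        print(finding)
```

Run as a script it prints one finding: `widget-core` 2.2.0 is below the fixed version 2.3.1, the advisory is 54 days old on the chosen date, so the one-month window has already been breached; `xml-parse` is at the fixed version and `legacy-util` has no advisory. Matching manifest-only JARs by artifact name alone is deliberately conservative; it can over-report, which is the safer failure mode for an inventory check.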

=Project About=