Difference between revisions of "OWASP Good Component Practices Project"

From OWASP
Jump to: navigation, search
m
m
Line 1: Line 1:
=Main=
+
=GCP Project Objectives=
  
 
This project will document a set of best practices for managing component vulnerability at three main gateways.  
 
This project will document a set of best practices for managing component vulnerability at three main gateways.  
  
== Gateways of Component Vulnerability ==
+
= Gateways of Component Vulnerability =
+
When establishing a framework for '''Good Component Practices''', there are three gateways at which a vulnerability may occur. Each of these gateways need to be policed and monitored to block or eliminate the inclusion of vulnerable components. In this section, we describe the gateways vulnerable components can be recognized and monitored for reduced risk: Consumption, Integration and Deployment.
When establishing a framework for '''Good Component Practices''', there are three gateways at which a vulnerability may occur:
+
=='''Consumption''': Selection of the component and where it came from (provenance)==
<br /><br />
+
=='''Integration''': Component management within the development environment==
#Selection of the component and where it came from (provenance)
+
=='''Deployment''': Component maintenance within the production environment==
#Integration of the component into the development environment
+
#Integration and maintenance of the component within the production environment
+
<br />
+
 
We will look at each level of vulnerability and establish a series of best practices for managing the component usage at that level. The conclusion of the project will be a set of best practices for managing open source components as part of a larger application within an enterprise system.
 
We will look at each level of vulnerability and establish a series of best practices for managing the component usage at that level. The conclusion of the project will be a set of best practices for managing open source components as part of a larger application within an enterprise system.
  
 
[[User:Mark Miller|Mark Miller]] 22:04, 24 April 2013 (UTC)
 
[[User:Mark Miller|Mark Miller]] 22:04, 24 April 2013 (UTC)
  
== Simplified Framework for Good Component Practices ==
+
= High Level Framework for Good Component Practices =
  
=== Component Selection ===
+
== Component Selection ==
 
*Set standards and policy for component usage
 
*Set standards and policy for component usage
 
**Components must be actively maintained
 
**Components must be actively maintained
Line 26: Line 23:
 
**Components with known vulnerabilities must be removed or updated within 1 month of vulnerability announcement
 
**Components with known vulnerabilities must be removed or updated within 1 month of vulnerability announcement
 
*Identify components needed
 
*Identify components needed
=== Integration into Development Environment ===
+
== Integration into Development Environment ==
  
 
+
== Integration and Maintenance within Production Environment ==
=== Integration and Maintenance within Production Environment ===
+
 
*Scan runtime enviroment for libraries, frameworks and components
 
*Scan runtime enviroment for libraries, frameworks and components
 
*Monitor components for vulnerabilities
 
*Monitor components for vulnerabilities
 
**Use Maven “Versions” plugin to check which components are out of date
 
**Use Maven “Versions” plugin to check which components are out of date
 
*Update risky components
 
*Update risky components
 +
 +
= Detailed Framework for Good Component Practices =
 +
 +
== Component Selection ==
 +
== Integration into Development Environment ==
 +
== Integration and Maintenance within Production Environment ==
  
 
=Project About=
 
=Project About=

Revision as of 12:52, 25 April 2013

Contents

GCP Project Objectives

This project will document a set of best practices for managing component vulnerability at three main gateways.

Gateways of Component Vulnerability

When establishing a framework for Good Component Practices, there are three gateways at which a vulnerability may occur. Each of these gateways need to be policed and monitored to block or eliminate the inclusion of vulnerable components. In this section, we describe the gateways vulnerable components can be recognized and monitored for reduced risk: Consumption, Integration and Deployment.

Consumption: Selection of the component and where it came from (provenance)

Integration: Component management within the development environment

Deployment: Component maintenance within the production environment

We will look at each level of vulnerability and establish a series of best practices for managing the component usage at that level. The conclusion of the project will be a set of best practices for managing open source components as part of a larger application within an enterprise system.

Mark Miller 22:04, 24 April 2013 (UTC)

High Level Framework for Good Component Practices

Component Selection

  • Set standards and policy for component usage
    • Components must be actively maintained
    • Component projects must have a security contact and security announcement list
    • Component projects must use security tools and make the results public
    • Component projects must have a history of responding to security vulnerability reports in a timely manner
    • Component binaries must be generated directly from project source code using trusted tools
    • Components with known vulnerabilities must be removed or updated within 1 month of vulnerability announcement
  • Identify components needed

Integration into Development Environment

Integration and Maintenance within Production Environment

  • Scan runtime enviroment for libraries, frameworks and components
  • Monitor components for vulnerabilities
    • Use Maven “Versions” plugin to check which components are out of date
  • Update risky components

Detailed Framework for Good Component Practices

Component Selection

Integration into Development Environment

Integration and Maintenance within Production Environment

Project About

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP Good Component Practices Project (home page)
Purpose: Good Component Practice is one of the most over looked silver bullets in the Open Source arsenal. Because of business pressure, we have found that companies are willing to risk using unverified open source components, trading off security for enhanced speed in development.

This project will use community input to document an industry acceptable process for the creation, maintenance and use of open source components.

License: Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)
who is working on this project?
Project Leader(s):
  • Mark Miller @
Project Contributor(s):
  • Trusted Software Alliance
  • Sonatype
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
  • Contact Mark Miller @ to contribute to this project
  • Contact Mark Miller @ to review or sponsor this project
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
Not Yet Published
last reviewed release
Not Yet Reviewed


other releases