OWASP Good Component Practices Project
This project will document a set of best practices for managing component vulnerability at three main gateways.
Gateways of Component Vulnerability
When establishing a framework for Good Component Practices, there are three gateways at which a vulnerability may occur:
- Selection of the component and where it came from (provenance)
- Integration of the component into the development environment
- Integration and maintenance of the component within the production environment
We will look at each level of vulnerability and establish a series of best practices for managing the component usage at that level. The conclusion of the project will be a set of best practices for managing open source components as part of a larger application within an enterprise system.
Mark Miller 22:04, 24 April 2013 (UTC)
Simplified Framework for Good Component Practices
- Set standards and policy for component usage
- Components must be actively maintained
- Component projects must have a security contact and security announcement list
- Component projects must use security tools and make the results public
- Component projects must have a history of responding to security vulnerability reports in a timely manner
- Component binaries must be generated directly from project source code using trusted tools
- Components with known vulnerabilities must be removed or updated within 1 month of vulnerability announcement
- Identify components needed
Integration into Development Environment
Integration and Maintenance within Production Environment
- Scan runtime enviroment for libraries, frameworks and components
- Monitor components for vulnerabilities
- Use Maven “Versions” plugin to check which components are out of date
- Update risky components
| PROJECT INFO
What does this OWASP project offer you?
| RELEASE(S) INFO|
What releases are available for this project?