Do I need to change the OSS in my product? Making informed decisions. Presented at BSidesManchester 2019

by Alex Burrage

Summary: Open source software runs the world; some estimates say upwards of 90% of the lines of code in products come from open source. While this has been a huge advantage, OSS comes with a different security debt and risk model compared to traditional software development. Every day, project leaders make ad hoc, instinctual decisions about their projects because they do not have the tools to be more accurate. In this talk I will discuss the various factors that contribute to the amount of security risk introduced by third-party OSS, and the factors that should go into making an informed decision about whether to keep or replace OSS in your codebase. These include past performance, the development team, release cycle, code complexity and so on. Other real-world factors that come into play are dev team experience, alternatives, the proportion of the code used and patching possibilities. Providing these quantifiable factors will allow better decisions to be made by all, and for the overall security debt to be better understood and better managed.
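As an added illustration of how the factors named in the abstract could be combined into a comparable score (this is example code written for this page, not the speaker's model), the snippet below scores two constructed dependencies and ranks them. The weights, normalisation caps, thresholds and the two components are all assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class OssComponent:
    """Hypothetical per-dependency facts gathered from the project's history and your codebase."""
    name: str
    cves_per_year: float      # past performance: historical vulnerability rate
    maintainers: int          # development team: active maintainers
    days_since_release: int   # release cycle: age of the latest release
    kloc: float               # code complexity proxy: thousands of lines
    fraction_used: float      # proportion of the component your product exercises, 0..1
    patchable: bool           # can your team carry a fix if upstream is slow
    alternatives: int         # number of viable replacements


def clamp01(x: float) -> float:
    return max(0.0, min(1.0, x))


def risk_score(c: OssComponent) -> float:
    """Weighted 0..1 risk. Weights and caps are illustrative assumptions, not a standard."""
    base = (
        0.35 * clamp01(c.cves_per_year / 5)           # 5+ CVEs a year saturates this factor
        + 0.20 * clamp01(1 - c.maintainers / 5)       # fewer maintainers, more risk
        + 0.20 * clamp01(c.days_since_release / 730)  # two years without a release saturates
        + 0.25 * clamp01(c.kloc / 100)                # 100 kLOC saturates
    )
    # The whole library is linked, so even a thin slice still carries half the exposure.
    exposure = 0.5 + 0.5 * clamp01(c.fraction_used)
    score = base * exposure
    if c.patchable:
        score *= 0.7  # being able to patch locally shortens the window of exposure
    return round(score, 3)


def recommend(c: OssComponent, replace_at: float = 0.6, watch_at: float = 0.35) -> str:
    s = risk_score(c)
    if s >= replace_at:
        return "replace" if c.alternatives > 0 else "keep, isolate and fund maintenance"
    if s >= watch_at:
        return "keep, monitor closely"
    return "keep"


def rank(components):
    """Names ordered from riskiest to safest, to prioritise review effort."""
    return [c.name for c in sorted(components, key=risk_score, reverse=True)]


# Constructed sample inventory (not real projects).
LEGACY_XML = OssComponent("legacy-xml-parser", 4.0, 1, 900, 80.0, 0.6, False, 2)
TINY_JSON = OssComponent("tiny-json", 0.5, 4, 60, 10.0, 0.9, True, 5)

if __name__ == "__main__":
    for c in (LEGACY_XML, TINY_JSON):
        print(f"{c.name}: risk={risk_score(c)} -> {recommend(c)}")
```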