Security Considerations When Including Open Source Software
Publish date: Jun 19, 2019
Before choosing to include a third party / open source software in your project, ask yourself these questions.
Is it necessary?
Can your product and should your product consider engaging with this library?
- Is it really needed and none of the libraries already integrated in your product do this job?
- Is it legally compatible?
- Is it mature enough and not relatively nascent?
Is it safe?
Then come the security related questions.
- Is it being actively maintained and issues being fixed?
- Are there no open/unfixed known security issues?
- Are you integrating with the latest available stable version?
Is it maintainable?
Finally, if you end up using it.
- Are the enhancements/fixes we make, restricted to our product or are they generic enough that they could be contributed back to open source ecosystem?
- Have you added it to your list of OSS to update whenever there are patch fixes and new releases for the library?