This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Good Component Practices Project"
Mark Miller (talk | contribs) m |
Mark Miller (talk | contribs) m |
||
| Line 17: | Line 17: | ||
== Simplified Framework for Good Component Practices == | == Simplified Framework for Good Component Practices == | ||
| − | + | === Component Selection === | |
*Set standards and policy for component usage | *Set standards and policy for component usage | ||
**Components must be actively maintained | **Components must be actively maintained | ||
| Line 26: | Line 26: | ||
**Components with known vulnerabilities must be removed or updated within 1 month of vulnerability announcement | **Components with known vulnerabilities must be removed or updated within 1 month of vulnerability announcement | ||
*Identify components needed | *Identify components needed | ||
| − | + | === Integration into Development Environment === | |
| − | + | === Integration and Maintenance within Production Environment === | |
*Scan runtime enviroment for libraries, frameworks and components | *Scan runtime enviroment for libraries, frameworks and components | ||
*Monitor components for vulnerabilities | *Monitor components for vulnerabilities | ||
Revision as of 17:34, 25 April 2013
Main
This project will document a set of best practices for managing component vulnerability at three main gateways.
Gateways of Component Vulnerability
When establishing a framework for Good Component Practices, there are three gateways at which a vulnerability may occur:
- Selection of the component and where it came from (provenance)
- Integration of the component into the development environment
- Integration and maintenance of the component within the production environment
We will look at each level of vulnerability and establish a series of best practices for managing the component usage at that level. The conclusion of the project will be a set of best practices for managing open source components as part of a larger application within an enterprise system.
Mark Miller 22:04, 24 April 2013 (UTC)
Simplified Framework for Good Component Practices
Component Selection
- Set standards and policy for component usage
- Components must be actively maintained
- Component projects must have a security contact and security announcement list
- Component projects must use security tools and make the results public
- Component projects must have a history of responding to security vulnerability reports in a timely manner
- Component binaries must be generated directly from project source code using trusted tools
- Components with known vulnerabilities must be removed or updated within 1 month of vulnerability announcement
- Identify components needed
Integration into Development Environment
Integration and Maintenance within Production Environment
- Scan runtime enviroment for libraries, frameworks and components
- Monitor components for vulnerabilities
- Use Maven “Versions” plugin to check which components are out of date
- Update risky components
Project About
| PROJECT INFO What does this OWASP project offer you? |
RELEASE(S) INFO What releases are available for this project? | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
| |||||||||||||||||||||||||||||||||||||
