This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Good Component Practices Project"
Mark Miller (talk | contribs) m |
Mark Miller (talk | contribs) m |
||
| Line 1: | Line 1: | ||
| − | =GCP Project | + | =GCP Project Objective= |
| − | This project | + | This project documents a set of best practices for managing open source component vulnerability within enterprise applications. Fundamentally, we are concerned with usage throughout the entire component life cycle, from the time a component is selected for inclusion within the application through its deployment and maintenance within the production environment. |
| + | |||
| + | We will look at each level of vulnerability and establish a series of best practices for managing component usage at that level. The conclusion of the project will be a set of best practices for managing open source components as part of a larger application within an enterprise system. | ||
= Gateways of Component Vulnerability = | = Gateways of Component Vulnerability = | ||
When establishing a framework for '''Good Component Practices''', there are three gateways at which a vulnerability may occur. Each of these gateways need to be policed and monitored to block or eliminate the inclusion of vulnerable components. In this section, we describe the gateways vulnerable components can be recognized and monitored for reduced risk: Consumption, Integration and Deployment. | When establishing a framework for '''Good Component Practices''', there are three gateways at which a vulnerability may occur. Each of these gateways need to be policed and monitored to block or eliminate the inclusion of vulnerable components. In this section, we describe the gateways vulnerable components can be recognized and monitored for reduced risk: Consumption, Integration and Deployment. | ||
| − | =='''Consumption''': Selection of the | + | =='''Consumption''': Selection of the components and where they came from (provenance)== |
=='''Integration''': Component management within the development environment== | =='''Integration''': Component management within the development environment== | ||
=='''Deployment''': Component maintenance within the production environment== | =='''Deployment''': Component maintenance within the production environment== | ||
| − | + | ||
[[User:Mark Miller|Mark Miller]] 22:04, 24 April 2013 (UTC) | [[User:Mark Miller|Mark Miller]] 22:04, 24 April 2013 (UTC) | ||
Revision as of 18:02, 25 April 2013
GCP Project Objective
This project documents a set of best practices for managing open source component vulnerability within enterprise applications. Fundamentally, we are concerned with usage throughout the entire component life cycle, from the time a component is selected for inclusion within the application through its deployment and maintenance within the production environment.
We will look at each level of vulnerability and establish a series of best practices for managing component usage at that level. The conclusion of the project will be a set of best practices for managing open source components as part of a larger application within an enterprise system.
Gateways of Component Vulnerability
When establishing a framework for Good Component Practices, there are three gateways at which a vulnerability may occur. Each of these gateways need to be policed and monitored to block or eliminate the inclusion of vulnerable components. In this section, we describe the gateways vulnerable components can be recognized and monitored for reduced risk: Consumption, Integration and Deployment.
Consumption: Selection of the components and where they came from (provenance)
Integration: Component management within the development environment
Deployment: Component maintenance within the production environment
Mark Miller 22:04, 24 April 2013 (UTC)
High Level Framework for Good Component Practices
Component Selection
- Set standards and policy for component usage
- Components must be actively maintained
- Component projects must have a security contact and security announcement list
- Component projects must use security tools and make the results public
- Component projects must have a history of responding to security vulnerability reports in a timely manner
- Component binaries must be generated directly from project source code using trusted tools
- Components with known vulnerabilities must be removed or updated within 1 month of vulnerability announcement
- Identify components needed
Integration into Development Environment
Integration and Maintenance within Production Environment
- Scan runtime enviroment for libraries, frameworks and components
- Monitor components for vulnerabilities
- Use Maven “Versions” plugin to check which components are out of date
- Update risky components
Detailed Framework for Good Component Practices
Component Selection
Integration into Development Environment
Integration and Maintenance within Production Environment
Project About
| PROJECT INFO What does this OWASP project offer you? |
RELEASE(S) INFO What releases are available for this project? | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
| |||||||||||||||||||||||||||||||||||||
