This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
OWASP Good Component Practices Project
GCP Project Objectives
This project will document a set of best practices for managing component vulnerability at three main gateways.
Gateways of Component Vulnerability
When establishing a framework for Good Component Practices, there are three gateways at which a vulnerability may occur. Each of these gateways need to be policed and monitored to block or eliminate the inclusion of vulnerable components. In this section, we describe the gateways vulnerable components can be recognized and monitored for reduced risk: Consumption, Integration and Deployment.
Consumption: Selection of the component and where it came from (provenance)
Integration: Component management within the development environment
Deployment: Component maintenance within the production environment
We will look at each level of vulnerability and establish a series of best practices for managing the component usage at that level. The conclusion of the project will be a set of best practices for managing open source components as part of a larger application within an enterprise system.
Mark Miller 22:04, 24 April 2013 (UTC)
High Level Framework for Good Component Practices
Component Selection
- Set standards and policy for component usage
- Components must be actively maintained
- Component projects must have a security contact and security announcement list
- Component projects must use security tools and make the results public
- Component projects must have a history of responding to security vulnerability reports in a timely manner
- Component binaries must be generated directly from project source code using trusted tools
- Components with known vulnerabilities must be removed or updated within 1 month of vulnerability announcement
- Identify components needed
Integration into Development Environment
Integration and Maintenance within Production Environment
- Scan runtime enviroment for libraries, frameworks and components
- Monitor components for vulnerabilities
- Use Maven “Versions” plugin to check which components are out of date
- Update risky components
Detailed Framework for Good Component Practices
Component Selection
Integration into Development Environment
Integration and Maintenance within Production Environment
Project About
PROJECT INFO What does this OWASP project offer you? |
RELEASE(S) INFO What releases are available for this project? | |||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|