Your organization is considering employing open source components in a software development project. Which of the following is the least concern? (Wentz QOTD)
A. Costs
B. Back doors
C. Test coverage
D. Intellectual property
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Test coverage.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
When evaluating an open-source component, test coverage is often ignored. Instead, the number of downloads or word-of-mouth plays a crucial role. Even though open-source projects often come with unit testing, test coverage metrics are not standards.
Intellectual property
Open-source software doesn’t belong to the public domain. It is still licensed by the copyright holder.
Open-source software (OSS) is computer software that is released under a license in which the copyright holder grants users the rights to use, study, change, and distribute the software and its source code to anyone and for any purpose.
Source: Wikipedia
Costs
It’s not free software either, even though most of the open-source software can be acquired at no cost. Some vendors license software and make the source code open and allow customers to modify them. Some call this source-available or shared source, which can be broadly treated as part of the open-source.
Back Doors
Open-source software is typically regarded as safer than proprietary software, but it’s not risk-free. For example, Chinese hackers target Linux systems with RedXOR backdoor or Huawei (a China manufacturer) attempts inserting backdoor/vulnerability to Linux.
The Public Domain
The term “public domain” refers to creative materials that are not protected by intellectual property laws such as copyright, trademark, or patent laws. The public owns these works, not an individual author or artist. Anyone can use a public domain work without obtaining permission, but no one can ever own it.
Source: Stanford
Reference
您的組織正在考慮在軟件開發項目中使用開源組件。 以下哪一項是最不用擔心的? (Wentz QOTD)
A. 成本
B. 後門
C. 測試覆蓋率
D. 知識產權
Pingback: 在軟體開發項目中使用開源組件,最不關心的是測試覆蓋率 – Choson資安大小事