Board for software standardisation and control
Enterprise architecture or enterprise risk groups sometimes take on the responsibility of creating and managing standards review boards.

When the standards are implemented directly as software, the responsible champion might be a DevOps manager, release engineer, or whoever owns the associated deployment artifact.

Open source components included in the software portfolio, including those integrated at runtime, are identified and reviewed to understand their dependencies. Organizations use a variety of tools and the metadata produced by delivery pipelines to discover outdated component versions with known vulnerabilities, or cases where their software depends on multiple versions of the same component.

Automated tools for finding open source, whether whole components or large chunks of borrowed code, are one way to approach this activity. An informal annual review, or a process that relies solely on developers asking for permission, does not generate satisfactory results. Some organizations combine composition analysis results from multiple phases of the software lifecycle (for example, build-time dependency resolution and scans of the deployed artifact) in order to get a more complete and accurate view of the open source being included.

The SSG works with the legal department to create standard SLA boilerplate for use in contracts with vendors and outsource providers, including cloud providers, to require software security efforts.

The legal department understands that the boilerplate also helps prevent compliance and privacy problems. Under the agreement, vendors and outsource providers must meet company-mandated software security standards see [CP2.

The organization has control over its exposure to the risks that come along with using open source components and all the involved dependencies, including dependencies integrated at runtime.

The use of open source could be restricted to predefined projects, or to a short list of open source versions that have been through an approved security screening process, have had unacceptable vulnerabilities remediated, and are made available only through specific internal repositories and containers.

For some use cases, policy might preclude any use of open source.
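The two open source activities above, identifying components across pipeline phases and controlling exposure through an approved list, are easiest to see against concrete inventory data. The following is an added example, not BSIMM's or any vendor's tooling. It merges two constructed CycloneDX-style SBOMs (one from build-time dependency resolution, one from scanning the runtime container image), then reports components present in more than one version, versions older than the fix version in a constructed advisory list, and versions that are not on a constructed allowlist of screened releases. All component names, versions, advisories and the allowlist are made up for illustration.

```python
"""Constructed example: reconcile component inventories from two pipeline
phases, then flag duplicate versions, known-vulnerable versions and versions
outside an approved allowlist. Not BSIMM's own tooling; all data is made up."""
import json
from collections import defaultdict

# Constructed CycloneDX-style SBOM from the build phase (lock-file resolution).
BUILD_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "acme-logger", "version": "1.2.0"},
        {"type": "library", "name": "acme-json", "version": "3.0.1"},
        {"type": "library", "name": "acme-http", "version": "2.4.0"},
    ],
})

# Constructed SBOM from scanning the runtime container image: the base image
# ships its own acme-logger, so the artifact carries two versions at runtime.
RUNTIME_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "acme-logger", "version": "1.0.3"},
        {"type": "library", "name": "acme-logger", "version": "1.2.0"},
        {"type": "library", "name": "acme-yaml", "version": "0.9.0"},
    ],
})

# Constructed advisory data (hypothetical): versions below "fixed_in" are affected.
KNOWN_VULNERABLE = [
    {"name": "acme-logger", "fixed_in": "1.1.0"},
    {"name": "acme-yaml", "fixed_in": "1.0.0"},
]

# Constructed allowlist of screened versions served from the internal repository.
APPROVED = {
    "acme-logger": {"1.2.0"},
    "acme-json": {"3.0.1"},
    "acme-http": {"2.4.0"},
}


def load_components(sbom_text):
    """Return (name, version) pairs for every top-level component in a CycloneDX JSON SBOM."""
    doc = json.loads(sbom_text)
    return [(c["name"], c["version"]) for c in doc.get("components", [])]


def merge_inventories(*inventories):
    """Union of several phases' inventories, de-duplicated on (name, version)."""
    return sorted(set().union(*inventories))


def parse_version(v):
    """Dotted numeric version to a comparable tuple, e.g. '1.2.0' -> (1, 2, 0)."""
    return tuple(int(p) for p in v.split("."))


def find_multiple_versions(components):
    """Names that appear with more than one version, mapped to their sorted versions."""
    by_name = defaultdict(set)
    for name, version in components:
        by_name[name].add(version)
    return {n: sorted(v, key=parse_version) for n, v in by_name.items() if len(v) > 1}


def find_known_vulnerable(components, advisories=KNOWN_VULNERABLE):
    """(name, version) pairs older than the fix version recorded in an advisory."""
    fixed = {a["name"]: parse_version(a["fixed_in"]) for a in advisories}
    return sorted((n, v) for n, v in components
                  if n in fixed and parse_version(v) < fixed[n])


def find_unapproved(components, approved=APPROVED):
    """(name, version) pairs not on the allowlist of screened versions."""
    return sorted((n, v) for n, v in components if v not in approved.get(n, set()))


def review(build_sbom=BUILD_SBOM, runtime_sbom=RUNTIME_SBOM):
    """Run the three checks over the merged inventory of both phases."""
    inventory = merge_inventories(load_components(build_sbom),
                                  load_components(runtime_sbom))
    return {
        "inventory": inventory,
        "multiple_versions": find_multiple_versions(inventory),
        "known_vulnerable": find_known_vulnerable(inventory),
        "unapproved": find_unapproved(inventory),
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}: {value}")
```

The runtime scan is what exposes the second acme-logger version and the unvetted acme-yaml; neither appears in the build-time inventory, which is the point of combining phases. Two simplifications to note before reusing this: the version comparison assumes plain dotted numeric versions, so real ecosystems need their own rules (semantic versioning pre-release tags, PEP 440 for Python), and advisory data should come from a maintained feed rather than an inline list. Nested components and the CycloneDX "scope" field are ignored here.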