Security Guidelines for the Usage of Open Source Software

University essay from KTH/Skolan för elektroteknik och datavetenskap (EECS)

Abstract: Open-source software is on average used in more than 65% of the applications within the domains of enterprise software, retail and e-commerce, cybersecurity and internet of things (Synopsys, 2019). With the frequent use of open-source software, security issues arise which need to be handled. These include, among other issues, unpatched vulnerabilities and malicious code (Schryen, 2011). Security guidelines for open-source software usage have been defined by numerous security organizations in an effort to increase effective security handling of open-source software within organizations. These guidelines often cover directives on many layers of an organization and are often lacking information necessary for them to be understandable, reliable, and useful to the person using them.

The purpose of this study is to contribute to increased software security related to open-source software usage, by exploring and providing information on the topic, and by defining a set of improved security guidelines that cover both what measures to take to minimize security risks and how to implement them, based on the published state-of-the-art security guidelines for using open-source software.

The subject was investigated through a research process focused on answering whether the current state-of-the-art security guidelines could be improved, using a qualitative research type based on a document analysis data collection method. The research was exploratory in its design, and the main focus was to explore the subject by trying to answer the posed research question.

By investigating the state of contemporary security guidelines found in the literature, and evaluating them against a set of desirable attributes for high-quality guidelines, it became evident that the contemporary guidelines could be improved. An effort was therefore made to build on the guidelines found and improve them by trying to resolve the issues identified through the evaluation. The effort of trying to improve existing guidelines resulted in a new set of guidelines including added information and reformulations; however, the changes made could not be said to be conclusive or objective improvements. Instead, they present suggestions for how and in what aspects the contemporary guidelines could be improved.
