科技回声 (Tech Echo)

A tech news platform built on Next.js, providing global tech news and discussion content.

© 2025 科技回声. All rights reserved.
Ask HN: How do you evaluate security of OSS before importing?

5 points by riyakhanna1983, over 6 years ago
What tools can I use to evaluate the security posture of an OSS project before I approve its usage with high confidence?

2 comments

reiger, over 6 years ago

There are commercial products/services out there that attempt to provide validated OSS packages and monitor when the ones you are using have vulnerabilities.

In the data science world, there is anaconda. For the enterprise, there is black duck software, myget, libraries.io and the commercial variant, and a few others.

My internal checklist:
1) Is the license OSI approved (IP indemnification and IP taint is a risk)
2) What's the community like for it (is it well used, do security incidents get tracked and handled quickly)
3) What security assurance have they done (some OSS has funders who have paid for testing; what kind of test suites do they have)
4) Add security alerts for the OSS to my RSS feeds to help monitor
5) Enforce a policy to sync to upstream pretty frequently, as many OSS security bugs get silently fixed

If I don't have confidence at this point, I will have some static analysis performed (lots of tools here) as a last-measure sanity check. I know lots of bugs won't be uncovered by that, but it's an indicator of development goodness.

Would love to hear what others are doing, as we are a small shop and use 1000+ OSS packages.
westurner, over 6 years ago

Oddly, whether a project has at least one CVE reported could be interpreted in favor of the project. https://www.cvedetails.com

Do they have a security disclosure policy? A dedicated security mailing list?

Do they pay bounties or participate in e.g. Pwn2Own?

Do they cryptographically sign releases?

Do they cryptographically sign VCS tags (~releases)? Commits? `git tag -s` / `git commit/merge -S` https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work

Downstream packagers do sometimes/often apply additional patches and then sign their release with the repo (and thus system global) GPG key.

Whether they require "Signed-off-by" may indicate that the project has mature controls and possibly a formal code review process requirement. (Look for "Signed-off-by:" in the release branch (`git commit/merge -s/--signoff`).)

How have they integrated security review into their [iterative] release workflow?

Is the software formally verified? Are parts of the software implementation or spec formally verified?

Does the system trust the channel? The host? Is it a 'trustless' system?

What are the single points of failure?

How is logging configured? To syslog?

Do they run the app as root in a Docker container? Does it require privileged containers?

If it has to run as root, does it drop privileges at startup?

Does the package have an SELinux or AppArmor policy? (Or does it say e.g. "just set SELinux to permissive mode"?)

Is there someone you can pay to support the software in an enterprise environment?
Open or closed, such contracts basically never accept liability; but if there is an SLA, do you get a pro-rated bill?

As far as indicators of actual software quality:

How much test coverage is there? Line coverage or statement coverage?

Do they run static analysis tools for all pull requests and releases? Dynamic analysis? Fuzzing?

Of course, closed or open source projects may do none or all of these and still be totally secure, insecure, or unsecure.
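Two of the checks raised in the comment above, "Signed-off-by:" trailers on the release branch and cryptographically signed tags, are easy to script when reviewing a dependency. The following is an added example, not code from this thread or from any project it mentions: it parses the plain-text output of `git log --format='%H%n%B%x00'` (one commit per NUL-separated record) and of `git tag -v <tag>`, and reports how many commits carry a sign-off and whether a tag's signature verified. The embedded `SAMPLE_*` strings are constructed stand-ins for that output, not real project data, so the block runs offline; in practice you would feed it the captured output of those two git commands.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample of `git log --format='%H%n%B%x00'` output: three
# hypothetical commits, two of which carry a Signed-off-by trailer.
SAMPLE_GIT_LOG = (
    "a1b2c3d\nFix parser overflow\n\n"
    "Signed-off-by: Alice Example <alice@example.org>\n\x00"
    "e4f5a6b\nBump version\n\x00"
    "c7d8e9f\nAdd fuzz target\n\n"
    "Signed-off-by: Bob Example <bob@example.org>\n"
    "Reviewed-by: Alice Example <alice@example.org>\n\x00"
)

# Constructed samples of `git tag -v` output in the states a reviewer meets.
SAMPLE_TAG_GOOD = (
    "object 0123456789abcdef\ntype commit\ntag v1.0\n"
    "gpg: Signature made Mon 01 Jan 2024 10:00:00 UTC\n"
    'gpg: Good signature from "Alice Example <alice@example.org>" [ultimate]\n'
)
SAMPLE_TAG_UNTRUSTED_KEY = (
    "gpg: Signature made Mon 01 Jan 2024 10:00:00 UTC\n"
    'gpg: Good signature from "Bob Example <bob@example.org>" [unknown]\n'
    "gpg: WARNING: This key is not certified with a trusted signature!\n"
)
SAMPLE_TAG_NO_KEY = (
    "gpg: Signature made Mon 01 Jan 2024 10:00:00 UTC\n"
    "gpg: Can't check signature: No public key\n"
)
SAMPLE_TAG_UNSIGNED = "error: no signature found\n"

# A sign-off trailer must name a person and an address in angle brackets.
SIGNOFF_RE = re.compile(r"^Signed-off-by:\s+.+\s<[^<>@\s]+@[^<>\s]+>\s*$", re.MULTILINE)


def iter_commits(log_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (sha, message body) pairs from NUL-separated git log records."""
    for chunk in log_text.split("\x00"):
        chunk = chunk.strip()
        if not chunk:
            continue
        sha, _, body = chunk.partition("\n")
        yield sha, body


def signoff_stats(log_text: str) -> Tuple[int, int]:
    """Return (commits with a valid Signed-off-by trailer, total commits)."""
    signed = total = 0
    for _sha, body in iter_commits(log_text):
        total += 1
        if SIGNOFF_RE.search(body):
            signed += 1
    return signed, total


def unsigned_commits(log_text: str) -> List[str]:
    """List the SHAs that reached the branch without a sign-off trailer."""
    return [sha for sha, body in iter_commits(log_text) if not SIGNOFF_RE.search(body)]


def classify_tag_verification(output: str) -> str:
    """Map `git tag -v` output to one of: bad, unknown-key, good-untrusted, good, unsigned, unknown.

    A "good" signature from a key nobody in your trust path has certified is
    only evidence that *some* key signed the tag, so it is reported separately.
    """
    text = output.lower()
    if "bad signature" in text:
        return "bad"
    if "can't check signature" in text or "no public key" in text:
        return "unknown-key"
    if "good signature from" in text:
        if "this key is not certified" in text:
            return "good-untrusted"
        return "good"
    if "no signature found" in text:
        return "unsigned"
    return "unknown"


if __name__ == "__main__":
    signed, total = signoff_stats(SAMPLE_GIT_LOG)
    print(f"sign-off coverage: {signed}/{total}; missing: {unsigned_commits(SAMPLE_GIT_LOG)}")
    for name, sample in [("v1.0", SAMPLE_TAG_GOOD), ("v1.1", SAMPLE_TAG_UNTRUSTED_KEY),
                         ("v1.2", SAMPLE_TAG_NO_KEY), ("v0.9", SAMPLE_TAG_UNSIGNED)]:
        print(f"tag {name}: {classify_tag_verification(sample)}")
```

The sign-off ratio is only a process signal, as the comment notes: a trailer is a plain line of text that anyone can add. The tag check is the stronger control, and only the plain "good" result means the signing key was one you had already chosen to trust; "good-untrusted" and "unknown-key" both call for obtaining and verifying the maintainers' key through a channel other than the repository itself before relying on the release.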