Done translating

sources/talk/20140811 How to Achieve Better Security With Proper Management of Open Source.md

@@ -1,67 +0,0 @@
-[sailing]
-How to Achieve Better Security With Proper Management of Open Source
-================================================================================
-![Bill Ledingham is the Chief Technology Officer (CTO) and Executive Vice President of Engineering at Black Duck Software.](http://www.linux.com/images/stories/41373/Bill-Ledingham.jpg)
-Bill Ledingham is the Chief Technology Officer (CTO) and Executive Vice President of Engineering at Black Duck Software.
-
-Companies increasingly understand that the key to developing innovative software faster and better than the competition is through the use of open source software (OSS). It’s nearly impossible to use only commercially sourced code and get your software to market with the speed and cost constraints required by today’s product life cycles. Without the ability to choose and integrate best-of-breed OSS, some of the greatest product ideas might never see the light of day.
-
-With the use of open source, however, comes a different set of challenges. While your teams can gain speed and agility, it’s often more difficult to ascertain the code’s true origin and assure that it is secure.
-
-As the OpenSSL Heartbleed vulnerability proved, not knowing what code is in your application or finished product can potentially create critical security threats that require time-consuming remediation efforts. Conversely, having an accurate inventory of what OSS components and versions are used and where can prove invaluable for quickly responding to and remediating vulnerabilities.
-
-### It’s What’s Inside That Counts ###
-
-The Heartbleed bug reminded developers and companies just how important security is. While there has been widespread debate over whether proprietary or open source software is more secure, the issue is largely moot. The reality is that code defects exist in most pieces of software, regardless of origin, and some affect security.
-
-Security challenges can become even more complex when open source is integrated with internal, proprietary code. In addition to the obvious risk of not properly managing license compliance, tracking code origins and use throughout an organization can become very difficult, very quickly.
-
-To have a truly accurate understanding of your potential vulnerabilities, you need to understand three things:
-
-1. What code is in your current products and applications?
-1. What code is being used in the front end of the development process and where are developers acquiring these components?
-1. What components are being used at the back end of the process and where does code need to be validated before it is deployed?
-
-### Assessing the Situation ###
-
-All companies should check their code against common vulnerability databases, such as the United States National Institute of Standards and Technology’s [National Vulnerability Database][1] (NVD). Resources like the NVD track security vulnerabilities and provide severity rankings to help companies keep their code secure and up to date.
-
-If you’ve never reviewed your code against a vulnerability database, it may seem like a daunting task. Fortunately, there are [tools][2] that leverage these databases to regularly and automatically identify all open source security vulnerabilities, alerting and tracking where affected components are in use and in need of remediation.
-
-Continuously monitoring your codebase helps guarantee that unknown code is identified, code origin is understood, license information is up to date and future security vulnerabilities are quickly flagged for resolution. If your company has an accurate code inventory in place, you can easily find vulnerable code and remediate it to ensure your business – and your customers – remain secure.
-
-### Preventing Future Problems ###
-
-Most developers are attracted to OSS because it’s easy to access and free to acquire, usually allowing them to forgo a formal procurement process. Yet, while many development organizations have policies or guidelines for open source use, they are not always enforced and often not properly tracked. It’s important to track what code is coming into your organization, whether it’s been approved for use and where it’s used throughout your organization.
-
-Once you know what you have, you need to establish governance. By implementing a management framework throughout the development process, you can ensure accurate descriptions of the code are captured and eliminate questions as to what code is where and whether it’s up to date. Manually managing this process is nearly impossible, which is why best-in-class companies actively manage their use of open source through automated code management and audit solutions.
-
-Although every company and development team is different, the following processes have been proven to help organizations of all sizes manage and secure their use of OSS:
-
-- **Automate Approvals and Cataloging** – Capture and track all relevant attributes of OSS components, assess license compliance and review possible security vulnerabilities through automated scanning, approval and inventory processes.
-- 
-- **Maintain Updated Code Versions** – Assess code quality and make sure your product is built using the most updated versions of the code. 
-- 
-- **Verify Code** – Evaluate all OSS in use; audit code for security, license, or export risk and remediate any issues.
-- 
-- **Ensure Compliance** – Create and implement an open source policy, establish an automated compliance process to ensure open source policies, regulations, legal obligations, etc., are followed across the organization.
-
-### Active Management is Key ###
-
-As the use of software across industries proliferates, open source will continue to play a crucial role in developing the newest innovations. To prevent security vulnerabilities in this increasingly complex environment, companies must actively manage the flow of open source throughout their organization and establish processes to regularly check their code against vulnerability databases for fast and easy remediation.
-
-*Bill Ledingham is the Chief Technology Officer (CTO) and Executive Vice President of Engineering at Black Duck Software. Previously, Bill was CTO of Verdasys, a leader in information and cyber security, where he worked closely with leading Global 2000 companies and government organizations to safeguard their most sensitive information. Bill has been on the founding team of four companies, is active in the Boston start-up community, and has been a partner/investor with CommonAngels for the past 6 years.*
-
---------------------------------------------------------------------------------
-
-via: http://www.linux.com/news/software/applications/782953-how-to-achieve-better-security-by-proper-management-of-open-source
-
-作者：[Bill Ledingham][a]
-译者：[译者ID](https://github.com/译者ID)
-校对：[校对者ID](https://github.com/校对者ID)
-
-本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译，[Linux中国](http://linux.cn/) 荣誉推出
-
-[a]:http://www.linux.com/community/forums/person/59656
-[1]:http://nvd.nist.gov/
-[2]:http://www.blackducksoftware.com/oss-logistics/secure

translated/talk/How to Achieve Better Security With Proper Management of Open Source.md

@@ -5,6 +5,62 @@ Bill Ledingham 是 Black Duck Software 公司的首席技术官（CTO）兼工
 
 越来越多的公司意识到，要想比对手率先开发出高质量具有创造性的软件，关键在于积极使用开源项目。软件版本更迭要求市场推广速度足够快，成本足够低，而仅仅使用商业源代码已经无法满足这些需求了。如果不能选择最合适的开源软件集成到自己的项目里，一些令人称道的点子怕是永无出头之日了。
 
-然而，使用开源软件也要面对新的挑战。一方面，你的团队从开源软件中汲取力量变得更快更灵活，另一方面，开源代码在传播过程中是否经历了不可控修改、安全性该如何保障的问题却日益凸显了出来。
+然而，使用开源软件也要面对新的挑战。一方面，你的团队从开源软件中汲取力量变得更快更灵活，另一方面，开源代码在传播过程中是否经历了不可控修改、安全性该如何保障的问题也日益凸显了出来。
 
 OpenSSL Heartbleed 漏洞已经证实。如果你不了解你的应用程序或者已发布的产品中到底运行着什么代码，那你就可能面临需要大量时间才能解决的潜在安全威胁。相反，如果对项目里什么地方使用了什么版本的开源组件都了如指掌，一旦遇到漏洞，响应速度和解决速度都会是千金不换的。
+
+### 安全性藏在代码内部 ###
+
+Heartbleed bug 让开发人员和企业知道了软件安全性有多重要。专利软件和开源软件哪个更安全？这场广泛受到关注的讨论并没有一个简单的结论。现实情况是，不论是专利软件还是开源软件，它们绝大部分都有缺陷，其中一些缺陷还威胁到软件的安全性。
+
+如果开源软件被内部代码、专利代码引用了，那开发人员将不得不面对更复杂的安全性挑战。要是管理授权许可的手段再不恰当，那想追溯一段代码的来源和引用就得把相关人员全都牵连进来，难度必然急剧增加。
+
+要想切实了解你软件的潜在漏洞，首先你得理解以下三件事儿：
+
+1. 你的产品和应用程序里现在跑着什么代码？
+2. 那些开发前期使用的代码，开发人员是从哪儿弄来的？
+3. 开发后期使用了哪些组件，这些组件有哪些地方要在部署之前充分测试？
+
+### 现状怎么样 ###
+
+所有企业都应该对比常见漏洞数据库——比如美国国家标准与技术学会的[国家漏洞数据库][1]（NVD）——来检查他们的代码。NVD 等组织追踪并收集了各种安全漏洞的信息以及排名，这些数据可以协助企业确保代码及时更新，规避安全风险。
+
+如果你从没对照漏洞数据库检查过你的代码，那你可有的忙了。好在我们有个可以利用这些数据库定期自动识别开源安全漏洞的[工具][2]，这个工具还可以警示和追踪项目中使用的受影响的开源组件并提供必要的解决方案。
+
+持续监控你的代码库能保证及时发现未知代码、了解代码来源、授权信息不会过时、安全漏洞一旦出现就能第一时间掌握并寻求解决方案。如果你的公司有详细的代码清单，你就能轻而易举地找到漏洞所在并及时修复，确保你的业务和客户不会面临危险。
+
+### 预防未来的问题 ###
+
+相当多开发人员青睐开源软件是因为开源软件易于获得且免费，他们不用为此再走采购流程。目前来看，尽管很多开源组织都有自己的使用策略或使用指引，他们却并没有强制使用者遵守，也没有追查使用者是否遵守。知道你的组织将会使用哪些开源代码、这些代码是否有授权、你的组织中什么地方引用了它们是非常重要的。
+
+你知道你用了什么代码之后，就该好好整理它们了。你可以实现一个贯穿整个开发流程的管理框架，这样你可以掌握每段代码的详细信息，不用再在诸如代码更新了没有、什么时候更新的以及在哪儿更新的这类问题上浪费时间。手工管理这些信息不大可能，所以一流公司都使用自动化代码管理和审查工具。
+
+虽然每个公司、每个开发团队都面临各不相同的问题，但实践证明下面几条安全管理经验对使用开源软件的任何规模的组织都有意义：
+
+- **自动认证并分类** - 捕捉并追踪开源组件的相关属性，评估授权许可，自动扫描可能出现的安全漏洞，自动认证并归档。
+-
+- **维护最新代码的版本** - 评估代码质量，确保你的产品使用的是最新版本的代码。
+-
+- **评估代码** - 评估所有在使用的开源代码；审查代码安全性、授权许可、列出风险并予以解决。
+-
+- **确保代码合法** - 创建并实现开源政策，建立自动化合规检查流程确保开源政策、法规、法律责任等符合开源组织的要求。
+
+### 关键是，要让管理流程运作起来 ###
+
+随着软件飞速渗入各行各业，开放源代码将在创新发展的道路上扮演越来越重要的角色。为了规避安全问题给日益复杂的环境带来的风险，企业必须运行起一套管理其组织中开源代码使用情况的流程，构筑一个定期对照漏洞数据库检查代码并快速消除风险的流程。
+
+*作者 Bill Ledingham 是 Black Duck Software 公司的首席技术官（CTO）兼工程执行副总裁。在这之前，Bill 是 Verdasys 的首席技术官，领导信息和网络安全团队为全球顶尖的 2000 家公司和政府机构提供敏感信息的安全保障。 Bill 曾经与人合伙创办过四家公司，现在活跃于波士顿创业社区，作为 CommonAngels 的合作伙伴和投资人迄今已有 6 年历史。
+
+--------------------------------------------------------------------------------
+
+via: http://www.linux.com/news/software/applications/782953-how-to-achieve-better-security-by-proper-management-of-open-source
+
+作者：[Bill Ledingham][a]
+译者：[sailing](https://github.com/sailing)
+校对：[校对者ID](https://github.com/校对者ID)
+
+本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译，[Linux中国](http://linux.cn/) 荣誉推出
+
+[a]:http://www.linux.com/community/forums/person/59656
+[1]:http://nvd.nist.gov/
+[2]:http://www.blackducksoftware.com/oss-logistics/secure