FOSS Guardrails: Security protocols and processes
Khem Raj, October 16, 2024

We used to have devices running embedded software that were never connected to other computers or networked in any way. That has changed in the past decade or two with the internet: the default design is now online first. This poses a security risk of sizeable proportions. Open source has a very robust mechanism for addressing security vulnerabilities, so build upon the vulnerability management systems that open-source projects already have:
- Ensure a process to regularly monitor and patch vulnerabilities in FOSS components.
- Create internal security workgroups and mailing lists.
- If you maintain open-source components, set up provisions for reporting vulnerabilities.
- Collaborate with the respective open-source component communities.
- Integrate open-source security into the broader security framework at your organization.
- Incident response plans should cover open-source components.
- Deploy tools to collect and monitor information about CVEs.
- Make security a preliminary criterion when choosing the OS, build systems, and tools.
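As an added example (not code from the original post, nor from any project it names), here is the core of the CVE-monitoring loop that the list calls for: a component manifest from the build is matched against a vulnerability feed by affected-version window, and the components that need patching are reported, separating those with a fix available from those still tracking upstream. The `name version` manifest format, the advisory record layout and the `CVE-0000-000N` identifiers are constructed sample data; a real deployment would pull advisories from a vulnerability database and the manifest from the build system.

```python
"""Checking an embedded FOSS component inventory against a CVE feed.

Added example (not code from the original post). The manifest, the
advisory records and the CVE identifiers are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    """One vulnerability record: affected package and its version window."""
    cve_id: str                 # placeholder ids below, not real CVEs
    package: str
    introduced: str             # first affected version (inclusive)
    fixed: Optional[str]        # first fixed version (exclusive); None = unfixed


def parse_version(text: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10); each dotted piece is cut at its first
    non-digit, so a suffix such as '83-r1' contributes 83."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than b. Shorter tuples are
    zero-padded so that '1.2' compares equal to '1.2.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def is_affected(version: str, adv: Advisory) -> bool:
    """Half-open window check: introduced <= version < fixed."""
    if version_lt(version, adv.introduced):
        return False
    if adv.fixed is not None and not version_lt(version, adv.fixed):
        return False
    return True


def parse_manifest(text: str) -> dict:
    """Parse 'name version' lines; blank lines and '#' comments are ignored."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split()[:2]
        inventory[name] = version
    return inventory


def scan(inventory: dict, feed: list) -> dict:
    """Map each affected component to its [(cve_id, fixed_version)] list.
    Components without findings are omitted from the result."""
    findings = {}
    for adv in feed:
        version = inventory.get(adv.package)
        if version is None or not is_affected(version, adv):
            continue
        findings.setdefault(adv.package, []).append((adv.cve_id, adv.fixed))
    return findings


# Constructed sample manifest in the 'name version' form parsed above.
SAMPLE_MANIFEST = """
# component  version
busybox   1.36.0
openssl   3.0.8
zlib      1.2.13
dropbear  2022.83
"""

# Constructed advisory feed with placeholder identifiers (not real CVEs).
SAMPLE_FEED = [
    Advisory("CVE-0000-0001", "openssl", "3.0.0", "3.0.9"),
    Advisory("CVE-0000-0002", "zlib", "1.2.0", "1.2.12"),
    Advisory("CVE-0000-0003", "busybox", "1.33.0", None),
    Advisory("CVE-0000-0004", "openssl", "1.1.1", "3.0.0"),
    Advisory("CVE-0000-0005", "libpng", "1.6.0", "1.6.40"),
]


def sample_report() -> dict:
    """Run the constructed manifest and feed through the scanner."""
    return scan(parse_manifest(SAMPLE_MANIFEST), SAMPLE_FEED)


if __name__ == "__main__":
    for name, hits in sorted(sample_report().items()):
        for cve_id, fixed in hits:
            action = f"upgrade to {fixed}" if fixed else "no fix yet; track upstream"
            print(f"{name}: {cve_id} -> {action}")
```

On the constructed data, openssl 3.0.8 falls inside the first advisory's window but outside the fourth (whose fix version 3.0.0 closes it), zlib 1.2.13 is past its fix, and busybox 1.36.0 is flagged with no fix available, which is the case an incident response plan has to handle rather than a patch run. The half-open window and zero-padded comparison are the two details that most often produce false negatives in home-grown checkers.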
Security should be in every part of what you do, not an afterthought. If it is ignored or implemented as an add-on, the result is lost feature velocity, unhappy developers, and diminished quality.