This message was posted by a user wishing to remain anonymous
Hello,
I am reaching out to this community for any guidance you may have regarding the onboarding and tracking of open-source/community tools. These tools are categorized by having some form of open license (MIT, Apache, GNU, etc.) and no direct contract with an entity.
- What documentation do you collect?
- How do you verify the tool is secure to use?
- Is this part of your TPRM program or managed in your IT dept?
- What sort of continuous monitoring procedure do you utilize?
- How does your legal dept get comfortable with the license and lack of other agreement protections?