Finding a good solution

The world of FOSS security solutions is complex. There are a great many FOSS security solutions, but not all of them are good, and not all of them should be used.

Determining the quality of a FOSS product can be very complex. This guide simplifies that assessment and gives some simple tips for different use cases.

Choosing a FOSS security solution is not easy. This guide to FOSS security solutions is meant to make that choice simpler.

The aim is to:

  • Minimize the search time you need.

  • Only list cyber security solutions that themselves meet minimum cyber security standards.

Using a FOSS cyber security solution can turn into a disaster.

Warning

Choosing and using FOSS software is not simple by default.

Choosing FOSS software that meets your requirements also means evaluating risks. The risks of using FOSS software are comparable to those of using COTS (Commercial Off-The-Shelf) software or cloud solutions.

Using this opinionated guide should give you a head start. For a basic evaluation, follow these simple guidelines:

  • Check the OpenSSF Scorecard. If no card is available, create one; others will also benefit from your action.

  • Check whether the software is built with a reproducible build process.

  • Check whether the FOSS license is an OSI-approved license.

  • Validate that the solution you want to use is not too complex for the problem you want to solve. Simple software with fewer dependencies is usually more secure and has less maintenance overhead and lower costs.
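The checklist above can be turned into a repeatable policy check. The script below is an added example, not part of the original guide or of the Open Security Reference Architecture: it reads an OpenSSF Scorecard result, an SPDX license identifier and an attestation that the project has reproducible builds, and reports which checklist items pass. The JSON shape follows the output of `scorecard --format json` as far as the author knows it and is an assumption; the per-check minimum scores, the overall threshold, the OSI license subset and the sample report are all constructed for illustration.

```python
"""Policy check for the FOSS evaluation checklist (added example).

Inputs: an OpenSSF Scorecard report (dict), an SPDX license identifier and
an attested reproducible-builds flag. Output: a dict of findings with an
overall accept/reject verdict. All data below is constructed.
"""
import json

# Subset of OSI-approved licenses by SPDX id (constructed sample; the
# authoritative list is maintained by the Open Source Initiative).
OSI_APPROVED_SPDX = {
    "MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause",
    "GPL-2.0-only", "GPL-3.0-only", "LGPL-3.0-only", "MPL-2.0",
}

# Minimum Scorecard check scores (0-10). These thresholds are an assumption;
# tune them to your own risk appetite.
MIN_CHECK_SCORES = {
    "Maintained": 5,
    "Vulnerabilities": 10,
    "Binary-Artifacts": 10,
    "Dangerous-Workflow": 10,
    "Signed-Releases": 5,
}
MIN_OVERALL_SCORE = 6.0

# Constructed Scorecard report; shape assumed from `scorecard --format json`.
SAMPLE_SCORECARD = json.loads("""
{
  "date": "2024-01-01",
  "repo": {"name": "github.com/example-org/example-tool", "commit": "0000000"},
  "score": 7.1,
  "checks": [
    {"name": "Maintained", "score": 10, "reason": "30 commit(s) in last 90 days"},
    {"name": "Vulnerabilities", "score": 10, "reason": "no vulnerabilities detected"},
    {"name": "Binary-Artifacts", "score": 10, "reason": "no binaries found"},
    {"name": "Dangerous-Workflow", "score": 10, "reason": "no dangerous workflow patterns"},
    {"name": "Signed-Releases", "score": 0, "reason": "no releases found"},
    {"name": "Pinned-Dependencies", "score": 4, "reason": "some dependencies unpinned"}
  ]
}
""")


def failed_checks(report, minimums=MIN_CHECK_SCORES):
    """Return {check_name: score} for every required check below its minimum.

    A check that is absent from the report is treated as score -1, the value
    Scorecard itself uses for a check that did not run, so it always fails.
    """
    scores = {c["name"]: c["score"] for c in report.get("checks", [])}
    return {name: scores.get(name, -1)
            for name, minimum in minimums.items()
            if scores.get(name, -1) < minimum}


def is_osi_license(spdx_id):
    """True if the SPDX identifier is in the (constructed) OSI-approved set."""
    return spdx_id in OSI_APPROVED_SPDX


def evaluate_candidate(report, spdx_id, reproducible_builds,
                       min_overall=MIN_OVERALL_SCORE):
    """Apply the checklist and return findings plus an overall verdict.

    Reproducible builds cannot be read from Scorecard, so it is passed in as
    a flag you have verified yourself (e.g. by rebuilding and comparing).
    """
    findings = {
        "scorecard_overall_ok": report.get("score", 0.0) >= min_overall,
        "scorecard_failed_checks": failed_checks(report),
        "osi_license": is_osi_license(spdx_id),
        "reproducible_builds": bool(reproducible_builds),
    }
    findings["accept"] = (
        findings["scorecard_overall_ok"]
        and not findings["scorecard_failed_checks"]
        and findings["osi_license"]
        and findings["reproducible_builds"]
    )
    return findings


if __name__ == "__main__":
    result = evaluate_candidate(SAMPLE_SCORECARD, "Apache-2.0", True)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the constructed report the overall score passes but `Signed-Releases` is below its minimum, so the candidate is rejected even though the license and reproducible-build items pass; this is the point of checking individual Scorecard checks rather than only the aggregate score.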

A more detailed list for evaluating FOSS security software is available here within the Open Security Reference Architecture.

Tip

Whether FOSS security software is good enough always depends on your context and the problem you must solve.

Different requirements apply to a test environment than to software that is used daily in production.