[PLUG] Hiring Open Source Contributors

Ishak Micheil isaacem at gmail.com
Sun Dec 7 21:32:24 UTC 2014


On Sun, Dec 7, 2014 at 7:35 AM, Ishak Micheil <isaacem at gmail.com> wrote:

> I think it really depends on the organization's business type. From an
> information security management perspective, we are always very
> conservative when hiring developers who contribute to OSS. Not directly
> related to skill set, but rather to the price tag on the data loss
> prevention program.


Can you elaborate?

-Denis
_______________________________________________
PLUG mailing list
PLUG at lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug

I will give you the points and then elaborate.

1- Generate funds
2- Risk Level

Developers are viewed as a great asset to an organization, due to the direct
nature of their time, will and very likely generated funds. With that in
mind, I believe part of the statements in the NDA (Non-Disclosure
Agreement) is heavily pointed towards developers.

In any type of organization that is always under a great level of pressure
from competition (the financial industry, for example) to provide optimal
services to its customers, developers play a major role: from secure coding
to neatness and an attractive look and feel.

What does that have to do with OSC, you may ask?
When a developer is attracted to or directly involved in OSC, a hiring manager
must pause and analyze: can that be yet another use case in the DLP program?
Indeed, comes the answer. From asking simple questions, to posting excerpts
from internal or "company owned" code in an effort to troubleshoot or
assist in an OSC project, or even flat out sharing entire code in an effort
to aid or assist OSC. That presents the risk of:
1- Internal classified (company owned) code being leaked.
2- More susceptibility to social engineering exposure.
3- A great challenge in monitoring and controlling such events and their
direct results.

Is it really that big of a deal?
Usually it depends on the hiring manager and the department you are
joining. In an information security department, you will indeed face more
scrutiny when you mention OSC.

My advice has always been: when interviewing, keep the OSC card in your
pocket unless you are asked, and make sure to point out your understanding
of classified information and follow through with that.

Ishak
