One of the most widely used, most productive, and indispensable elements of application development today is probably the least understood – open source software.
Open source makes up 80-90% of the code in modern software applications and powers global brands such as Netflix, Amazon, Google and Uber.
Yet, consider this finding from a recent report by a leading global research firm: “Open-source software is used within mission-critical IT workloads by over 90% of the IT organizations worldwide, whether they are aware of it or not.”
Think about that: “whether they are aware of it or not.” It would seem impossible that something so essential would be an unknown.
To clarify, most organizations are very “aware” that they are using open source because they know it helps reduce development costs, deliver apps to market faster, and innovate, innovate, innovate.
What they don’t know about the open source software they’re using — and this is the case for companies large and small around the globe — is where it’s located in their application code. This puts them at increased risk from open source security vulnerabilities and unmet license obligations.
Know Your Code
Results of Black Duck On-Demand’s open source application security audits conducted during M&A transactions are remarkably consistent in two areas — 95% of the applications contain open source, and two-thirds of the applications contain known open source vulnerabilities. Not a healthy ratio.
There’s no doubt that use of open source will continue to increase rapidly because of the economic and productivity value it delivers, but it is important that organizations develop a better understanding of their security risk exposure and implement effective open source security and management practices to reduce that risk.
Open Source 360° Survey
The 2017 Open Source 360 Survey launched earlier this week by Black Duck’s Center for Open Source Research & Innovation (COSRI) will play a role in informing and educating today’s open source consumers.
Through the survey, COSRI will aggregate data from open source users throughout the world — and share it — and examine the state of open source in four key areas: usage, risk, contributions and governance/policies.
Created in 2016, COSRI leverages Black Duck’s comprehensive open source data-gathering expertise and skilled teams to conduct cutting-edge open source security, machine-learning and data-mining research. COSRI promotes both the secure use of open source and continuous open source innovation, and shares its findings globally.
Via the 2017 Open Source 360 Survey, COSRI will work with many partners in the open source community to collect and deliver useful information and insights. COSRI will aggregate the survey results, analyze the data and deliver a comprehensive report in June.
- Usage: The focus will be on where open source fits in the software application development and deployment strategy rather than simply on how much open source is being used.
- Risk: Few companies have good visibility into where open source is being used and therefore lack the necessary controls, placing them at risk from known security vulnerabilities. The survey will provide insights into whether that is changing in light of the heightened attention to cybersecurity.
- Contributions: Companies that once forbade developers from using open source are among today’s most avid contributors to open source projects. This year’s survey will look at contribution trends and report on why companies are contributing.
- Governance & Policies: The increase in open source use has not always been accompanied by well-developed project selection policies or attention to license obligations. The survey will probe whether companies are becoming more conscious of their need to improve their IP quality.
We look forward to reporting on the results and invite you to take the survey.