I think we can agree that open source is at the heart of most modern applications. These days, we find open source in the operating platform (operating system, database, or application server), the application framework and the modules and libraries used for key functionality. Open source is simply transformative in every industry, comprising between 60% and 80% of the application codebase.
It may seem like 1998 is a random time to start estimating custom vs. open source code, given that Linux was released in 1991, while Richard Stallman's GNU project launched in 1983 and the Emacs editor was written in 1976. However, the term open source itself became more widely recognized at an event that technology publisher Tim O'Reilly organized in 1998. Many excellent and well-known open source projects launched in the 1990s, such as GIMP, Ruby, Apache and OpenOffice (to name just a few). Still, for the larger development population, open source continued to make up a small percentage of the code base.
In 2008 open source got a huge boost when Google released Chromium, the project that the Chrome browser runs on. Google then followed with Android and Chromium OS, which quickly opened up open source in the mobile environment. Anyone with a modern cell phone knows that there are many, many apps written for Android and the iPhone OS. Without a doubt, the explosion of the internet and then mobile devices contributed greatly to the growth of open source in 2008. We estimate that it grew to about 30-50% open source code in applications by 2008.
This brings us to today. In 2016, we think open source is between 60% and 80% of the code base. In our Open Source Security Analysis 2016, we found that about 35% of the code in each application was open source, twice as much open source as the code owners anticipated. There are many reasons for the growth of open source, as cited by participants in our Future of Open Source Survey:
- Increased development speed
- Reduced development costs and accelerated time to market
- Competitive features and technical capabilities
Open Source Growth
How does open source deliver these key benefits? Among other things, it lets developers use open source code for the pieces of their applications that aren't unique (a clock or calendar scheduling functionality, for example). Developers writing custom code can then focus on building proprietary functionality, creating intellectual property and delivering competitive differentiation. The combination of open source and custom code creates huge opportunities for application developers to build robust applications in a more agile environment.
Impact for Application Security?
It's reasonable to wonder how this explosion in open source usage has changed application security. There are a lot of excellent tools that address application security for custom code, and there's no denying that these tools are important. Static Application Security Testing (SAST) does a fantastic job of parsing and analyzing source or binary code. Dynamic Application Security Testing (DAST) tests the application while it is running to expose potential vulnerabilities. However, the inclusion of open source in so many of our applications today changes what works in application security testing: these tools examine the code you wrote or the application you deploy, not which third-party components are inside it or which of those components have known, published vulnerabilities. Organizations need to look at the growth of open source in their code base and acknowledge that their security investments need to address the growing risk in the application layer.
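To make the gap concrete, here is an added example (not Black Duck's code or a description of its tooling) of the kind of check that complements SAST and DAST: a minimal software-composition pass that inventories the open source components an application declares and compares each pinned version against a list of known advisories. The manifest, the package names, the first-party naming convention and the advisory identifiers are all constructed for illustration; a real tool would also resolve transitive dependencies and use richer version semantics.

```python
"""Minimal software-composition check (added example, not Black Duck's code).

Parses a constructed requirements-style manifest, reports what share of the
declared components is third-party open source, and flags any pinned version
that falls inside a constructed advisory's affected range.
"""
from dataclasses import dataclass

# Constructed sample manifest: one "name==version" per line, '#' starts a comment.
CONSTRUCTED_MANIFEST = """\
webframework==2.3.1
templating==1.9.0
imageparser==0.8.2
internal-billing==4.0.0  # first-party, served from a private index
jsonlib==3.1.0
"""

# Constructed advisory feed: (package, lowest affected, first fixed, advisory id).
# A version is affected when lowest_affected <= version < first_fixed.
CONSTRUCTED_ADVISORIES = [
    ("imageparser", "0.0.0", "0.9.0", "EXAMPLE-ADV-001"),
    ("jsonlib", "3.0.0", "3.0.5", "EXAMPLE-ADV-002"),
    ("templating", "2.0.0", "2.0.3", "EXAMPLE-ADV-003"),
]

# Assumed naming convention for first-party packages (hypothetical).
FIRST_PARTY_PREFIXES = ("internal-",)


@dataclass(frozen=True)
class Component:
    name: str
    version: tuple  # e.g. (2, 3, 1); tuples compare lexicographically


def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH' into an int tuple so comparisons are numeric."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_manifest(text):
    """Return the components declared in a requirements-style manifest."""
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        name, _, version = line.partition("==")
        components.append(Component(name.strip().lower(), parse_version(version)))
    return components


def is_open_source(component):
    """Anything not matching the first-party convention is treated as third-party."""
    return not component.name.startswith(FIRST_PARTY_PREFIXES)


def open_source_share(components):
    """Fraction of declared components that are third-party open source."""
    if not components:
        return 0.0
    return sum(is_open_source(c) for c in components) / len(components)


def find_affected(components, advisories):
    """List (name, version, advisory id) for every component in an affected range."""
    hits = []
    for c in components:
        for package, lowest, fixed, advisory_id in advisories:
            if c.name == package and parse_version(lowest) <= c.version < parse_version(fixed):
                hits.append((c.name, ".".join(map(str, c.version)), advisory_id))
    return hits


if __name__ == "__main__":
    comps = parse_manifest(CONSTRUCTED_MANIFEST)
    print(f"open source share: {open_source_share(comps):.0%}")
    for name, version, advisory_id in find_affected(comps, CONSTRUCTED_ADVISORIES):
        print(f"{name} {version} is affected by {advisory_id}")
```

On the constructed manifest, four of the five components are third-party (an 80% share), and only `imageparser` is flagged: `jsonlib` 3.1.0 is past the fixed version and `templating` 1.9.0 is below the affected range. Neither SAST nor DAST would report any of this, because the finding comes from the component inventory and the advisory feed, not from the code or the running application.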
Our On-Demand audits are a great source of information for anyone wanting to learn about open source in application security. Often these audits are part of a merger or acquisition deal, where one party or the other is trying to ascertain whether there are any security, legal or operational risks in the code base before proceeding with a deal. All of that data was anonymized so we could take a look at the big picture. Our findings can help developers and organizations understand the risks at the application layer, so they can continue to use open source safely and securely to speed innovation in applications and containers. Check out our infographic on open source in application security.