Last week I had the pleasure of attending the Black Duck customer conference, FLIGHT. It was a fantastic few days filled with rich content, delivered by experts both inside and outside of Black Duck. I had the opportunity to help Phil Odence run the Legal and Compliance track, so I heard legal and development experts from around the world address how they tackle open source management issues in mergers and acquisitions as well cybersecurity concerns and data privacy regulations.
I loved learning about what’s been happening at the Linux Foundation, a presentation delivered by Karen Copenhaver, Partner at Choate and Director of Intellectual Property Strategy at the Linux Foundation. Karen's presentation was packed with data about the pervasiveness of open source in the world today. Here are some of the staggering numbers she presented:
- 41B lines of open source code
- 1,100 new projects per day
- 10,000 new versions per day
- 10,000 lines of code added daily
- 5 changes per hour
- 4,300 contributors from 450 organizations
I had to take a minute to let that sink in. That’s over 400 lines of code added to Linux per hour! It starts to put our mission here at Black Duck into perspective. The open source train has left the proverbial station and it’s clear that the benefits of leveraging open source in the enterprise will only propel it farther down the track.
Linux: An Open Source Foundation
Linux itself has become the most important software in the world. Did you know that Linux powers:
- 99.6% of the supercomputer market
- 82% of the smartphone market
- 90% of public cloud workloads
- the #1 Internet browser client
A Voracious Appetite for Open Source
Open source use isn’t slowing down anytime soon. It will continue to grow exponentially over the next 10 years. It’s estimated that for most applications, 80-90% of the code is open source. So, how do companies continue to innovate and build great products while remaining mindful of how to use open source responsibly? We opened FLIGHT with a presentation by the Jeep Hackers, and I have to say… I don’t ever want my car hacked in the middle of a busy highway! So, the more we can do to ensure software security in connected cars and autonomous vehicles, the better we will be at preventing computers from taking over our cars (at least without explicit permission).
We learned a few key ways to use an open source foundation to build fast and secure at FLIGHT 2017.
1. Choose Open Source Projects with Sustainable Ecosystems
These projects have an active and engaged developer community behind them that provides more longevity. It also helps then stay on top of potential vulnerabilities and provide fixes quickly. Check out Open Hub to see what projects are the most active (and the most popular).
2. Manage Internal Compliance Processes
Have a process for open source use, document that process and govern it on an ongoing basis. This includes maintaining strong IP practices that include clear licensing terms and automated ways of tracking them. Remember, it’s not just about the project you’re using, but also the components used to build it. Having a clear bill of materials helps organizations gain a thorough understanding of their code bases.
3. Adopt Security Best Practices
Get your house in order - build security into your development process. That means not only learning about it and adopting industry best practices, but also staying on top of it. Make security a core competency of your software development team.
4. Measure, Report, Assess
Put processes in place to report back on these key elements of open source management. Doing this can help you quickly assess the longevity of projects, the health, licensing risks and potential security risks associated with the open source your company is using. Having this information when you need it is better than having to scramble in the event of an issue.
At Black Duck we have a wealth of data from our Center for Open Source Research & Innovation (COSRI), and our Open Source Security & Risk Analysis (based on audits of commercial code) showed that 96% of applications scanned contained open source components. I expect that number to increase in the next few years. Not only that, I think that open source as a percentage of the code base will increase as well, with just a small percentage of custom code differentiating for competitive reasons. With an open source foundation, I know we'll be able to build fast — and as a community we need to build responsibly and securely. At Black Duck FLIGHT 2017 a lot of experts and customers joined us to share how they're doing just that.