A Voracious Appetite for Open Source Software Worldwide

At Black Duck Software, we work with the community and organizations to understand what responsible open source usage means. As part of that process, we view our connection to the open source community as a key component to both understanding where the development community is and educating them on how to build better code. Earlier this year, Black Duck’s Center for Open Source Research and Innovation (COSRI) released the Open Source Software Risk Analysis Report (OSSRA), which distilled data from over 1000 customer audits performed by the Black Duck On-Demand Audit team. Building on these results, we’re releasing the results of our Open Source 360⁰ survey.

The Open Source 360⁰ survey was sent to contributors, practitioners, and consumers of open source solutions. The goal of this survey was to identify key areas where open source software development is thriving, and identify risks and challenges as it continues to grow. The survey had over 800 respondents globally — spanning industries from financial services through manufacturing and retail to technology companies. Nearly 60% of respondents increased usage of open source code, following strong usage growth in 2016. A lack of vendor lock-in and the ability to customize the software were viewed as two of the key reasons respondents choose to use open source code.

Open Source development has become the norm in modern organizations, in part because it offers an opportunity to increase development speed while reducing the monetary cost of the software. This reduction in monetary cost is offset by an increase in collaborative responsibility, which increases both security and compliance risks if not accounted for.

Reduce Risk When Using Open Source Components

While I’d love to say that everyone recognizes that free software isn’t a risk-free proposition, that simply isn’t the case. At every event I’ve spoken at this year, at least one attendee admits to not knowing what open source components are present in their environment. Rephrasing this statement in security terms – at least one attendee at each event had no clear view of the attack surface in their environment.

Our survey respondents admitted to being concerned about open source vulnerabilities exposing both internal (64%) and external (71%) applications to exploits. Slightly over 50% of respondents used tools to scan for open source. A full 38% of respondents don't review code for open source at all! Read alongside the OSSRA report, this means many organizations consuming open source components have significant opportunities for risk mitigation while still reaping the benefits of open source software. A key to reducing risk is using an automated tool to clearly identify open source in the codebase, a practice that unfortunately wasn’t common among survey respondents.

Become an Active Participant in Projects

One way to significantly reduce open source risk is to become an active participant in key projects. While the survey found 66% of organizations supported active contribution to open source projects, only 24% dedicated full-time development resources to specific open source projects. I was happy to see that many respondents' organizations encouraged active project participation by employees, and not surprised that 53% specifically encouraged contributions of bug fixes and small feature enhancements.

For many open source projects, community support via bug fixes is a key component of project vibrancy and thus success. Unlike commercial software, where support agreements are created in return for license fees, the success of an open source project is a direct function of the activity level of its community. By encouraging participation in open source projects and sponsoring open source projects strategic to their business, many organizations are helping ensure the continued success of the project and reducing the associated risks. Why do our respondents participate in open source projects? The top four reasons were:

  • fix bugs or add functionality
  • reduce development and support costs
  • fundamental to product delivery strategy
  • gain competitive advantage

Open source is fundamental to the product delivery strategy for many respondents, making active participation in open source communities more important than ever.

Understand License Obligations

All software is subject to some form of license. The license identifies any rights granted while also stating obligations the licensor expects you to follow. Open source software is no different, but developers have choice in the selection of license type — each with its own set of obligations. Often those obligations are transferred when the software is shipped or delivered to a third party, and fulfilling those obligations requires an understanding of what they are. 66% of our survey respondents are concerned with loss of intellectual property or other licensing risks.

39% of respondents indicated that they use a whitelist of acceptable open source licenses, yet only 37% provide internal access to open source licensing, security and version information. While having a corporate governance policy for license usage is a best practice, compliance with that policy requires an understanding of precisely which licenses are being used and by which components. Only 29% of respondents had an automated solution for inventorying open source in use and identifying policy violations and security risks at various points in the software development lifecycle (SDLC), while only 15% strictly enforced their policies with automated controls.
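The two practices described above, an automated inventory of the open source components in a codebase (the tooling gap noted earlier in the survey results) and a license whitelist enforced by automated controls at points in the SDLC, can be illustrated with a small policy gate. This is an added example, not Black Duck's tooling or any product's output: the inventory rows, the allowed-license set and the `strict` flag are constructed for illustration, and the SPDX expression handling covers only flat `OR`/`AND` expressions, not nested parentheses.

```python
"""Toy open source policy gate: parse a component inventory, check each
component's declared license against an allowlist, and decide whether the
build should be blocked (strict enforcement) or merely warned (advisory).

Added example, not Black Duck code. All sample data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed inventory in a simple CSV form: name,version,license.
# In practice this would come from a scanner or SBOM (e.g. SPDX/CycloneDX).
SAMPLE_INVENTORY = """
# name,version,license (SPDX id or flat expression) -- constructed sample data
jackson-databind,2.9.1,Apache-2.0
mysql-connector-java,5.1.44,GPL-2.0-only
lodash,4.17.4,MIT
left-pad,1.1.3,UNKNOWN
jszip,3.1.3,(MIT OR GPL-3.0-only)
libfoo,0.9.0,MIT AND GPL-2.0-only
"""

# Hypothetical corporate whitelist of licenses acceptable for distribution.
ALLOWED_LICENSES: Set[str] = {"Apache-2.0", "MIT", "BSD-2-Clause", "BSD-3-Clause"}

# Values that mean "we do not actually know the license" and must be resolved.
UNKNOWN_MARKERS = {"", "UNKNOWN", "NOASSERTION"}


@dataclass
class Component:
    name: str
    version: str
    license_expr: str


def parse_inventory(text: str) -> List[Component]:
    """Parse the CSV-style inventory; blank lines and '#' comments are skipped."""
    components = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            raise ValueError(f"malformed inventory line: {line!r}")
        components.append(Component(*parts))
    return components


def license_allowed(expr: str, allowed: Set[str]) -> bool:
    """Evaluate a flat SPDX expression: 'A OR B' passes if any operand is
    allowed, 'A AND B' only if all are. Nested expressions are out of scope."""
    expr = expr.strip().strip("()")
    if " OR " in expr:
        return any(license_allowed(p, allowed) for p in expr.split(" OR "))
    if " AND " in expr:
        return all(license_allowed(p, allowed) for p in expr.split(" AND "))
    return expr.strip() in allowed


def evaluate_policy(components: List[Component], allowed: Set[str]) -> Dict[str, List[str]]:
    """Bucket components into allowed / unknown_license / disallowed_license."""
    report: Dict[str, List[str]] = {"allowed": [], "unknown_license": [], "disallowed_license": []}
    for c in components:
        if c.license_expr.strip().upper() in UNKNOWN_MARKERS:
            report["unknown_license"].append(c.name)
        elif license_allowed(c.license_expr, allowed):
            report["allowed"].append(c.name)
        else:
            report["disallowed_license"].append(c.name)
    return report


def run_gate(inventory_text: str, allowed: Set[str], strict: bool) -> Tuple[Dict[str, List[str]], int]:
    """Return (report, exit_code). In strict mode any unknown or disallowed
    license yields exit code 1 so a CI job fails; in advisory mode the same
    findings are reported but the exit code stays 0."""
    report = evaluate_policy(parse_inventory(inventory_text), allowed)
    has_violations = bool(report["unknown_license"] or report["disallowed_license"])
    return report, (1 if strict and has_violations else 0)


if __name__ == "__main__":
    rep, code = run_gate(SAMPLE_INVENTORY, ALLOWED_LICENSES, strict=True)
    for bucket, names in rep.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
    raise SystemExit(code)
```

Components whose license is unknown are deliberately treated as violations rather than ignored: an unidentified license is exactly the case where obligations cannot be fulfilled, and it is the gap the survey's 38% of non-reviewing respondents leave open.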

We continue to see enormous growth in the use of open source across all industries and in businesses of every size. Most organizations are using open source because it helps reduce development costs, deliver apps to market faster, and innovate. This survey shows how important it is that organizations develop a better understanding of their software composition and an awareness of compliance and security risks.

A detailed presentation of the complete Open Source 360° Survey results is available on the Black Duck website. Watch my COSRI webinar discussion of the survey findings (presented on June 22), and send in your questions.

This year’s Open Source 360° Survey conducted by Black Duck’s COSRI is the successor to the former Future of Open Source Survey, co-presented for many years by Black Duck and North Bridge.

Key Takeaways from the Open Source 360 Survey 2017
