Open source is losing (process) control

Sonatype’s annual Open Source Development Survey claims to be the “largest of its kind”, surveying (by its own count) more than 3,500 developers, architects and IT managers, all of whom currently classify themselves as users of open source technology.

Although surveys of this type are always questionable to a degree, with questions that are (arguably) contrived and loaded to produce the desired answers, some interesting “suggestions” have at least come to light.

The 80% open source app factor

Key findings “suggest” that much of today’s application software is assembled from open source components and frameworks downloaded from repositories, to the extent that such components make up at least 80% of the app.

But – and here’s the big BUT…

… the study also “suggests” that very few organisations have the controls or processes to identify which components are in use, to govern their usage, or to eradicate flawed components from production applications.

“An overwhelming majority (76 percent of respondents) shared that they have no control over what components are being used in software development projects, and 65% cited a failure to maintain an inventory of components used in production applications,” says Sonatype.

New threat identified by OWASP

In line with news of this survey — the Open Web Application Security Project (OWASP) Top Ten list now (for the first time) includes “using components with known vulnerabilities” as a top threat to application security, at #9.

The firm further argues that, “[We need a software chain that is] developer friendly and continuous to keep pace with Agile practices and address ongoing threats in real-time. Sonatype announces today the launch of Sonatype CLM, the first and only solution to secure the entire component lifecycle and the first comprehensive solution that directly addresses OWASP A9.”
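The two gaps the survey and OWASP A9 describe are the absence of a component inventory and the absence of a check of that inventory against known-vulnerable versions. The script below is an added example (not Sonatype’s product, nor code from the survey or from OWASP) of the minimal control behind both: it parses a pinned lockfile into an inventory, refuses unpinned entries because they cannot be inventoried, and flags any component whose version falls inside an advisory’s affected range. The lockfile, the component names and the advisory ranges are all constructed for the example; the advisory identifiers are placeholders, not real advisories.

```python
"""Build a component inventory from a lockfile and check it against an advisory list.

Added example: the lockfile, component names, version ranges and advisory ids
below are constructed for illustration and do not describe real packages.
"""
import re

# Constructed sample lockfile in pip "freeze" style: one "name==version" per line.
SAMPLE_LOCKFILE = """\
# constructed sample, not a real project's lockfile
libalpha==2.19.0
libbeta==1.23
templatelib==2.10
helperlib==1.16.0
"""

# Constructed advisory feed. Each entry says: versions in [introduced, fixed) are affected.
# The ids are placeholders; real feeds would carry CVE/GHSA identifiers.
SAMPLE_ADVISORIES = [
    {"name": "libbeta", "introduced": "1.0", "fixed": "1.24.2", "id": "ADV-PLACEHOLDER-1"},
    {"name": "templatelib", "introduced": "0", "fixed": "2.10.1", "id": "ADV-PLACEHOLDER-2"},
    {"name": "libalpha", "introduced": "2.20.0", "fixed": "2.20.1", "id": "ADV-PLACEHOLDER-3"},
]

# Only exact pins are accepted: a range such as ">=1.0" gives no inventory entry.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)\s*$")


def parse_version(text):
    """Turn '1.24.2' into (1, 24, 2). Non-numeric segments count as 0 (a simplification)."""
    parts = []
    for segment in text.split("."):
        match = re.match(r"\d+", segment)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def compare(a, b):
    """Return -1, 0 or 1 comparing version strings a and b, padding short tuples with zeros."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def build_inventory(lockfile_text):
    """Return {normalised_name: version} for every pinned component.

    Blank lines and comments are skipped; an unpinned or unparsable line raises,
    because a component without an exact version cannot be inventoried or checked.
    """
    inventory = {}
    for line in lockfile_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = PIN_RE.match(line)
        if not match:
            raise ValueError(f"unpinned or unparsable dependency line: {line!r}")
        name = match.group(1).lower().replace("_", "-")
        inventory[name] = match.group(2)
    return inventory


def find_known_vulnerable(inventory, advisories):
    """Return (name, version, advisory_id) for each inventoried component in an affected range."""
    findings = []
    for advisory in advisories:
        name = advisory["name"].lower()
        version = inventory.get(name)
        if version is None:
            continue  # component not in use: nothing to report
        in_range = (compare(version, advisory["introduced"]) >= 0
                    and compare(version, advisory["fixed"]) < 0)
        if in_range:
            findings.append((name, version, advisory["id"]))
    return findings


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_LOCKFILE)
    print(f"{len(inv)} components inventoried")
    for name, version, adv_id in find_known_vulnerable(inv, SAMPLE_ADVISORIES):
        print(f"KNOWN-VULNERABLE {name}=={version} ({adv_id})")
```

Run on the constructed input it reports two of the four components as affected; the third advisory does not fire because the pinned version sits below its introduced bound. Wiring the same two functions into a build step, so that an unpinned line or a non-empty findings list fails the build, is the smallest form of the “control over what components are being used” that 76% of respondents said they lack.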

[Chart: component downloads from central]

[Chart: OSS policy in place]