Add It Up: Competing Estimates of Open Source Composition
Nine out of 10 components in the average application are open source, according to an analysis of 1,700 apps in Sonatype’s “State of the Software Supply Chain.” In its own report, Synopsys reports 70% of the customer codebases it audited are open source. Those are high-end estimates. A survey of people familiar with application security by ESG provides a lower figure — only 43% believe that more than half of their enterprise’s codebase of open source.
Why the wide variation in numbers? Semantics. A report co-written by Frank Nagle of the Harvard Business School notes that Software Composition Analysis vendors don’t have a common definition of what constitutes a “component.” For example, a package containing many sub-components is considered a separate entity in some data sets. Furthermore, the definition of what constitutes an application is an inherently subjective endeavor.
Only a third of respondents in the ESG study believe that more than 75% of their codebase is protected by application security tools. Is this good or bad? Should we care about the number of lines of code, components, or applications covered?
This is more than an academic debate. Decisions to purchase software are being made based on how much software is at risk. If a product is supposed to identify and resolve issues in dependencies, how should potential buyers benchmark vendor performance? These are the types of questions being addressed by the recently announced Open Source Security Foundation. Stay tuned for more data and analysis about how the growth of open source components is impacting enterprise IT.
Sonatype is a sponsor of The New Stack.
Feature image via Wikimedia.