
Add It Up: Competing Estimates of Open Source Composition

Aug 13th, 2020 9:19am by
Nine out of 10 components in the average application are open source, according to an analysis of 1,700 apps in Sonatype’s “State of the Software Supply Chain.” In its own report, Synopsys finds that 70% of the customer codebases it audited are open source. Those are high-end estimates. A survey of people familiar with application security by ESG provides a lower figure: only 43% believe that more than half of their enterprise’s codebase is open source.

Why the wide variation in numbers? Semantics. A report co-written by Frank Nagle of the Harvard Business School notes that Software Composition Analysis (SCA) vendors don’t have a common definition of what constitutes a “component.” For example, a package containing many sub-components is counted as a single entity in some data sets and as several in others. Furthermore, deciding what constitutes an application is an inherently subjective exercise.

Only a third of respondents in the ESG study believe that more than 75% of their codebase is protected by application security tools. Is this good or bad? Should we care about the number of lines of code, components, or applications covered?

This is more than an academic debate. Decisions to purchase software are being made based on how much software is at risk. If a product is supposed to identify and resolve issues in dependencies, how should potential buyers benchmark vendor performance? These are the types of questions being addressed by the recently announced Open Source Security Foundation. Stay tuned for more data and analysis about how the growth of open source components is impacting enterprise IT.

Sonatype is a sponsor of The New Stack.

Feature image via Wikimedia.

TNS owner Insight Partners is an investor in: The New Stack.