Open Source Contribution Takes a Hit as Security Concerns Grow

Most organizations are using open source, but just a slim majority are encouraging contribution back to the open source community, according to Anaconda’s recent State of Data Science report. However, security concerns exacted a cost this past year.
The report, which queried nearly 3,500 individuals around the world, found that 51.99% of commercial respondents said their teams are encouraged to contribute to open source projects. That’s nearly a 13% decrease from 2021, when 65% encouraged contribution.
Additionally, while 32% said they were not encouraged to give back to open source, 16% responded that they “didn’t know.”
What’s changed? The report theorized that it may be due to security concerns. Indeed, nearly 25% of professional respondents said the Log4j breach and protestware triggered some organizations to scale back their open source software usage. On top of that, 31% of professionals stated security vulnerabilities are the biggest challenge in the open source community.
“…we called out the approximate 13% YoY decrease in the number of commercial respondents who said their teams are encouraged to contribute to open-source projects,” the report states. “It’s possible that the 13.48% increase in the fear of vulnerabilities, potential exposures, or risks is related to this change.”
Among the 8 percent of respondents whose organizations don’t use open source software, 54% cited fear of vulnerabilities, exposure or risk as the biggest reason — a 13% increase year over year.
Securing the Open Source Pipeline
It’s worth noting that it’s mostly IT that controls the use of open source software. Among commercial respondents whose organizations allow the use of open source software, 88.99% indicated that IT controls company open source tools and packages to some extent, with 56.49% indicating that IT controls most or all company open source tools and packages, the report noted.
Not surprisingly, most organizations take steps to secure open source software:
- 40% say they use vulnerability and security scanning software
- 33% create and use custom and proprietary software, and
- 27% do manual model and application audits.
Of the rest, only about 9% are not securing their open-source supply chains, and 24% aren’t sure.
The report also looked at how organizations are securing their open source supply chain and found:
- 43% use a managed repository,
- 36% use a vulnerability scanner,
- 35% perform manual checks against a vulnerability database,
- 19% are not securing their open source pipelines, and
- 23% aren’t sure.
Giving Back
How do employers encourage employees to give back to open source? It varies, with 54% dedicating time and 51% dedicating funding specifically to open source project development. Another 37% dedicate team members to contributing to open source projects. Four percent responded “other.”
The Language of Choice: Python
This is a data science report, and of the wide range of job titles participating in the study, the largest group was data scientists, at 16%. Another 8% were data engineers, while 13% were students and 8% identified as developers. So it makes sense that the language of choice for respondents was Python, with 58% saying they always or frequently use Python. Only 6% said they had never used Python.
“And why wouldn’t Python be the most popular programming language?” the report states. “It’s an accessible language that makes a wide variety of programming-driven tasks possible. There are hundreds of thousands of Python packages available, making Python applicable to many use cases. As such, Python is often used by non-programmers and students in addition to programming experts, and it makes a great teaching language for AI (artificial intelligence) and ML (machine learning).”
If academia is an indication, Python may be the language of choice for a long time: 61% of the survey’s academic-track respondents indicated their institutions are teaching Python to students of data science and machine learning, and 81.08% of student-track respondents indicated Python is covered in their courses.
Anaconda seems determined to make that happen, noting the steps it has taken to ensure Python can be used in the browser.
“Anaconda pioneered the use of Python for data science, and in the past year we’ve taken big steps toward our goal of democratizing data science and advancing Python accessibility,” the report noted. “We developed PyScript, a framework that allows users to create rich Python applications in the browser, and acquired PythonAnywhere, a cloud-based Python development and hosting environment that simplifies the web development process and empowers teams to write programs from any modern web browser.”