Survey: Is ‘Somewhat Confident’ in Open Source Good Enough?
A majority of organizations have concerns about using open source software, with the largest organizations expressing the least confidence in their open source management practices, according to a survey that queried 700 technologists, including engineers, software developers, DevOps workers and executives.
Specifically, participants were asked if they felt confident that the open source components they use are secure, up-to-date and well-maintained. Fifteen percent of organizations were “extremely confident” in that regard, according to “The 2022 Open Source Software Supply Chain Survey Report” released this month by open source management provider Tidelift. The New Stack’s Lawrence Hecht was the researcher partner on the project, alongside Chris Grams, head of marketing at Tidelift.
The majority of respondents — 62% — were “somewhat confident” about their open source components, a finding that doesn’t exactly inspire, Grams noted during a July Upstream virtual conference presentation of the results.
“When I was watching the national championship this year, Carolina made it — as anyone who is a fan knows — to the national championship game as a huge underdog […] and they were up by 15 at halftime against Kansas,” said Grams. “I was ‘somewhat confident’ that Carolina was going to win the game and those of you who watched it will remember that Carolina actually lost that game.”
“So, somewhat confident when it comes to ensuring the open source components in your organization are up-to-date, secure and well maintained: Is that good enough?” he added.
An additional 22% were not very or at all confident that open source components were well managed. Still, there are signs of improvement, as Hecht noted in an April tweet, pointing out that “large organizations are feeling better about their open source practices but are still concerned. 26% were not very or not at all confident, which is better last year when 39% reported that they were not very or not at all confident in the security of the OSS components.”
Component Approval Drags Open Source Development
Getting approval to use new open source components is slow and tedious in large organizations, the report found, taking anywhere from one day to one week for half of the respondents. For 39% of respondents, approvals drag on for more than a week to a month or more.
“For this 39%, where it’s taking between a week and a month, or more than a month — can you imagine like 10% of organizations, it takes more than a month to get a new component approved?” Grams said. “I wonder, if you’re a developer at an organization, how that feels like when you’re sitting there waiting for a new component to get approved.”
In the largest organizations, it gets even more bleak, he added. In large organizations of over 10,000, 78% said there is some sort of authorization process for introducing new open source components and 56% reported that the approval process takes a week or more.
“Is it slowing down developers’ ability to use open source really effective?” Grams questioned.
Overall, 61% said their organization did have an approval process for using new open source components, with 38% reporting either no process or an informal process that does not require authorization. Almost half of smaller organizations — those under 1,000 employees — had an informal authorization process or none at all.
The Best Practice That’s Catching On: Central Repositories
One of the best practices recommended by IT analyst firms Gartner and IDC is the use of a centrally managed repository of approved open source components. The main benefits of this approach are that developers can move faster when they know which components are vetted and improve security, according to the report.
Given the stodgy approval process seen at large organizations, it’s perhaps not surprising that this is an emerging trend identified in the report.
The survey found that 65% of organizations are already using or actively piloting a central repository of approved open software components, with large organizations leading the way at 75%. Interestingly, 26% have no plans of using a centralized repository, with 32% of the smallest organizations saying they have no plans to enact a repository.
“I would view this as an emerging trend,” Grams said. “It’s interesting to see that we’re still [in the] early days, but some organizations are starting to use this.”
Tidelift, it should be noted, offers such a solution as part of its product.
Few Aware of Software Supply Chain Compliance
One finding that should put development leaders on notice: Only 37% of those surveyed were aware of the May 2021 White House executive order on cybersecurity requiring organizations that do business with the government to enhance their cybersecurity in their software supply chain, through up-to-date software bills of materials (SBOMs).
“The idea behind this White House executive order is that if you want to sell to the government, you need to bring up your level of cybersecurity,” Grams said. “You need to understand better the provenance of the components you’re using (i.e. where they come from), you need to understand how they’re secure, who’s making them — and in open source that can be fairly challenging.”
That low awareness figure may be related to the timing of the survey, which was out in the field during Log4Shell last December, so Grams said he expects that figure will change significantly in next year’s survey.
As a follow-up question, the survey asked whether current software supply chain security events like SolarWinds were having a large or extremely large impact on how they approach application security.
“Not surprisingly, of these organizations, 42% report that current software supply chain security events like SolarWinds are having a large or extremely large impact on how they approach application security,” the report noted. “Only 15% of organizations see no impact at all.”
That said, 78% of organizations are using SBOMs for application development or plan to in the next year. Only 22 had no plans to use SBOMs. Again, usage is higher at larger organizations, with 84% of respondents reporting they are actively using SBOMs or plan to within the next year.
Not surprisingly, there appears to be relationship between using SBOMs and confidence in open source components. Hecht noted that 87% of organizations using SBOMs have some confidence that their open source components are up-to-date, secure, and well maintained; by comparison 39% of organizations that don’t use SBOMs are not at all or not very confident in their open source components.