Image by Gerd Altmann from Pixabay
Javier Perez
Chief Evangelist & Sr. Director Product Management, OpenLogic by Perforce
The State of Open Source Software, Security & Support
Nice To Meet You!
Chief Evangelist & Sr. Director Product Management
@jperezp_bos
javierperez.mozello.com
www.linkedin.com/in/javierperez
Javier Perez
[Figure: package counts per registry; the registry labels were in the graphic and are not recoverable from the extracted text]
• 2.1M+ packages, 1,034 packages per day
• 504K+ packages, 157 packages per day
• 355K+ packages, 87 packages per day
• 410K+ packages, 276 packages per day
• 328K+ packages, 150 packages per day
• 173K+ packages, 15 packages per day
Source: Oct 28, 2022 www.modulecounts.com
[Figure: project counts (labels not recoverable from the extracted text): 370+, 420+, 850+, 120+ and 40+ projects]
Has your organization increased the use of open source software over the last year?
• Yes: 41%
• Yes, significantly: 36%
• Remain the same: 22%
• Reduced the use of open source: 1.6%
YES (combined): 77%
Open Source Support
Open Source in Organizations & Government
Open Source Security
Open Source SDLC Trends
• Smaller Releases
• CI/CD, Testing & Security Scan Automation
• Reduced Number of Supported Releases
• Reduced Long-Term Support
• Challenging to maintain older versions: backporting patches, time consuming, regression testing
Constant Updates, Shorter LTS
Release Cadence, Long-Term Support and End-of-Life
• AngularJS EOL
• CentOS
• Extended Support beyond LTS?
[PHP supported-versions chart] Source: www.php.net/supported-versions.php
[Node.js end-of-life chart] Source: https://endoflife.date
Risks of Ignoring End-of-Life
• Unpatched CVEs mean an ongoing and compounding risk of exploitation
• Incompatibility with newer software
• Non-compliance (internal policy or industry compliance)
• Upgrading or migrating becomes more complex in the future, and more support is required
• Self-support cost: development resources pulled away from their jobs, and expertise required
Open Source Support Challenges
• Keeping up with updates & patches
• Installation, upgrades & configuration
• Personnel experience & proficiency
Keeping Up With Updates and Patches
• Constant releases and applying security patches
• End-of-life versions
[Timeline figure: releases V1.0.0, V1.0.1 and V1.0.2, each marked with a vulnerability discovered and a vulnerability fixed]
Example: OpenSSL releasing 3.0.7 today
Open Source Security Today: Increased Awareness
• Identify Inventory: Software Bill of Materials (SBOM)
• Security Scans: Vulnerability Detection
• Apply Fixes: Patches
Dependencies and Vulnerabilities
• Open source library reusability
• Depending on the programming language, libraries can have up to thousands of dependencies
• A real risk for all software when there are vulnerabilities in dependencies
* Sources: graphcommons.com
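As an added example (not part of the deck, and not OpenLogic's or Perforce's tooling), the following Python script walks through the three steps on the Open Source Security Today slide, inventory, scan, fix, over a constructed SBOM with transitive dependencies, and also applies the end-of-life check from the Risks of Ignoring End-of-Life slide. Every component name, version, advisory id (the ADV-000x placeholders are not real CVEs) and EOL date is constructed for illustration. The point it shows that the bullets alone do not: the inventory must be resolved transitively (a vulnerable library two levels down still counts), version comparison must be numeric rather than lexical (0.9.5 is older than 0.10.0), and an advisory for a component that is not actually in the deployable's dependency tree should not be reported against it.

```python
"""Added example (not from the deck or from OpenLogic): inventory -> scan -> fix
over a constructed SBOM, plus an end-of-life check for each release line.
Every name, version, advisory id and date below is constructed for illustration."""
from datetime import date

# Constructed CycloneDX-style inventory: each component's version and direct dependencies.
SBOM = {
    "web-app":  {"version": "2.3.0", "depends_on": ["http-lib", "log-lib"]},
    "http-lib": {"version": "1.0.1", "depends_on": ["tls-lib"]},
    "log-lib":  {"version": "4.2.0", "depends_on": ["json-lib"]},
    "tls-lib":  {"version": "1.0.1", "depends_on": []},
    "json-lib": {"version": "0.9.5", "depends_on": []},
    "cli-tool": {"version": "3.1.0", "depends_on": []},   # listed, but not reachable from web-app
}

# Constructed advisories (placeholder ids, not real CVEs); the affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-0001-placeholder", "component": "tls-lib",  "introduced": "1.0.0", "fixed": "1.0.2"},
    {"id": "ADV-0002-placeholder", "component": "json-lib", "introduced": "0.9.0", "fixed": "0.10.0"},
    {"id": "ADV-0003-placeholder", "component": "cli-tool", "introduced": "3.0.0", "fixed": "3.2.0"},
]

# Constructed end-of-life table keyed by (component, major.minor release line).
EOL = {
    ("log-lib", "4.2"): date(2022, 1, 1),
    ("web-app", "2.3"): date(2030, 1, 1),
}

ASSESSMENT_DATE = date(2022, 10, 28)   # constructed "today" for the EOL check


def parse_version(text):
    """'1.0.2' -> (1, 0, 2). Tuples compare numerically; as strings '0.9.5' would sort after '0.10.0'."""
    return tuple(int(part) for part in text.split("."))


def transitive_deps(sbom, root):
    """Every component reachable from root, excluding root itself (iterative, so cycles are safe)."""
    seen, stack = set(), list(sbom[root]["depends_on"])
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        stack.extend(sbom[name]["depends_on"])
    return seen


def find_vulnerable(sbom, advisories):
    """Components whose installed version lies inside an advisory's [introduced, fixed) range."""
    findings = []
    for adv in advisories:
        comp = sbom.get(adv["component"])
        if comp is None:            # advisory is about something not in this inventory
            continue
        installed = parse_version(comp["version"])
        if parse_version(adv["introduced"]) <= installed < parse_version(adv["fixed"]):
            findings.append({"component": adv["component"], "installed": comp["version"],
                             "advisory": adv["id"], "fix": adv["fixed"]})
    return findings


def find_eol(sbom, eol_table, today):
    """Components whose major.minor release line has already passed its end-of-life date."""
    findings = []
    for name, comp in sbom.items():
        line = ".".join(comp["version"].split(".")[:2])
        eol_date = eol_table.get((name, line))
        if eol_date is not None and eol_date <= today:
            findings.append({"component": name, "installed": comp["version"],
                             "eol": eol_date.isoformat()})
    return findings


def assess(sbom, advisories, eol_table, today, root):
    """Inventory -> scan -> fix list for one deployable, scoped to what it actually ships."""
    inventory = {root} | transitive_deps(sbom, root)
    scoped = {name: sbom[name] for name in inventory}
    return {
        "inventory": sorted(inventory),
        "vulnerable": find_vulnerable(scoped, advisories),
        "end_of_life": find_eol(scoped, eol_table, today),
    }


if __name__ == "__main__":
    report = assess(SBOM, ADVISORIES, EOL, ASSESSMENT_DATE, "web-app")
    print("inventory:", ", ".join(report["inventory"]))
    for f in report["vulnerable"]:
        print(f"{f['component']} {f['installed']}: {f['advisory']} -> upgrade to {f['fix']}")
    for f in report["end_of_life"]:
        print(f"{f['component']} {f['installed']}: release line end-of-life since {f['eol']}")
```

Run as a script it reports the two transitive findings (tls-lib and json-lib, each with the version to upgrade to) and the end-of-life log-lib line, while the advisory for cli-tool is ignored because cli-tool is not in web-app's dependency tree. A real pipeline would load the SBOM from the build, the advisories from a vulnerability database, and the EOL dates from the project's published schedule; the scoping and comparison logic stays the same.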
Open Source Software Security Mobilization Plan
• Education
• Risk Assessment: Top 10K OSS
• Digital Signatures
• Move to Memory Safe Languages
• Incident Response Team
• Coordinated Public Disclosure
• Code Reviews: Top 200 OSS
• Industry Data Sharing
• SBOM Everywhere
• Enhance Package Management
ISO/IEC 5230 OpenChain Standard (License Risk)
• Organization-level license compliance for every OSS artifact
• Documented process
• SBOM verification
• Open source community engagement
Open Source and US Government
• White House Executive Order on Improving Cybersecurity - Working Groups
• H.R. 7667 Medical Device Security Bill – Vulnerability detection and SBOMs directive
• The Federal Trade Commission (FTC) advised companies to patch Log4j – Legal Action
Open Source and US Government (continued)
• Cybersecurity and Infrastructure Security Agency (CISA) – Binding directive making vulnerability disclosure mandatory
• National Security Strategy - Aligning with Orgs & OSS
• US Senate Securing Open Source Software Act – Best practices assessment framework, OSPO, and hiring OSS experts
Open Source Maturity in Organizations
[Figure: maturity stages plotted as desired position/efforts against time]
• Consumers: Adopting (cost, time, or modernize); deploying and complying with licenses
• Participants: Limited contributions to open source; increased use & adoption, business-critical
• Contributor: Contributions to open source projects; investment in open source technologies
• Leader: Launching new open projects & initiatives; establishing an Open Source Program Office
Maturity in Organizations by the Numbers
• Retail has the highest OSS usage, at 60%
• Manufacturing has the lowest rate of experts, 30%
• Banking, Insurance and Financial Services have the most innersource, 19%
• Healthcare and Pharma have the highest rate of OSPOs, 21%
* Sources: 2022 State of Open Source Report
Open Source Jobs Report
Source: The Linux Foundation OSS Jobs Report
• 93% of employers have difficulty finding talent with OSS skills
• 77% of orgs are growing their use of cloud-native technologies
• Most in-demand skills: Cloud/Container Technology, Linux, DevOps/GitOps, Cybersecurity, AI/ML, Web Technologies
• 81% of open source professionals plan to add certifications
Key Takeaways
§ Open source release life cycles, EOL and LTS are constantly changing
§ Lessons from CentOS and AngularJS EOL
§ OSS communities work on security; the key is to keep up with updates and patches
§ There’s more Open Source Security Awareness and Government participation
Has your organization increased the use of open source software over the last year?
• Yes: 41%
• Yes, significantly: 36%
YES (combined): 77%
Latest Results: Has your organization increased the use of open source software over the last year?
• Yes: 50%
• Yes, significantly: 35%
YES (combined): 85%
Participate in the 2023 State of Open Source: www.research.net/r/state-of-oss
Thank You!
Chief Evangelist & Sr. Director Product Management
@jperezp_bos
javierperez.mozello.com
www.linkedin.com/in/javierperez
Javier Perez

All Things Open 2022 - State of OSS Security & Support
