This document summarizes the findings of a survey about open source software usage. It finds that open source usage has increased significantly and is now core to most organizations' IT infrastructure. However, many organizations still do not have formal processes for managing open source use and risks. Common risks include unreviewed code, lack of responsibility for security issues, and incomplete vulnerability tracking. The document recommends that organizations improve open source governance, automate reviews, and participate more actively in open source communities to help address ongoing risks from open source use.
8. #OSS360
Open Source Awareness is Organization Wide
Legal Professional
VP/C-Level Executive
Development
Manager/Director
Other
Security Professional
Systems Architect/CTO
IT Operations/DevOps
Professional
Software Developer
65% of respondents are
developers, IT
operations, system
architects, security
professionals
10. #OSS360
60% Increased Open Source Usage
26% Remained Constant
Momentum for Open Source Continues to Increase
86% of organizations report Open Source use
increased or remained constant
11. #OSS360
Organizations Use Open Source to…
16%
28%
69%
69%
77%
Embed in hardware products
Develop open source software
Power our infrastructure
Create customer applications
Build internal applications
12. #OSS360
Open Source Fulfills Strategic Objectives
37%
44%
55%
55%
67%
84%
Availablity of skilled developers
Code quality and security
Rate of innovation
Functionality
Freedom to customize code
Low cost with no vendor lock-in
13. #OSS360
Open Source is Core to IT Infrastructure
52%
53%
57%
Systems Management/Operating Systems
Containers/DevOps/Virtualization/Cloud
Computing
Development Tools/Software Development
Lifecycle
14. #OSS360
The Impact of Open Source is Significant
55%
61%
63%
Improves interoperability of systems
Improves quality of solutions we build
Speeds innovation
16. #OSS360
Organizations Recognize Benefits to Participation
34%
46%
53%
Deliver product as open source
Encourage active engagement and
contributions
Fix and enhance existing projects
17. #OSS360
Contributions Reduce Overall Cost of Ownership
Shift From 2016
69% Fix Bugs
33% Reduce Costs
37%
38%
49%
55%
Gain competitive advantage
Fundamental to our product
strategy
Reduce development and support
costs
Fix bugs or add functionality
18. #OSS360
Open Source Community Involvement is Healthy and Growing
48%
said the number of people
contributing to open source in their
organization is increasing.
25%
have more than 50% of their
developers contributing to one
or more OSS projects
20. #OSS360
Organizations Understand Open Source Risks ….
53.5%
53.7%
54.6%
Comply with open source licenses
Monitor project and version usage
Aware of known security vulnerabilities
21. #OSS360
…. But Open Source is Still Unmanaged in Most Organizations
60%
don’t have a formal
process for managing
open source or are
unaware of one in their
organization
OVER
Other (please specify)
2%
I don’t know
16%
No, we do not have a
formal process
45%
Yes - Multiple
departmental processes
10%
Yes - standardized
company-wide process
27%
Other
37%
22. #OSS360
Respondents Highlighted Successful Open Source Policies …
33%
39%
39%
42%
Policy guidance in developer tools
Approved open source licenses
Approved open source components
Structured review process for components
23. #OSS360
… But Organizations Still Struggle With Enforcement
24% Policy provides recommendations
but is not reviewed or enforced
14% Code is manually reviewed but
policy is not consistently enforced
Only 15% indicated enforcement with automated controls,
while 25% review code via manual controls and enforcement
25. #OSS360
Organizations Highlight Ongoing Open Source Risks ….
61%
64%
66%
71%
74%
Adherence to internal development policies
Exposure of internal systems to exploitation
Intellectual property concerns
Exploitation of public facing applications
Unknown quality of components
26. #OSS360
50% Indicated open source reviews rely primarily on developer information
38% Don’t review code for open source
…. But Open Source Reviews Aren’t Thorough
45% review for open
source code usage
during development
27. #OSS360
Open Source Code Review Models
23%
27%
28%
38%
String search and visual inspection
Internally developed tools
Third party tools
No open source code review
Over 60% had no
structured open source
code review process
28. #OSS360
Manual Vulnerability Assessments Challenge Security Orgs
25%
have no process for
identifying, tracking or
remediating known open
source vulnerabilities
OVER
50%
say internal resources
manually identify and track
remediation of known open
source vulnerabilities
OVER
29. #OSS360
57% Developers responsible for identifying and tracking open source vulnerabilities
40% Security Team takes ownership of tracking code usage
26% Nobody has explicit responsibility
Shift From 2016
50% revealed no team took
responsibility for tracking
open source vulnerabilities
Open Source Security Is a Shared Responsibility
31. #OSS360
2017 Insights
• The world’s appetite for open source software
continues at a furious pace.
• Open source solutions reduce development costs
and increase time to market
• Awareness of security risks in open source
components is increasing
• Even if organizations aren’t aware of their open
source usage, open source is present in IT
workloads in 90% of organizations
32. #OSS360
Open Source is Fundamental to Modern Software
Driving Us Forward
• Default development model for new apps
• Builds on the success of others
• Shares critical expertise between orgs
• Accelerates product innovation
• Solves critical business problems
• Improves IT processes
33. #OSS360
Challenges Ahead
• Effective management of open source is not keeping
pace with its increased usage
• High profile vulnerabilities highlight a need for
greater security process
• Lack of automation opens the
door to increased risk
34. #OSS360
Own Your Success – Participate in OSS Communities
Active community engagement …
• Increases project vibrancy
• Ensures project longevity and innovation
• Reduces security risks
• Ensures bugs are fixed quickly and properly
Get involved.
Build something amazing.
Have fun.
Welcome to the Open Source 360 webinar, now in its eleventh year. For those of you have seen the Future of OpenSource Survey from Black Duck and NorthBridge in past years, this is the 2017 incarnation of that work.
We want to extend a thank you to our collaborators, a survey of this magnitude would not be possible without your involvement. Our platinum collatorators extended the reach of the survey and were instrumental in understanding the impact of our results in a global marketplace. They also provided detailed case studies which are part of the slideshare deck on the Black Duck Software slideshare page. Today’s presentation contains a subset of this information and will also be on my slideshare. Attendees will receive links to these decks following our presentation.
http://slideshare.net/blackducksoftware
To set the stage for todays webinar, we’re going to start by looking at the core demographics behind the data and from there look at how open source is used in organizations. We’ll cover open source adoption, what “Open Source Risk” risk means, and how to manage and remediate those risks.
The Open Source 360° Survey included global participation from IT professionals in 91 countries. Major technology powerhouses such as the US, Germany, UK, Canada and India featured prominently in the results. Last year’s survey saw responses from 64 countries and the increase is partly attributable to the role open source technologies play in creating technology independence.
Infographic
Infographic
Infographic
Infographic
Infographic
Infographic
Most Organizations Encourage Developers and Contribute Bug Fixes. Some Go Well Beyond That.
Infographic
Infographic
Infographic
Infographic
Infographic
Even if organizations aren’t aware of their open source usage, open source is present in IT workloads in 90% of organizations