Many open source management practices are ineffective, resulting in unnecessary risk, too much work and undue cost, survey finds
A recent WhiteSource survey of over 120 R&D managers, information security managers, legal experts and compliance professionals examined how companies manage open source with regard to license risks and compliance, as well as security vulnerability management.
The research shows that while virtually all developers use open source extensively, and while most companies spend substantial resources on managing their open source inventory (often implicitly), this effort is largely ineffective, resulting in unnecessary risk, as well as too much work and undue cost.
- 74% of companies spend time and sometimes money to ensure they are properly managing their open source adoption; 12.5% have developed some internal tools; and 10% have purchased software for that purpose.
- Still, 53% companies do not have an up-to-date inventory of all the open source libraries they use. Due to the large effort involved when using traditional solutions such as code scanners, another 29% produce such inventory only once in a few months, e.g., for a major release, or for M&A or OEM. Only 18% become aware of new open source as soon as it is first used by developers.
- Most companies do not have a clear policy with regard to open source licenses, security, and update/patches, or leave these issues to the (often informal) responsibility of individual developers.
– When it comes to licensing, 75% do not have a clear and enforced policy, and only 9% use automated tools to enforce the policies they have.
– When it comes to security vulnerabilities, 74% do not have a process for knowing about security vulnerabilities that arise in open source they use; 13.5% react to such issues when told; and only 12.5% are actively monitoring for security issues.
- Many companies lack management visibility and consistent governance. In 81% of the cases, open source management is left to individual developers or low-level development teams. Only 19% of companies have central guidance and oversight.
“The numbers reported in our survey are probably skewed upward quite substantially because they were taken from companies that exhibit interest in this subject. Many companies spend significant efforts tracking open source usage. These efforts are usually manual and laborious, done by the wrong people (developers), often at the wrong time (in the crunch of a release or OEM/M&A transaction), and are therefore very expensive and extremely ineffective. Most importantly, judging by the results, they simply do not do the job.” said Rami Sass, Co-Founder and CEO of WhiteSource.
“New technologies such as WhiteSource make it easy to continuously track open source usage, and automatically enforce licensing and security policies. WhiteSource plugs into the build server and becomes a native part of the software development lifecycle without burdening developers. New open source modules are discovered as soon as they are added by developers. Their licenses (and those of all of their dependencies) are automatically compared to the company licensing policies, initiating the appropriate approve/reject workflow if necessary. WhiteSource continues to track each open source in use, and will proactively notify each project manager in case of new vulnerabilities or patches”. He added
WhiteSource provides easy-to-use solutions for managing the usage of open source components by developers,to ensure license compliance and reduce security and quality risks.
WhiteSource easily plugs itself into the software development lifecycle, and automatically detects new open source components as soon as they are being entered by developers. Thereafter, WhiteSource continuously provides (1) comprehensive and up-to-date open source inventory reports (down to the last dependency); (2) license risks analysis and compliance reports; and (3) proactive alerts on security vulnerabilities whenever discovered, as well as available fixes.
WhiteSource is easy to setup, requires no training to use, and completely removes the burden from developers. The service is affordable to companies of all sizes. For more information, visit: www.whitesourcesoftware.com.