A new report from Bitkom reveals that among companies that use open source, many aren’t sure of the best way to approach open source risk management.
It’s the season for open source reports. The Synopsys Cybersecurity Research Center (CyRC) team is hard at work on the 2020 edition of our annual Open Source Security and Risk Analysis (OSSRA) report, and two other interesting reports focused on open source use have just been released.
I’ve already blogged on the Linux Foundation / Laboratory for Innovation Science at Harvard Vulnerabilities in the Core report, and have just finished reading a translation of Bitkom’s Open Source Monitor, a survey of over 800 German companies on their use of open source. Synopsys was involved with both reports—as one of the software composition analysis companies providing data for the Linux Foundation / LISH report and as one of nine partners supporting the Bitkom survey.
“First,” as the Open Source Monitor survey opens, “the good news.” Nearly 70% of the companies surveyed in Germany (all with at least 100 employees) use open source. That figure increases dramatically when a company approaches enterprise-level size. Seven out of ten companies with 200–499 employees stated that they use open source. Three-quarters with 500–1,999 employees (78%), and as much as 86% with 2,000 or more employees, use open source either internally or for customer products and solutions.
The survey also found that more than half of the surveyed companies use open source “as is,” with no change in the code. Containers, big data and analytics, and cloud computing were the top three technologies—interestingly, all three relatively still-emerging technologies—that companies were using open source components for.
As could be expected—since a primary justification of open source is heightened developer productivity at lower costs—cost savings was cited by the surveyed companies as a major advantage of open source use. Cost savings was followed by better security, freedom from the restrictions of proprietary solutions, and the backing of active communities to address issues and improve code. On the reverse side, the survey notes (1) a lack of resources skilled in open source use and (2) security and licensing issues as concerns of those companies.
The ambivalence about open source shown by the surveyed companies—some seeing security as a distinct advantage but others seeing it as a concern—is something we also saw reflected in last year’s OSSRA report, and probably for the same reasons.
Perhaps your company has policies and processes to manage your use of open source and to keep open source components updated, patched, and secure against known vulnerabilities. If so, you’re probably going to feel that using open source has a distinct advantage over proprietary code thanks to the speed at which known open source vulnerabilities are usually patched by their communities. But if your company doesn’t have those policies and procedures in place, you’re going to worry about open source security.
If your company doesn’t keep an accurate, up-to-date inventory of the open source you’re using (a software bill of materials), not only will you worry about open source security and code quality issues, but you’ll also worry about licensing compliance. And rightly so.
Now for the bad news. As the Open Source Monitor survey reflects, the majority of the companies surveyed have a way to go before their management of open source catches up with their use of open source.
Seventy-nine percent of all the companies surveyed said they have not defined compliance policies (in the sense of license compliance) concerning their open source use, rather than a broader policy that also embraces management of open source security and code quality. The only improvement seen in the survey’s compliance figures comes when the company is integrating open source components into products or solutions for their own customers. In that case, 58% have an open source compliance policy in place—although the 42% that do not should still be of concern.
The Open Source Monitor report notes that many of the companies surveyed appear to be deterred by the complexity of license compliance. This finding is possibly a reflection that they are still in the early stages of maturity when it comes to developing a comprehensive open source risk management strategy. Organizations relying on manual methods like spreadsheets to track their open source—or not using any method at all—are often discouraged by the thought of how putting a compliance strategy in place might affect productivity and costs.
A manual approach to open source vulnerability management can indeed have many drawbacks, including poor accuracy, reduced productivity, and high costs. But while it may seem easier for some companies to just keep doing what they’re doing and hope for the best, there is a much better alternative.
Many organizations turn to an automated solution such as Synopsys’ Black Duck software composition analysis to simplify and automate open source risk management, enabling them to effectively inventory open source in their code, protect against security and other open source risks, and enforce open source compliance policies.
You can find the German Bitkom 2019 Open Source Monitor report here (an English language version is in the works). The report includes a detailed breakdown of various German industries’ use of open source, including automobile manufacturing, financial service providers, energy, IT and telecommunications, traffic and logistics, and public administration.