
Risk

4/20/2015
12:00 AM
Dark Reading
Products and Releases

Most Companies Lack Formal Policies to Manage Open Source Security Risks

North Bridge and Black Duck Software announce ninth annual Future of Open Source survey results, revealing trends in corporate OSS use

Burlington, MA – April 16, 2015 – Black Duck Software, the leading OSS Logistics solutions provider enabling the secure management of open source code, and North Bridge, a seed-to-growth venture capital firm, today announced the results of the ninth annual Future of Open Source Survey, which investigates open source software (OSS) trends on a yearly basis. The results from the 2015 survey reflect the increasing adoption of open source and highlight the abundance of organizations participating in the open source community. The need for formal policies and management is growing as open source use becomes increasingly pervasive.

“We look forward to analyzing the results of the Future of Open Source survey each year as it helps us validate the trends we’ve seen with customers to help discover open source in a company’s code base, identify known security vulnerabilities, and track remediation,” said Lou Shipley, CEO, Black Duck Software. “In the results this year, it has become more evident that companies need their management and governance of open source to catch up to their usage. This is critical to reducing potential security, legal, and operational risks while allowing companies to reap the full benefits OSS provides.”

The abundance of corporate open source adoption and participation across industries, and companies of all sizes, has reached an all-time high. Even companies that may have historically relied on more proprietary technologies are realizing they face a competitive disadvantage by not participating in open source projects. Survey results highlight record levels of corporate participation in open source, as well as the greater impact it is having on technology and security. Open source continues to speed innovation, disrupt industries, and improve productivity; however, a reported lack of formal company policies and processes around its consumption points to a need for OSS management and security practices to catch up with this growth in investment and use.

Corporate Open Source Use and Participation Reaches All-Time High

· Seventy-eight percent of respondents said their companies run part or all of their operations on OSS, and 66 percent said their company creates software for customers built on open source. This statistic has nearly doubled since 2010, when 42 percent of respondents to the Future of Open Source survey said they used open source in running their business or their IT environments.

· Ninety-three percent said their organization’s use of open source increased or remained the same in the past year.

· Sixty-four percent of companies currently participate in open source projects – up from 50 percent in 2014 – and over the next 2-3 years, 88 percent are expected to increase contributions to open source projects.

· Open source has become the default approach for software, with more than 66 percent of respondents saying they consider OSS before other options.

OSS Shapes the Future of Technology and Security

· Fifty-eight percent believe open source affords the greatest ability to scale, and 43 percent said OSS provides superior ease of deployment over proprietary software.

· Fifty-five percent believe open source delivers superior security when lined up against proprietary solutions. The share expecting open source to deliver superior security is projected to rise to 61 percent over the next 2-3 years.

· When evaluating security technologies for internal use, 45 percent of respondents said open source options are given first consideration.

· Cloud computing (39%), big data (35%), operating systems (33%), and the Internet of Things (31%) are expected to be impacted most by open source in the next 2-3 years.

Companies Still Lack Formal Policies to Manage Open Source Use

· More than 55 percent of respondents said their company has no formal policy or procedure for open source consumption. Moreover, only 27 percent have a formal policy for employee contributions to OSS projects.

· A mere 16 percent have an automated code approval process, and less than 42 percent maintain an inventory of open source components.

· More than 50 percent are not satisfied with their ability to understand known security vulnerabilities in open source components, and only 17 percent plan to monitor open source code for security vulnerabilities.

“Open source has solidified its position as the default base for software development. It is infiltrating almost every facet of the modern enterprise and is outperforming proprietary packages on quality, cost, customization and security. In the startup community we are seeing a continued wave of open source born companies – the next wave of Red Hat, Acquia and Ubuntu – while at the same time seeing traditional IT leaders such as H-P and Microsoft grafting open source DNA into their core,” said Paul Santinelli, General Partner at North Bridge. “In the coming years, we will see open source unlock the potential of a new generation of technologies – the Internet of Things, big data and cloud computing – creating many billions in value.”

Don’t miss the live panel discussion of this year’s Future of Open Source Survey results. Register for the April 16th webinar at 2pm EST for real-world insights from the following open source industry experts:

· Jeffrey Hammond, Principal Analyst at Forrester Research (@jhammond)

· Paul Santinelli, Partner at North Bridge Venture Partners (@paulsantinelli)

· Jane Silber, CEO of Canonical (@silbs)

· Bill Weinberg, Senior Director of Open Source Strategy at Black Duck Software (@LinuxPundit)

For more survey data, visit: http://www.slideshare.net/blackducksoftware/2015-future-of-open-source-survey-results. Follow @futureofOSS and join the #FutureOSS conversations on Twitter. Visit www.northbridge.com/open-source for all surveys published since 2008 and read more about the industry at the Open Source Delivers blog.

About Black Duck Software

Black Duck Software is the leading OSS Logistics solution provider, enabling enterprises of every size to securely manage open source code and optimize the opportunities that come with open source adoption and management. As part of the greater open source community, Black Duck connects developers to comprehensive open source software (OSS) resources through The Black Duck Open Hub (formerly Ohloh) and to the latest commentary from industry experts through the Open Source Delivers blog. Black Duck is headquartered in Boston and has offices in San Mateo, London, Paris, Frankfurt, Hong Kong, Tokyo, Seoul, and Beijing. For more information about how to leverage open source to deliver faster innovation, greater creativity, and improved efficiency, visit www.blackducksoftware.com and follow the company at @black_duck_sw.

About North Bridge

North Bridge actively partners with founders and entrepreneurs of market-leading companies, who are using technology to disrupt and reinvent big markets. With $3.8 billion of capital under management, the firm has funded more than 170 companies creating many billions in market value. Among those firms are Acquia, Actifio, Clarity Software Systems, Dyn, Demandware, Proto Labs, Starent Networks, Seniorlink, Smart Pak and Valence Health. The firm has offices in Waltham, MA and Palo Alto, CA. To learn more about North Bridge go to www.northbridge.com and follow the company @North_Bridge.
