Only 32% of teams maintain a detailed record of the open-source components in their software stacks, according to a survey released today of 2,550 developers, architects and IT managers. This is caused by a variety of factors and can be rectified by having a strong open-source management policy, and by making sure teams enforce it, according to Charles Gold, chief marketing officer of software company Sonatype, which did the survey.
Gold said companies that do not maintain a “bill of materials,” or record of the components in their custom applications, are at risk for security vulnerabilities. “Open-source software does not [prompt] users to update,” he said, adding that fixes for some vulnerabilities have been available for years but have not been applied by companies because they lack insight into the components in their application stacks.
Sonatype’s newest product is a repository system called Insight, which the company described as a solution for tracking the bill of materials of open-source components used in projects, as part of an open-source governance plan.
Sonatype’s Open Source Software Development Survey also found that only 50% of those surveyed said their company has an open-source software policy, said Gold. For most of those, he added, the policy is either ineffective or crippling development cycles. He said this is both a technical problem and an awareness issue.
The IT department is not always aware of what is assembled in a custom software solution, he said, adding that developers, for the most part, take different pieces of open-source code and then write their own custom code on top of them. The problem is that if teams do not create and maintain a bill of materials for what they add, the IT department cannot stay on top of updates or swap out components as needed.
Despite these flaws, Sonatype found that more companies than before are using open-source components, and Gold said that most companies have standardized their infrastructure for using these stacks.
He said that Sonatype recommends that companies looking to establish an effective policy start by creating a bill of materials for all their mission-critical applications, and then educate teams on what can and cannot be used.
Finally, Gold said that teams should look into developing and deploying tools that can manage the open-source software and tools that give IT departments visibility into stacks.
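To make the recommendation concrete, here is an added example (not Sonatype's Insight product or any real project's code) of what a minimal bill of materials and policy check look like in practice: it parses a constructed package-lock.json-style manifest into a list of components with versions and licenses, then checks that list against a constructed policy that sets minimum versions and an allowed-license list. The component names, versions and policy values are all made up for illustration.

```python
"""Added example: build a bill of materials (BOM) from a dependency lockfile
and check it against an open-source policy. All sample data below is
constructed; this is not Sonatype's tooling or any real project's code."""
import json
from dataclasses import dataclass

# Constructed sample: a minimal package-lock.json-style manifest
SAMPLE_LOCKFILE = json.dumps({
    "name": "billing-service",
    "packages": {
        "node_modules/left-pad": {"version": "1.3.0", "license": "MIT"},
        "node_modules/lodash": {"version": "4.17.15", "license": "MIT"},
        "node_modules/gpl-lib": {"version": "2.0.0", "license": "GPL-3.0"},
    },
})

# Constructed policy: minimum acceptable versions (e.g. the first version
# carrying a known fix) and the licenses the organisation permits
POLICY = {
    "min_versions": {"lodash": "4.17.21"},
    "allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause"},
}


@dataclass(frozen=True)
class Component:
    """One entry in the bill of materials."""
    name: str
    version: str
    license: str


def parse_version(version):
    """Turn a plain dotted numeric version ('4.17.15') into a comparable tuple.
    Pre-release suffixes are not handled; a real tool would use a semver library."""
    return tuple(int(part) for part in version.split("."))


def build_bom(lockfile_text):
    """Produce the bill of materials: every installed package with its
    version and declared license, sorted by name."""
    data = json.loads(lockfile_text)
    bom = []
    for path, meta in data.get("packages", {}).items():
        if not path.startswith("node_modules/"):
            continue  # the root entry describes the project itself, not a dependency
        name = path.split("node_modules/")[-1]
        bom.append(Component(name, meta["version"], meta.get("license", "UNKNOWN")))
    return sorted(bom, key=lambda c: c.name)


def check_policy(bom, policy):
    """Return (component, reason) findings for every policy violation:
    a version below the required minimum, or a license not on the allowlist."""
    findings = []
    for component in bom:
        floor = policy["min_versions"].get(component.name)
        if floor and parse_version(component.version) < parse_version(floor):
            findings.append((component.name,
                             f"version {component.version} below minimum {floor}"))
        if component.license not in policy["allowed_licenses"]:
            findings.append((component.name,
                             f"license {component.license} not on allowlist"))
    return findings


if __name__ == "__main__":
    bom = build_bom(SAMPLE_LOCKFILE)
    for c in bom:
        print(f"{c.name} {c.version} ({c.license})")
    for name, reason in check_policy(bom, POLICY):
        print(f"VIOLATION: {name}: {reason}")
```

The point of the BOM is the first function: once the component list exists as data rather than tribal knowledge, the policy check in the second function is a few lines, and it can be rerun on every build so that an outdated component is flagged as soon as the policy's minimum version is raised.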