SILVER SPRING, MD--(Marketwired - Apr 30, 2013) - Sonatype, the leader in Component Lifecycle Management (CLM), today announced the findings of its annual Open Source Software Development Survey, which looks to identify how organizations adopt, use and support open-source software (OSS). This year's survey shows that open-source component use continues to skyrocket, with applications now more than 80 percent component-based, while at the same time organizations continue to struggle with establishing policy to secure and govern component use. According to the survey, 76 percent of organizations have no component management policies in place.
Now in its third year, the 2013 survey saw record participation from more than 3,500 developers, architects and managers across all industries, company sizes and geographic regions -- making it the largest, most comprehensive survey of its kind. The survey findings show that organizations of all sizes have embraced open-source components as the building blocks of modern software. But, the lack of internal controls and a failure to address security vulnerabilities throughout the software development lifecycle threatens the integrity of the software supply chain and exposes organizations to massive, unmanaged risk.
Also today, Sonatype announced Sonatype CLM, the first and only solution to secure the entire component lifecycle -- from design, development and deployment through to production. Ushering in a new era of application security aimed at eliminating risk in the modern software supply chain, Sonatype CLM addresses the security needs of the $86 billion custom application software market. It is also the first solution to directly address the 2013 Open Web Application Security Project (OWASP) Top Ten A9 provision: using components with known vulnerabilities.
Key Finding: Open Source Software is Vital to Modern, Agile Development
Open-source component usage has exploded. In 2012, Sonatype's Central Repository registered eight billion component downloads, an 800 percent increase in activity since its inception. Nearly 80 percent of the organizations surveyed report components found in Sonatype's Central Repository to be important or critical to their development efforts. An overwhelming 86 percent of those surveyed believe their applications are at least 80 percent open source with the remaining 20 percent custom components and code, illustrating a dramatic shift in how mission-critical software is built. This paradigm shift is forcing companies to rethink how they manage risk in the age of agile, component-based software development.
Key Finding: Lack of Open Source Policy and/or Enforcement Puts Organizations at Risk
While reliance on open-source components increases year-over-year, limitations on the visibility, control and management of their use continue to be a problem. Of the large organizations surveyed (companies with more than 500 developers), an astonishing 76 percent have no control over what components are being used in software development projects, and even more alarming is that 65 percent don't maintain an inventory of components used in production applications. Like operating systems or databases, open-source components represent a rich attack vector for hackers to exploit, given their commonality across organizations and applications.
Despite the widespread acceptance of component-based development, 57 percent of those surveyed lack any policy governing component usage. Organizations with open-source policies in place share that enforcement is a challenge and not a top priority. Developers cite as the biggest problems with open-source policy that it slows development, that expectations are unclear or policy is unenforced, and that problems are found too late in the development lifecycle.
The lack of policy enforcement may be due, in part, to confusion over who owns or is responsible for monitoring and managing open-source usage. No single, centralized authority governing open source emerged in the organizations that indicated having a corporate policy. Another contributing factor is that large organizations often are unaware that open source is even being used. Open-source standardization is seen more frequently in organizations with fewer than 500 developers -- but that doesn't mean large enterprises aren't using open-source frameworks and components. Of developers on large teams, 44 percent say they are standardizing on an open-source development infrastructure stack, with 33 percent stating, "It's not our corporate standard, but tons of people use it."
Key Finding: Security Takes a Back Seat to Developer Velocity
In addition to gauging how development teams embrace open-source components, the 2013 survey sought to determine how developers, architects and managers balance the need for speed with the need for security. For large enterprises (more than 500 developers), more than half shared that developers don't focus on security at all. Nearly 20 percent of this group shared that they know application security is important but don't have the time to spend on it, while almost one-third deferred responsibility to the security and risk management group entirely.
Even organizations with an open-source policy are doing very little to prevent security vulnerabilities from creeping in. Only 25 percent of respondents, or one in four organizations surveyed, must prove they're not using components with known vulnerabilities. But due to the high volume of dependencies for each component (often tens or hundreds) and the frequency of updates and changes (a typical component is updated four times per year), all organizations concede it's near impossible to monitor and maintain accurate component intelligence.
A Call to Action
Organizations are exposed to significant risks caused by their increasing reliance on open-source components. Component flaws are exceedingly common -- more than 70 percent of applications contain components with known security flaws classified as severe or critical. Everything from Big Data to cloud and mobile applications is exposed to unmanaged risk. While developers are on the front lines of application security, making choices every day that affect the quality and security of the applications that run the world, the pressure to add more features and put applications into production quickly comes at a devastating tradeoff -- to go fast or be secure. The survey findings suggest an overwhelming desire by developers for a non-intrusive way to proactively identify, govern and fix flawed components throughout the development lifecycle.
"Our world runs on software and software runs on open-source components," said Wayne Jackson, CEO of Sonatype. "Securing networks and operating systems is not enough to protect the critical data housed in modern applications. As the frontline of defense, developers must be empowered not burdened. A new approach to security is needed, one that balances speed, quality and risk. By informing component choice, pinpointing flaws early in the software lifecycle and offering flexible remediation options, enterprises can better protect against malicious exploit, maintain developer productivity and avoid downstream rework costs."
For a complete view of the survey results and methodology used, visit: http://www.sonatype.com/people/2013/04/sonatype-announces-results-from-oss-survey/. To learn more about best practices for enabling developers to go fast and be secure, visit the Sonatype CLM product page: www.sonatype.com/clm.
Sonatype is leading the component revolution. The company's innovative Component Lifecycle Management (CLM) products enable organizations to realize the promise of agile, component-based software development while avoiding security, quality and licensing risks. Sonatype operates the Central Repository, the industry's primary source for open-source components, serving more than eight billion requests per year from more than 70,000 organizations. The company has been a pioneer in component-based software development since its founding by Jason van Zyl, the creator of the Apache Maven build management system and Sonatype's Central Repository. Since that time, Sonatype has been a leader in core open-source software development ecosystem projects used by more than nine million developers including Nexus, m2eclipse, and Hudson. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Bay Partners, Hummer Winblad Venture Partners and Morgenthaler Ventures. Visit: www.sonatype.com or follow Sonatype on Twitter @Sonatype.
Apache, Apache Maven and Maven are trademarks of the Apache Software Foundation.