There’s no doubt open source is everywhere. Gartner boldly predicted back in 2008 that within four years, 80 percent of commercial applications would use open source software (OSS) components. By 2016, the analysts estimated that only about 2 percent of the Global 2000 companies were not using any open source code in mission-critical applications.
These predictions match our experience from hundreds of recent OSS audits performed by Rogue Wave Software for our customers. In 2016, 98 percent of all applications audited and 45 percent of the total files scanned contained OSS. Companies continue to gain strategic competitive advantages when adopting open source, driven by lower total cost of ownership and faster time to market.
However, open source adoption introduces two risk factors to the enterprise: license compliance and security vulnerabilities.
Understanding OSS licenses and how to properly interpret them is a unique skill. It’s very easy and common to overlook licensing compliance requirements until legal action is underway.
According to the Rogue Wave 2017 Open Source Support Report, 82 percent of code bases scanned by Rogue Wave have copyleft licenses. Use of such licenses requires organizations to provide access to the source code when the application is distributed. Sixty percent of applications audited contained strong copyleft licenses, which require companies to open source their own code. Twenty percent of the applications audited contained licenses preventing any use for commercial purposes entirely.
Applications are rarely developed from scratch; developers greatly benefit from OSS functionality when building applications. However, companies also inherit all the security vulnerabilities of these OSS components and their dependencies. Most IT organizations do not effectively track the origin of the open source code in their applications. Companies also don’t usually maintain an accurate inventory of open source, and even when they attempt to comply, it’s difficult to clearly associate fragments of open source with their related vulnerabilities. Industry surveys show that only about 30 percent follow a policy when using or acquiring OSS, and enforcement of these policies is often very tricky.
To mitigate these risks, it’s important for organizations to gain visibility and control of their OSS licensing and security, and that starts by adopting an encompassing OSS acquisition policy.
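The visibility described above starts with an inventory that ties each component to its license obligations and to known advisories. The following is an added illustration, not Rogue Wave’s audit tooling: it parses a constructed dependency manifest, applies a small license policy (permissive, weak copyleft, strong copyleft, non-commercial) that depends on whether the application is distributed, and matches component versions against a constructed advisory list. All package names, versions, licenses and advisory ranges are hypothetical sample data.

```python
"""Inventory-and-policy check over a dependency manifest (added example).

The manifest, license policy and advisory list below are constructed sample
data for illustration; they are not a real project's or a real advisory feed's.
"""
from dataclasses import dataclass

# Constructed manifest in "name==version (license)" form, as a team might
# export it from a build system. Package names are hypothetical.
SAMPLE_MANIFEST = """\
fastjsonlib==1.4.2 (MIT)
imagecore==0.9.1 (GPL-3.0)
netutils==2.1.0 (LGPL-2.1)
chartkit==3.0.5 (CC-BY-NC-4.0)
loghelper==1.0.0 (Apache-2.0)
"""

# Constructed policy: how each license family is treated on distribution.
LICENSE_POLICY = {
    "MIT": "permissive",
    "Apache-2.0": "permissive",
    "BSD-3-Clause": "permissive",
    "LGPL-2.1": "weak-copyleft",       # source of the component itself must be offered
    "GPL-3.0": "strong-copyleft",      # may require opening the linking application
    "CC-BY-NC-4.0": "non-commercial",  # no commercial use at all
}

# Constructed advisories: (package, first affected version, first fixed version).
ADVISORIES = [
    ("fastjsonlib", "1.0.0", "1.4.3"),
    ("netutils", "2.0.0", "2.0.9"),
]


@dataclass
class Component:
    name: str
    version: str
    license_id: str


@dataclass
class Finding:
    component: str
    kind: str    # "license" or "vulnerability"
    detail: str


def parse_version(v):
    """Turn a dotted numeric version into a comparable tuple."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text):
    """Build the component inventory from the manifest text."""
    components = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name_ver, _, lic = line.partition(" (")
        name, _, version = name_ver.partition("==")
        components.append(Component(name, version, lic.rstrip(")")))
    return components


def check_licenses(components, policy=LICENSE_POLICY, distributed=True):
    """Flag components whose license family conflicts with the policy."""
    findings = []
    for c in components:
        family = policy.get(c.license_id, "unknown")
        if family == "unknown":
            findings.append(Finding(c.name, "license", f"unrecognised license {c.license_id}; review before use"))
        elif family == "non-commercial":
            findings.append(Finding(c.name, "license", f"{c.license_id} forbids commercial use"))
        elif distributed and family == "strong-copyleft":
            findings.append(Finding(c.name, "license", f"{c.license_id}: distributing may require releasing your own source"))
        elif distributed and family == "weak-copyleft":
            findings.append(Finding(c.name, "license", f"{c.license_id}: component source must be offered on distribution"))
    return findings


def check_vulnerabilities(components, advisories=ADVISORIES):
    """Match inventory versions against the advisory ranges [affected, fixed)."""
    findings = []
    for c in components:
        v = parse_version(c.version)
        for pkg, first_affected, fixed in advisories:
            if pkg == c.name and parse_version(first_affected) <= v < parse_version(fixed):
                findings.append(Finding(c.name, "vulnerability", f"{c.version} affected; upgrade to >= {fixed}"))
    return findings


def audit(manifest_text, distributed=True):
    """Full pass: inventory, then license and vulnerability findings."""
    comps = parse_manifest(manifest_text)
    return check_licenses(comps, distributed=distributed) + check_vulnerabilities(comps)


if __name__ == "__main__":
    for f in audit(SAMPLE_MANIFEST):
        print(f"{f.kind:14} {f.component:12} {f.detail}")
```

On the sample data this reports three license findings (the GPL and LGPL components because the application is distributed, and the non-commercial component regardless) and one vulnerability finding: netutils 2.1.0 is above the fixed version and is correctly left alone. Passing `distributed=False` drops the two copyleft findings, which is the point of encoding the policy rather than just the license name.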
In our next blog, we’ll discuss the challenges of establishing an OSS acquisition policy and the shift from on-premise to expert OSS audits.
In the meantime:
• Download the 2017 Open Source Support Report and see how to adopt the expertise to design, develop, and improve all aspects of your OSS use.
• Sign up for OpenUpdate, a weekly newsletter with information you need to keep critical enterprise systems up-to-date, online, and secure.