Open source adoption: Risk factors for the enterprise

There’s no doubt open source is everywhere. Gartner boldly predicted back in 2008 that within four years, 80 percent of commercial applications would use open source software (OSS) components. By 2016, the analysts estimated that only about 2 percent of the Global 2000 companies were not using any open source code in mission-critical applications.

These predictions match our experience from hundreds of recent OSS audits performed by Rogue Wave Software for our customers. In 2016, 98 percent of all applications audited and 45 percent of the total files scanned contained OSS. Companies continue to gain strategic competitive advantages when adopting open source, driven by lower total cost of ownership and faster time to market.

However, open source adoption introduces two risk factors to the enterprise: License compliance and security vulnerabilities.

License compliance

Understanding OSS licenses and how to properly interpret them is a unique skill. It’s very easy and common to overlook licensing compliance requirements until legal action is underway.

According to the Rogue Wave 2017 Open Source Support Report, 82 percent of code bases scanned by Rogue Wave contain copyleft licenses. Such licenses require organizations to provide access to the source code when the application is distributed. Sixty percent of applications audited contained strong copyleft licenses, which require companies to open source their own code. Twenty percent of the applications audited contained licenses that prevent any commercial use at all.

Security vulnerabilities

Applications are rarely developed from scratch; developers benefit greatly from OSS functionality when building applications. However, companies also inherit all the security vulnerabilities of these OSS components and their dependencies. Most IT organizations do not effectively track the origin of the open source code in their applications. Companies also rarely maintain an accurate inventory of open source, and even when they try to comply, it is difficult to associate fragments of open source with their related vulnerabilities. Industry surveys show that only about 30 percent follow a policy when using or acquiring OSS, and enforcing those policies is often very tricky.
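Both risk factors above come down to the same missing artifact: an accurate component inventory that can be checked against a license policy and against known advisories. The script below is an added example written for this post, not Rogue Wave code or output from its audit tooling. The inventory, the license-category table, the advisories and the advisory identifiers (EXAMPLE-ADV-…) are all constructed placeholders; the category assigned to each license is an assumption for illustration, not a legal determination.

```python
"""Audit a constructed OSS inventory against a license policy and known advisories.

Added example: the inventory, advisories and license categories below are
constructed for illustration and do not describe any real product or audit.
"""
from dataclasses import dataclass

# Assumed mapping of SPDX-style license identifiers to policy categories.
LICENSE_CATEGORY = {
    "MIT": "permissive",
    "Apache-2.0": "permissive",
    "BSD-3-Clause": "permissive",
    "LGPL-2.1": "weak-copyleft",
    "MPL-2.0": "weak-copyleft",
    "GPL-2.0": "strong-copyleft",
    "GPL-3.0": "strong-copyleft",
    "AGPL-3.0": "strong-copyleft",
    "CC-BY-NC-4.0": "non-commercial",
}

# Assumed policy for a distributed commercial product: strong copyleft would
# force release of the company's own code, non-commercial licenses forbid the
# use outright. Anything the table does not know is flagged for review too.
DISALLOWED_FOR_DISTRIBUTION = {"strong-copyleft", "non-commercial"}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str


@dataclass(frozen=True)
class Advisory:
    component: str
    affected_below: str  # every version strictly below this one is affected
    fixed_in: str
    ref: str             # placeholder advisory id, constructed for the example


def parse_version(version):
    """Turn '1.10.2' into (1, 10, 2) so tuples compare numerically.

    Only plain dotted-integer versions are handled; pre-release tags such as
    '2.0.0-rc1' would need a richer parser.
    """
    return tuple(int(part) for part in version.split("."))


def license_findings(inventory, disallowed=DISALLOWED_FOR_DISTRIBUTION):
    """Return (name, license, category) for every component the policy rejects."""
    findings = []
    for component in inventory:
        category = LICENSE_CATEGORY.get(component.license, "unknown")
        if category in disallowed or category == "unknown":
            findings.append((component.name, component.license, category))
    return findings


def vulnerability_findings(inventory, advisories):
    """Return (name, version, fixed_in, ref) for every component an advisory affects."""
    by_component = {}
    for advisory in advisories:
        by_component.setdefault(advisory.component, []).append(advisory)
    findings = []
    for component in inventory:
        for advisory in by_component.get(component.name, []):
            if parse_version(component.version) < parse_version(advisory.affected_below):
                findings.append((component.name, component.version,
                                 advisory.fixed_in, advisory.ref))
    return findings


# Constructed inventory: what an audit might enumerate from one application.
INVENTORY = [
    Component("log-helper", "1.2.0", "Apache-2.0"),
    Component("imgcodec", "0.9.3", "GPL-3.0"),
    Component("json-tiny", "2.0.1", "MIT"),
    Component("chartkit", "3.1.0", "CC-BY-NC-4.0"),
    Component("netparse", "4.0.2", "Unlicensed-Snippet"),  # copied-in code, no license recorded
]

# Constructed advisories with placeholder identifiers.
ADVISORIES = [
    Advisory("log-helper", affected_below="1.3.0", fixed_in="1.3.0", ref="EXAMPLE-ADV-0001"),
    Advisory("json-tiny", affected_below="2.0.0", fixed_in="2.0.0", ref="EXAMPLE-ADV-0002"),
]


def audit(inventory=INVENTORY, advisories=ADVISORIES):
    """Combine both checks into one report the way an OSS audit would present it."""
    return {
        "license": license_findings(inventory),
        "vulnerability": vulnerability_findings(inventory, advisories),
    }


if __name__ == "__main__":
    report = audit()
    for name, lic, category in report["license"]:
        print(f"LICENSE   {name}: {lic} ({category}) not permitted for distribution")
    for name, version, fixed_in, ref in report["vulnerability"]:
        print(f"VULN      {name} {version}: affected by {ref}, update to {fixed_in}")
```

Running it flags imgcodec and chartkit on license grounds, flags netparse because a pasted snippet with no recorded license cannot be cleared at all, and reports log-helper as needing an update while json-tiny, already at the fixed version, is left alone. The unknown-license branch is the important one: a component that never made it into the inventory with a license and version cannot be matched against either policy, which is the tracking gap the text describes.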

Next steps

To mitigate these risks, it’s important for organizations to gain visibility and control of their OSS licensing and security, and that starts by adopting an encompassing OSS acquisition policy.

In our next blog, we’ll discuss the challenges of establishing an OSS acquisition policy and the shift from on-premise to expert OSS audits.

In the meantime:

Download the 2017 Open Source Support Report and see how to adopt the expertise to design, develop, and improve all aspects of your OSS use.
Sign up for OpenUpdate, a weekly newsletter with information you need to keep critical enterprise systems up-to-date, online, and secure.

    Ido Benmoshe

    Ido Benmoshe is VP, global support and professional services, responsible for professional services, training, certification programs, technical support, and solution consulting.

    • Mike Schwartz

      The argument that FOSS software is less secure is speculative. When you look at the track record of commercial companies, Microsoft, Cisco, Oracle etc… what you see is that the security of their software is no better. In fact, a survey found fewer bugs per 1000 lines of open source code compared to commercial. I’d love to see the author back up his contention with some actual data.

      • Ido Benmoshe

        Thanks for your comment. The claim is not that OSS is less secure or less stable than commercial software. In fact the 2017 Open Source Support Report which analyzes actual support tickets and audits across hundreds of OSS packages shows similar distribution of cases compared to commercial software where about 80% of reported issues are related to usage and configuration not bugs. The claim made is that OSS makes its way into applications or IT environments in different ways and the majority of companies do not effectively track all OSS packages used. We see an average of over 60 different OSS components (from full packages to code snippets) in the applications we scan. When companies are not aware of their OSS inventory they face the risk of not updating their OSS code when new security vulnerabilities are identified.

      • Ido Benmoshe

        Thanks for your comment. The claim is not that OSS is less secure or stable than commercial software. In fact the 2017 OSS Support report which analyzes actual support tickets and audits across hundreds of OSS packages shows similar distribution of cases compared to commercial software where about 80% of reported issues are related to usage and configuration not bugs. The claim made is that security is a concern as OSS finds its way into applications or IT environments in different ways and a large percentage of companies do not effectively track all OSS sources and packages used. We see an average of over 60 different OSS components, from full packages to code snippets in applications we scan. When companies are not aware of their OSS inventory and dependencies, they face security risks because they do not realize that their OSS code needs updating as new security vulnerabilities are identified and fixed.

        • Mike Schwartz

          Do enterprises do a better job of keeping commercial components up to date? Once an app is working, they are loath to touch it whether it’s using OSS or commercial components. Is the problem worse with Open Source? If not, then it’s not an “open source risk factor”; it’s just hard to keep software up-to-date in general.

          • Ido Benmoshe

            Not updating components exposes similar risks for both OSS and commercial code. The challenge you see more with OSS, assuming the projects are maintained, is awareness of what is actually being deployed. OSS is widely adopted and for many good reasons. Our OSS audits find open source code in 98% of the applications examined and average over 60 different OSS components per app. If you mostly use packaged OSS, for example Apache, MySQL, PHP, Zend Framework, Linux distros, etc., or know which components you are using, it is easier to track and maintain. But OSS code makes its way into the enterprise by different routes across multiple applications – acquired apps, outsourced apps, in-house development, code snippets, libraries, other dependencies, etc. Many companies just do not maintain their OSS inventory.