Why Do Only 37% of Companies Have Open Source Management Solutions?
With so many companies using open source software, it's a wonder that security and governance are not more pressing issues.
Open source turned 21 this year, following the launch of the Open Source Initiative in February 1998. With that milestone comes maturity: resilience, responsibility, approachability, and growth. Open source software (OSS) is ubiquitous and for a very good reason: it helps companies innovate better and faster. But there are still risks inherent in version updates, bug reports, patches and more.
These risks can be identified and managed through open source audits. I’ve been working in open source software (OSS) for a very long time. Just ten years ago, audits of OSS were considered optional parts of due diligence or adjunct to acquisitions. Today, they’re no longer optional. They reveal answers about who wrote the OSS, where it is deployed, any existing issues, and whether or not the issues have been fixed.
I haven’t counted, but I have probably done more than 1,000 open source audits over the years going back to 2007. (Back in those days, we dealt with things like BusyBox). I’ve seen companies maximize the full use of open source by implementing a quality open source management program. Open source clearly helps a company innovate and be successful. The companies that manage open source well are the same companies innovating with IoT and digital transformation. Financially speaking, these companies tend to be fast growing.
The opposite is also true: many companies are at risk—both for compliance and security—because they don’t put appropriate time and resources into managing their open source. Good management of open source is not hard or expensive to do, but it’s a business essential that requires focus and commitment.
What does this risk look like in practice? A well-known example, with wide-ranging ramifications for businesses and clients, comes from credit reporting agency Equifax. It suffered a data breach in 2017 that impacted an estimated 143 million people. (There’s a good chance your personal information was part of the leak.) An open source audit could have helped prevent this breach, had the vulnerable Apache 2.0 licensed Java web framework Struts2 been identified. Instead, that vulnerability was exploited.
Flexera recently looked at data from 134 open source audits done by our Software Composition Analysis (SCA) group. One of the most interesting things is still that, after all these years, only 37% of companies have open source management solutions in place.
That two-thirds of companies leave themselves open to serious vulnerabilities may be alarming. In fact, it should be. A lot of us who live and breathe open source might not be surprised by the rest of these stats, though.
The Flexera 2019 State of Open Source License Compliance report addresses these vulnerabilities in detail, but I want to call attention to a few key details:
Insights Before Audits
Most development teams use open source. A previous Flexera study shows that more than 50 percent of the code found in most commercial software packages is open source. However, if that code is unmanaged and not tracked through a formal structure that turns reactive steps into a proactive strategy, what you don’t know can hurt you. In the Flexera study, only 2 percent of the issues eventually uncovered were initially disclosed.
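One concrete form of that tracking is a component inventory matched against published advisories. The block below is an added example, not code from the article or from Flexera's SCA service: the manifest format, component names and advisory records are constructed placeholders (no real components or CVEs), and the convention that an affected range is [introduced, fixed) is an assumption of the example.

```python
"""Added example, not from the article or from Flexera's SCA tooling: a
minimal software-composition check that turns a dependency manifest into a
tracked inventory and matches it against advisories. The manifest,
component names and advisory records below are constructed placeholders."""
import re

# Constructed Maven-style manifest, one "group:artifact:version" per line.
MANIFEST = """\
# direct and transitive dependencies as resolved for the build
org.example:acme-web-framework:2.3.5
org.example:acme-json:1.9.0
org.example:acme-logging:3.1.2
"""

# Constructed advisories. Affected range is [introduced, fixed); fixed=None
# means no fixed release exists yet. IDs are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "component": "org.example:acme-web-framework",
     "introduced": "2.0.0", "fixed": "2.3.32", "severity": "critical"},
    {"id": "ADV-PLACEHOLDER-2", "component": "org.example:acme-json",
     "introduced": "1.0.0", "fixed": "1.8.0", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-3", "component": "org.example:acme-logging",
     "introduced": "3.1.0", "fixed": None, "severity": "medium"},
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version):
    """Turn '2.3.32' into (2, 3, 32) so comparison is numeric: as strings,
    '2.3.5' sorts after '2.3.32' and a vulnerable build would look patched."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    return parts + (0,) * (3 - len(parts))


def parse_manifest(text):
    """Return {'group:artifact': version}, skipping blanks and comments."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, artifact, version = line.split(":")
        inventory[f"{group}:{artifact}"] = version
    return inventory


def is_affected(version, advisory):
    """True if version lies in [introduced, fixed) for this advisory."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    return advisory["fixed"] is None or v < parse_version(advisory["fixed"])


def find_issues(inventory, advisories):
    """Match every advisory against the inventory; most severe first."""
    issues = []
    for adv in advisories:
        version = inventory.get(adv["component"])
        if version is not None and is_affected(version, adv):
            issues.append({"component": adv["component"], "version": version,
                           "advisory": adv["id"], "severity": adv["severity"],
                           "fixed_in": adv["fixed"]})
    return sorted(issues, key=lambda i: SEVERITY_ORDER[i["severity"]])


if __name__ == "__main__":
    for issue in find_issues(parse_manifest(MANIFEST), ADVISORIES):
        fix = issue["fixed_in"] or "no fixed release yet"
        print(f"{issue['severity']:8} {issue['component']} {issue['version']} "
              f"-> {issue['advisory']} (fixed in: {fix})")
```

The numeric version comparison is the part worth copying: a string comparison would rank 2.3.5 above 2.3.32 and silently clear the one critical finding, which is exactly the kind of thing an unmanaged inventory never notices.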
Frequency of Security and Compliance Issues
Highly critical issues may be lurking. On average, the Flexera audit teams find one issue within every 32,873 lines of code. That might sound like a small number, but it’s not, especially when you think about the sheer volume of lines of code that make up your software product. Most applications now have well over 1,000,000 lines of code (roughly 30 issues at that rate); many applications have more than 100,000,000 lines of code (roughly 3,042 issues).
Priority Levels
Flexera discovered an average of 367 issues per audit project and that 16 percent of those issues are Priority Level 1 (P1)—requiring immediate attention because they pose a critical compliance and/or security threat. Ten percent of issues found were P2 (secondary priority issues related to commercial and vanity licenses, often with unusual terms and conditions). The remaining 71 percent were P3 (low-risk hygiene issues related to permissive license issues, such as those under BSD, Apache, and MIT).
Scans vs. Forensic Studies
On average, deeper forensic analysis finds double the number of issues found in an overview. Forensic audits are ideal when extra caution is justified up front or when circumstances suggest that normal signs of third-party use (such as copyrights or license text) may have been removed. Forensic analysis includes extensive use of source code fingerprint analysis to identify and explain the origin of code, including partial matches such as fragments cut and pasted by developers.
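What such fingerprint matching looks like in code, as an added example that is not the article's and not Flexera's forensic tooling: it uses winnowing (Schleimer, Wilkerson and Aiken, 2003) as one standard fingerprinting approach, the three source snippets are constructed, and the k-gram size, window size, keyword set, copy threshold and the line-comment rule are assumptions chosen for the demo.

```python
"""Added example, not from the article or Flexera's forensic tooling: a small
source-code fingerprinter in the style of winnowing (Schleimer, Wilkerson and
Aiken, 2003) that finds partial cut-and-paste matches between a known open
source file and a candidate, even after identifiers were renamed and the
comments rewritten. All snippets below are constructed."""
import hashlib
import re

K = 5  # tokens per k-gram (assumed tuning for this demo)
W = 4  # winnowing window in k-grams (assumed tuning for this demo)
COPY_THRESHOLD = 0.5  # assumed: share of known fingerprints that flags a copy
# Tokens that carry structure; every other word is normalised to 'ID'.
KEYWORDS = {"def", "class", "return", "if", "else", "for", "in", "while",
            "and", "or", "not", "import", "from"}

def tokenize(src):
    """[(token, line_no)] with line comments stripped and identifiers
    normalised to 'ID', so renaming variables does not hide a copy.
    Simplification: a '#' inside a string literal is treated as a comment."""
    out = []
    for line_no, line in enumerate(src.splitlines(), 1):
        for tok in re.findall(r"[A-Za-z_]\w*|\d+|\S", line.split("#", 1)[0]):
            if (tok[0].isalpha() or tok[0] == "_") and tok not in KEYWORDS:
                tok = "ID"
            out.append((tok, line_no))
    return out

def kgram_hashes(tokens):
    """Deterministic 64-bit hash of every run of K tokens, with its start
    index (the built-in hash() is salted per process, so sha256 is used)."""
    out = []
    for i in range(len(tokens) - K + 1):
        gram = " ".join(tok for tok, _ in tokens[i:i + K]).encode()
        out.append((int.from_bytes(hashlib.sha256(gram).digest()[:8], "big"), i))
    return out

def winnow(hashes):
    """Minimum hash of each window of W consecutive k-grams, ties going to
    the rightmost position; returns {(hash, start_index)}."""
    return {min(hashes[i:i + W], key=lambda hp: (hp[0], -hp[1]))
            for i in range(len(hashes) - W + 1)}

def fingerprints(src):
    """Map each selected hash to the token indices where it was selected."""
    fp = {}
    for h, idx in winnow(kgram_hashes(tokenize(src))):
        fp.setdefault(h, set()).add(idx)
    return fp

def coverage(known, candidate):
    """Share of the known file's fingerprints found in the candidate;
    1.0 means the whole known file is present, possibly renamed."""
    known_fp = fingerprints(known)
    if not known_fp:
        return 0.0
    return len(known_fp.keys() & fingerprints(candidate).keys()) / len(known_fp)

def matched_lines(known, candidate):
    """Candidate lines where a shared fingerprint starts, so an auditor can
    point at the pasted region rather than quote a bare score."""
    known_fp, tokens, lines = fingerprints(known), tokenize(candidate), set()
    for h, starts in fingerprints(candidate).items():
        if h in known_fp:
            lines.update(tokens[i][1] for i in starts)
    return sorted(lines)

def is_likely_copy(known, candidate):
    return coverage(known, candidate) >= COPY_THRESHOLD

# Constructed "known open source" file, the thing an audit looks for.
KNOWN_OSS = """\
def parse_range(header):
    # split "bytes=start-end" into two ints
    unit, _, span = header.partition("=")
    start, _, end = span.partition("-")
    return int(start or 0), int(end or -1)
"""
# Constructed candidate: the same function pasted in with renamed identifiers
# and a new comment, surrounded by unrelated code.
CANDIDATE_COPIED = """\
import logging

def byte_range(hdr):
    # lifted from an OSS HTTP helper, names changed
    u, _, s = hdr.partition("=")
    a, _, b = s.partition("-")
    return int(a or 0), int(b or -1)

def log_request(path):
    logging.info("GET %s", path)
"""
# Constructed candidate with no relation to the known file.
CANDIDATE_CLEAN = """\
class Counter:
    total = 0

    def add(self, n):
        self.total += n
        return self.total
"""
```

Calling `coverage(KNOWN_OSS, CANDIDATE_COPIED)` returns 1.0 even though every identifier and the comment were changed, because winnowing selects the same hashes from the same windows wherever the copied token stream appears; `matched_lines` then names the pasted lines (3, 5, 6 and 7 of the candidate), which is the "explain the origin" half of a forensic finding. The clean candidate shares no k-gram with the known file and scores 0.0.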
The more I’ve worked in open source, the greater my appreciation for it has grown. People talk about the Fourth Industrial Revolution and rapid increases in the speed of innovation. I think open source software is a driving force behind it all. We just need to manage it correctly.