Although many companies are heavily reliant on open source software (OSS) as they seek to accelerate their digital efforts, a new report from VMware Tanzu suggests IT leaders are also conscious of the inherent risks.
Based on a poll of executives, team managers and open source contributors, the report states that 95% of companies use OSS in production, with larger enterprises (1,000+ employees) the most likely to use community open source.
They see many benefits to OSS in production, including reduced costs, more flexibility, a large community that acts as support, as well as improved developer productivity.
However, they are also wary of the numerous cybersecurity risks associated with using open source software. For example, using OSS means companies need to rely on the community to fix bugs and patch vulnerabilities. Most respondents (63%) also concede there are no guarantees vulnerabilities will be remedied or patched, while 54% said it was difficult to keep up to date on vulnerabilities in OSS software.
Too many cooks
Further, respondents cited problems with packaging OSS for production, as well as questions of ownership. Many find it challenging to check if dependencies are compliant, while some struggle tracking dependencies installed by package managers.
For packaging, one in ten organizations use no tools whatsoever, while two-thirds use multiple tools, which only adds further complexity to the process. And while the majority (65%) have at least one team responsible for packaging OSS, some have as many as five teams.
In most firms, the security team is not ultimately responsible for validating and approving the security of OSS in production, while in a tenth of organizations there is no single owner.
As if the situation wasn’t complicated enough, more than half (54%) use different security tools for OSS than they do for other software.
