It's certainly a busy time for open source component usage. Many of you are familiar with research that we have done that shows the average application now consists of 90% open source components. And we continue to see exponential growth in requests from the Central Repository. In fact, there were 8 Billion requests in 2012 - and it is looking like this year will total up to 13 Billion requests.
Given these trends, the time seemed right for a series of blog posts that address recent activity in the area of open source governance and security. I’ll cover:
- Impressions from the AppSecUSA Conference
- The latest changes to OWASP and PCI specifications
- Financial Services / Information Sharing and Analysis Center Working Group (FS-ISAC)
Let's tee those topics up with a recap of a discussion that we just had with Mark Driver, Research VP from Gartner. Mark is well-known in the open source and application development space and we had a brief chat with him about the open source landscape.
Mark recently published research that addresses the state of the nation of open source software. These quotes represent the opportunity and the challenge of using open source from that research:
- “Thousands of OSS solutions are a mouse click away from any employee with an Internet connection; consequently, many OSS assets are invisible to IT management, but are heavily leveraged in many enterprises in numerous scenarios.”
- “Toward this end, OSS requires IT organizations to develop best practices and policies for IT asset management, development, deployment and support.”
In our conversation with Mark, we discussed the following topics:
- In general, there is greater awareness about the role that open source components and frameworks play in application portfolios. While this awareness has driven the implementation of policies, policies often prove ineffective. While only 25% don't have a policy, 75% of the policies are ineffective. Worse yet, the policies can provide the illusion of safety, which is even more dangerous.
- Cost savings, flexibility and innovation continue to drive the use of open source adoption. Organizations now are especially motivated to cut cost, they are trying to determine if open source can be an effective cost lever.
- Open source licensing ramifications are becoming more important as mainstream organizations adopt open source. These organizations tend to be more conservative, so they want to carefully manage the risk associated with open source licenses.
- Organizations that successfully manage open source usage are inclusive and collaborative. They tend to have top-down support and sponsorship, they have participation from IT and the business, they start small and grow organically, they don't focus solely on identification, and they can effectively demonstrate how their efforts reduce risk and increase open source usage.
These observations mirror what we are hearing from our Nexus and CLM community – including results from our most recent survey.
How do these observations track with your experience? What else do you see happening in the world of open source components?
To learn why Sonatype is a preferred application security vendor for financial organizations visit http://www.sonatype.com/spotlight/fs-isac