Once again, you’ve helped us make this year’s annual survey the largest of its kind: 3,500 of you participated in the latest survey of developers using open source. The findings reflect how pervasive open source has become in the applications you build:
- An overwhelming 86 percent of you stated that your applications are at least 80 percent open source, with custom components and code making up the remaining 20 percent or less.
Organizations are reacting to this trend by providing development infrastructure that is designed to leverage open source components and frameworks (e.g., Maven, Hudson/Jenkins, Eclipse, Git, Nexus, etc.):
- 53% noted that they are standardizing on an open source development infrastructure stack.
But given the explosive growth in component usage – 8 billion downloads from the Sonatype Central Repository in 2012 represents an 800% increase in activity since its inception – it comes as no surprise that organizations are struggling to keep up:
- 76% of large organizations have no control over which components are used in software development projects.
- 65% do not maintain an inventory of the components used in production applications.
And since development is under extreme pressure to deliver applications fast while budgets are being cut, it’s also not surprising to see security taking a back seat:
- More than half of large organizations shared that developers don’t focus on security at all.
The good news is that Nexus users have a natural path to address these shortcomings – a strategy that we call Component Lifecycle Management. And we will soon launch a community relating to Good Component Practice.
But let’s get back to the survey.
The survey results are also available in PDF format here.
Let us know what you think about the results. What did you find surprising? What actions will you take?
And check back with us to continue the dialogue and to learn more about best practice approaches for managing your components.
Gartner recently published research about the enterprise IT supply chain and impending threats that should encourage organizations to act. An overview of the research is available on Help Net Security: “Enterprise IT supply chains will be compromised”. The title sounds ominous, but it’s a good read that advises organizations to take a holistic approach to protecting the IT supply chain. We were happy to see that Neil MacDonald and Ray Valdes from Gartner cite research that Sonatype did with Aspect Security; research on open source software (OSS) downloads and how component vulnerability can impact the health of the IT supply chain.
Gartner’s take is in line with how Sonatype sees the world. In the remainder of this post we’ll address aspects that are particularly interesting and offer initial considerations about how to optimize the IT supply chain.
The New Reality
- IT Supply Chain = Complexity: The IT supply chain is highly complicated. Consider these words or phrases: distributed, complex, component based, internally and externally sourced, a combination of hardware and software. And think about the job responsibilities necessary to effectively manage an IT supply chain. The number of roles needed to gather requirements, design, develop, test, deploy, monitor, and maintain software and its related infrastructure is indicative of the IT supply chain’s complexity. As far as trust goes, complexity increases both the likelihood of application issues and the number of attack vectors that can be exploited to disrupt the IT supply chain.
Luke Kanies, the creator of Puppet, commented in his last entry about Open Source business models, specifically the idea of an Open Core and what that means. As an Open Source company, do you have an open version of your product that’s crippled? Or do you have an open version of your product that is truly useful? This was the crux of the questions I asked all the Sonatype CEO candidates, and this turned out to be the reason it took me almost 8 months interviewing 17 candidates to ferret out the right person. It was a grueling process finding Mark de Visser, but I was adamant, and our VCs, Hummer Winblad & Morgenthaler, were very patient and let me take my time to find the exact right match. I got pretty ornery at one point; I thought I would never find the right person in Silly Valley.
I want to share with you what Sonatype is planning to do with Hudson – I hope you will be interested. We are planning a lot of work on the OSS side and will contribute that all back (provided the license of Hudson does not change to the CDDL). We are also planning to work on a commercially supported version of Hudson and we will create some additional commercial plugins. I think people here will be most interested in the OSS work so I’ll start there.
It all starts with the work we’ve done with Tom Huybrechts over the last few months to embed Plexus inside Hudson. This has several implications, especially for those who are interested in Maven integration. Tom made the PluginManager itself pluggable and the Plexus version of the PluginManager that was created finds Plexus components in its standard way. As a result plugins now work the same way in Hudson, Maven and Nexus.
Bechtolsheim helped turn Sun, Granite, Google, VMware and now Arista into some of the most successful startups ever. You could pick worse role models than Andreas von Bechtolsheim when it comes to starting a company.