Securosis Dives Deep into our 2014 Survey

July 02, 2014 By Derek Weeks

3 minute read time

True State of Open Source Security

There are two ways to motivate others to action: emotional appeal and fact-based analysis. Our 2014 Open Source and Application Security survey results touched on both. We've run this survey for the past four years, but this time we decided to reveal the results in a new way.

Rather than let our marketing team "spin" the results, we wanted to provide you a completely independent perspective focused on both open source development and application security. Adrian Lane, CTO and Security Analyst at Securosis, jumped at the chance. We provided him the raw survey results data and he agreed to write the analysis. We did not ask or direct him on what to write; in fact, Securosis' Totally Transparent Research methodology does not allow companies like Sonatype to influence their research.

Adrian's 3-part blog series serves as the introduction to their more detailed independent research brief which will be published in the coming weeks. If you like our decision to go with the independent analysis, please let us know...and we can repeat the same approach for next year's results. We also invite you to leave comments for Adrian on the Securosis blog, as to his interpretation of the survey results. We believe you will find his blog series enlightening.

Part 1: Open Source Development and Application Security Analysis [New Series]

Earlier this year I participated in the 2014 Open Source Development and Application Security Survey, something I have participated in for the last couple of years. As a developer and former development manager – and let’s face it, an overtly opinionated one – I am always interested in adding my viewpoint to these inquiries, even if I’m just one developer voice among thousands. But I have also benefited from these surveys – looking at the stuff my peers are using, and even selecting open source distributions based on these shared data points. Crazy, I know, but it’s another way to leverage the community. But I am equally interested in the survey questions asked, as they hint at what the sponsors are most interested in learning about their community...Read more.

Part 2: Open Source Development Analysis: Application Security

Continuing our analysis of the 2014 Open Source Development and Application Security Survey, we can now discuss results as the final version has just been released. Today’s post focuses on application security related facets of the data. Several questions in the survey focused on security practices within open source development, including vulnerability tracking and who is responsible for security. I will dive into the results in detail, sharing my perspective on where things are getting better, which results surprised me, and where I believe improvements and attention are still needed. Here we go…read more.

Part 3: Open Source Development Analysis: Development Trends

For the final installment of our analysis of the 2014 Open Source Development and Application Security Survey, we will focus on open source development trends. Our topic is less security per se, and more how developers use open source, how it is managed, and how it is perceived in the enterprise. An unambiguous question in the survey asked, “Do you believe software assembled with open source is as secure as commercial off-the-shelf (COTS)?” Under 9% said that software assembled with open source is less secure, with over 35% stating they believed open source is more secure than COTS...read more.

Tags: Cyber Supply Chain Management and Transparency Act, H.R. 5793, government open source software (GOSS), Sonatype Says, open source survey, open source components, open source security, Cyber Chain Integrity Act, application supply chain management, Everything Open Source, Wayne Jackson, analyst report, josh corman, securosis, open source software supply chain, Cyber Supply Chain, Application Security, bill of materials (of 3rd party and open source co, cyber supply chain management, Software supply chain management, open source development

Written by Derek Weeks

Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.