This comprehensive study of nearly 700 technologists, now in its fourth year, explored the most urgent challenges development teams face when building applications with open source. It also reveals new insights into how confident technologists are in their organizations’ current open source management practices, and in the open source components and languages they use more generally.
Further, it highlights how organizations are employing emerging open source management best practices, including the use of software bills of materials (SBOMs) and repositories of approved open source components.
“Open source is now the de facto standard application development platform and is a proven driver of business success and innovation. Yet as its popularity grows, the challenge of helping development teams manage open source health and security becomes exponentially more difficult,” said Donald Fischer, CEO, Tidelift. “This year’s survey data demonstrates that organizations are beginning to better understand both the challenges stopping them from gaining full benefit from open source and the management best practices that will help them overcome those challenges.”
The state of open source software supply chain management
Security is technologists’ most urgent challenge, while complying with government requirements is a rising concern for large organizations.
- Security is the most urgent challenge (30%)—and the larger the organization, the more likely it is to be the most urgent (35% of the largest organizations named security the most urgent challenge).
- 48% of the largest organizations with more than 10,000 employees are challenged by complying with government requirements, with 13% naming it the most urgent challenge (almost four times more than in smaller organizations).
- The largest organizations are struggling across the board with issues related to managing open source. Every challenge identified was cited by nearly half or more of respondents.
Only 15% of organizations are extremely confident in their open source management practices; the majority have some concerns about keeping open source up-to-date, secure, and well-maintained.
- 62% of respondents are somewhat confident, while 22% are not very or not at all confident.
- Organizations currently using software bills of materials (SBOMs) are generally more confident in their open source management practices than those not using them.
Getting approval to use new open source components in large organizations is often slow and tedious.
- 61% of organizations have some sort of approval process for introducing new open source components. The remaining 39% of organizations have either no process or an informal process that does not require authorization.
- In the largest organizations, 78% require some sort of authorization process for introducing new open source components while only 8% have no approval process at all.
- Approval takes longer in the largest organizations, with 56% of organizations over 10,000 employees reporting approval takes a week or more.
Only 37% of organizations are aware of new government software supply chain requirements around security and SBOMs.
- 37% of organizations are aware of the White House executive order on cybersecurity and the responsibilities it places on organizations selling to the government.
- 42% of these respondents believe current software supply chain security incidents like SolarWinds have had a large or extremely large impact on how their organization approaches application security.
Many organizations are already using or piloting the best practice of building centralized repositories of approved open source components.
- 65% of organizations are already using or actively piloting centralized repositories of approved open source components.
- This percentage rises to 75% for the largest organizations over 10,000 employees.