As companies increasingly integrate Open Source Software (OSS) into their business IT environments, they appear to be faltering in monitoring the software for vulnerabilities and creating official policies and procedures, a recent study found.
Findings from the “2015: The Future of Open Source” report, released by Black Duck and venture capital firm North Bridge, indicated that 78 percent of companies run on open source and fewer than three percent don't use OSS in any capacity. Moreover, 64 percent of respondents said their companies currently participate in open source projects.
The survey was conducted among 1,300 respondents, mainly at technology companies. The respondents primarily worked as software engineers or developers.
Even with the majority of companies using OSS, 67 percent reported not monitoring open source code for security vulnerabilities. Only 27 percent reported having a formal policy for employee contributions to OSS projects, and just 16 percent have an automated code approval process.
For Bill Weinberg, senior director, Open Source Strategy at Black Duck Software, this suggests that security professionals are either placing their faith in the security of OSS or are unsure how to implement a monitoring routine.
In an interview with SCMagazine.com, he pointed out that OSS is just as vulnerable as any other software.
“Vulnerabilities exist due to programming bugs,” he said. “All the same things that allow blackhats to assault proprietary software [can impact open source software, too].”
He went on to stress that even companies running proprietary software should consider OSS and monitor its vulnerabilities, especially since most software draws on some form of OSS.
“You can't even talk about proprietary versus open source and have it be a meaningful conversation,” Weinberg said.
Looking ahead, 57 percent of respondents anticipate an increased quality of OSS in the next two to three years, and 59 percent believe it will be easier to deploy.