The good news is that open-source software is used in the vast majority, 78 percent, of businesses. The bad news is that far fewer do even a half-way decent job of managing it.
Black Duck Software, the open-source software (OSS) logistics and legal solutions provider, and North Bridge, a seed-to-growth venture capital firm, have announced the results of the ninth annual Future of Open Source Survey. They found that the enterprise is adopting open source like crazy, but they're not managing it worth a darn.
Lou Shipley, Black Duck's CEO, said in a statement, "In the results this year, it has become more evident that companies need their management and governance of open source to catch up to their usage. This is critical to reducing potential security, legal, and operational risks while allowing companies to reap the full benefits OSS provides."
Why did he say this even as corporate open source adoption and participation across industries, and companies of all sizes, has reached an all-time high? If we look at the survey results from C-level executives and high-level IT staffers, it all becomes clear.
- 78 percent of respondents said their companies run part or all of their operations on OSS, and 66 percent said their company creates software for customers built on open source. This statistic has nearly doubled since 2010, when 42 percent of respondents to the Future of Open Source survey said that they used open source in running their business or their IT environments. This is an all-time high.
- 93 percent said their organization's use of open source increased or remained the same in the past year.
- 64 percent of companies currently participate in open source projects - up from 50 percent in 2014. Over the next 2-3 years, 88 percent are expected to increase contributions to open source projects.
- Open source has become the default approach for software with more than 66 percent of respondents saying they consider OSS before other options.
Why are companies doing this? The survey said:
- 55 percent believe open source delivers superior security when lined up against proprietary solutions. That figure is expected to rise to 61 percent over the next 2-3 years.
- 58 percent think open source scales better and 43 percent said OSS provides superior ease of deployment over proprietary software.
- When evaluating security technologies for internal use, 45 percent of respondents said open source options are given first consideration.
Looking ahead, those who took the survey saw cloud computing (39 percent), big data (35 percent), operating systems (33 percent), and the Internet of Things (31 percent) being impacted by OSS in the next 2-3 years.
These numbers strike me as low. For example, except for Microsoft and VMware's cloud offerings, everything else in the cloud is OSS. Indeed, Microsoft has embraced open source in its Azure cloud with Docker, and VMware has its own OpenStack cloud. The cloud will be OSS. And, to the best of my knowledge, there are no significant OSS Big Data programs.
Before we get too excited about proclaiming that OSS has won and the wicked witch of proprietary software is dead, we must take into account that companies still lack formal OSS management policies. The survey also found:
- More than 55 percent of respondents said their company has no formal policy or procedure for open-source use. Moreover, only 27 percent have a formal policy for employee contributions to OSS projects.
- A mere 16 percent have an automated code approval process, and fewer than 42 percent maintain an inventory of open source components.
- More than 50 percent are not satisfied with their ability to understand known security vulnerabilities in open-source components, and only 17 percent plan to monitor open source code for security vulnerabilities.
All that is worrisome, but it's the last one that I find the most troubling. Companies are clearly indulging in magical thinking if they believe that OSS is free of security problems. It's that kind of blind belief in OSS that led to the OpenSSL Heartbleed security fiasco.
Yes, it's great that OSS is becoming the enterprise's favorite kind of software. It's nice to know that businesses have finally seen the value in the open-source software development model I saw decades ago, but OSS is like any other tool. If you use it badly, it will end up hurting you.