In June of 2020, Tidelift fielded our annual managed open source survey of technologists who use open source to build applications at work. Over 600 people shared how they use open source software today, what holds them back, and what tools and strategies would help them use it even more effectively.
In this post, we share the fourth of nine key findings. If you don’t wait to wait for the rest of the results, you can download the full survey report right now at the link below.
As part of this year’s study, we wanted to understand how confident technologists are about whether their open source components are secure, up-to-date, and well maintained.
Looking at the entire survey sample, a majority of respondents describe themselves as somewhat confident (58%). Almost one-quarter of respondents (24%) describe themselves as not very or not at all confident. And only 18% describe themselves as extremely confident.
There are two ways to view these high-level findings. On one hand, you could look at this data as proof that many organizations are at least somewhat confident that their open source components are up-to-date, secure, well maintained, with three-fourths of respondents (76%) describing themselves as somewhat or extremely confident.
On the other hand, you might look at the fact that only 18% are extremely confident as a fairly disturbing finding. Is it good enough to be “somewhat confident” in the health of your organization’s open source dependencies? Or could any one of these 82% less confident or not confident organizations become the next Equifax?
The data gets even more bleak once we split out the largest organizations of over 10,000 employees. Notably, only 61% are confident that their open source components are up-to-date, secure, and properly maintained (compared to 76% for the full sample).
And even more interesting, confidence in an organization’s open source practices declines as the size of the organization grows. Meaning, the smallest organizations are the most confident while the largest organizations are the least confident.
On the surface, this might appear to be a counterintuitive result. Shouldn’t the largest organizations—those with the most resources at their disposal to fix open source-related issues—be the most confident? And conversely, shouldn’t those organizations with the least resources be the least confident?
Our theory is that the largest organizations are the least confident for two key reasons:
- Awareness of open source-related risk is higher at larger companies. Many larger organizations have entire departments related to security, risk, and compliance. Some of them even have open source program offices (OSPOs) solely dedicated to open source-related policies. This consequently creates heightened awareness of potential problems.
- The consequences of taking open source-related risks are higher in large organizations. In a multi-billion dollar business storing immense troves of customer data or processing financial transactions at scale, one security issue caused by a poorly maintained open source dependency can cause irreparable harm (again, case in point, Equifax). So larger organizations may set a higher bar for how they measure their comfort with the security and health of their open source dependencies.
To put these findings in another light, imagine if you asked technologists this very same question for any proprietary software product they buy today. If only 18% of respondents said they were extremely confident that this product was up-to-date, secure, and well maintained, how successful do you think that product would be?
When it comes to the open source building blocks at the heart of our organizations’ applications, we should expect no less. We need to ensure that more organizations are extremely confident in the health and security of these critical open source components.
Want the full survey results in one report? Get them here now.
Read more about how we conducted the survey, see the survey demographics, and learn why we call it the managed open source survey.