On October 13th, Tidelift’s senior product marketing lead, Kanish Sharma, sat down with guest speaker Jim Mercer, IDC Research vice president, to discuss how organizations can and should strategically work with open source software, how to mitigate risk when working with open source, and how to work alongside the open source community.
Jim kicked off the webinar by sharing results from an IDC DevSecOps survey earlier this year. When asked “What do you consider your two biggest DevSecOps tooling gaps or exposures”, 33% of respondents reported the “inability to quickly patch high impact security vulnerabilities (i.e., Log4Shell).” And 24% followed that response with, “too many different security scanning tools and results.” These results, alongside other key points of data shown throughout Jim’s presentation, emphasize the need for better approaches to open source software management that can help companies decipher open source unknowns and as a result, decrease risk.
Jim then dove into the challenges of evaluating the health of an open source project. There are a litany of different projects, and rarely common standards for building, maintaining, and securing them. As we at Tidelift work hard to highlight, many open source software projects are underfunded or rely solely on volunteer contributors. There are also legalities to navigate with open source licenses that can make managing open source problematic.
Some of the other areas of importance that Jim covered include:
- Software bill of materials (SBOMs) and transitive dependencies
- Government regulations and standards
- Emerging industry standards
Before the Q&A with those in attendance, Jim proposed several solutions to improving an organization’s open source management strategy such as establishing an Open Source Program Office (OSPO), curating an open source repository, the importance of making an effort to engage with the open source community — which includes paying the maintainers—and more.
To learn more about IDC’s recommendations for improving your organization’s approach to managing open source, use this link to watch the webinar now.