<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=705633339897683&amp;ev=PageView&amp;noscript=1">

Three key facts to consider when developing with open source in a post-Log4Shell world

Amy Hays
by Amy Hays
on March 29, 2022

Updated on April 21, 2022

Don't miss the latest from Tidelift

A few weeks ago, Tidelift CEO and co-founder Donald Fischer sat down with guest speaker Sandy Carielli from Forrester to chat about Log4Shell, open source maintenance, and why software bills of materials, or SBOMs, are critical now.

You can watch the whole webinar on demand—and you should, because it was a fascinating discussion. 

Watch Now

Check out these 3 key takeaways:

#1: Dev teams are releasing applications faster than ever—and need open source libraries to do so.

In Sandy's presentation, she shared that 42% of organizations reported in 2021 that they release applications monthly or more frequently—that’s in contrast to 2018, when only 27% of organizations released apps that frequently. 

One way dev teams are moving faster? By employing more open source components. Sandy reported that 99% of audited codebases contain open source components. When we did our own survey in 2018, we reported 92% of applications contain open source. 

But either statistic is staggering—and a testament to the many benefits of developing with open source.

#2: Risk management has not kept pace with OSS usage.

If you asked the average dev team how many open source components are critical to their applications, many might say very few. But the real question is: how do you define critical?

Most likely, before the Log4Shell vulnerability in the ubiquitous Java logging tool—log4j—was reported in December 2021, would organizations have described log4j as critical? Yet when we worked with Tidelift customers to help them navigate the fallout of Log4Shell, we discovered every single one of them used log4j in some capacity. Turns out it is a critical component.

#3: Software bills of materials can help keep your code healthy.

In the webinar, Sandy offers a few tips for organizations to help them move fast and stay safe. Step one? Know what’s in your code. The best way to do that? Maintain software bills of materials for all your applications. This need for SBOMs is even more important in the wake of government action, like the White House cybersecurity executive order 14028 released almost a year ago, requiring all organizations working with the government to generate SBOMs.

(By the way, the Tidelift Subscription can help you generate an SBOM.)

Watch the webinar now. 
New Call-to-action

Forrester, software supply chain, Apache Log4j2 <=2.14.1, log4j, Log4j vulnerability

You might also like:

Forrester, software supply chain, Apache Log4j2 <=2.14.1, log4j, Log4j vulnerability

Paying it forward: How paying maintainers improves the software supply chain for everyone

Forrester, software supply chain, Apache Log4j2 <=2.14.1, log4j, Log4j vulnerability

You're invited:  Log4Shell, open source maintenance, and why SBOMs are critical now