Open-source components are the building blocks of the modern software supply chain, and why not? They have been shown to lower costs, improve quality, advance innovation and speed up software development. Because of these benefits, open-source use and component consumption have some analysts and industry luminaries saying we have reached a strategic tipping point, with companies increasingly focused on using open source software for competitive rather than cost reasons. In fact, it has been reported that up to 80 percent (Sonatype Inc., Sonatype Open Source Development Survey, USA, March 2012) of custom software code created today is actually assembled from open-source components.
Upon closer examination, however, we see a software supply chain that lacks visibility and control and carries with it some glaring risks. While the industry has been quick to embrace open source for its rapid innovation and its undisputed acquisition cost benefits, it has largely ignored a fundamental problem: there is no update notification infrastructure for open-source components. To envision the implications, consider if your Windows or Mac desktop had no automated software update mechanism: How would you know when a critical security vulnerability had been discovered or a performance bug had been fixed? With tens of thousands of projects, and components being updated an average of 4 times per year, most enterprises cannot keep up.
In my recent Journal article, I provide a deep examination of the unmanaged open-source component usage problem, how routine governance practices have fallen short and the impact these failings have had on organizations. My hope is that IT professionals and enterprise leaders, including chief information officers, risk management officers, and security and compliance executives, will walk away with a better understanding of the issues at play and how to proactively mitigate the risk of open source across the application development life cycle—ultimately building better software faster.
Read Charles Gold’s recent Journal article:
“Mitigating the Risk of OSS-based Development,” ISACA Journal, volume 2, 2012