A recap of the main conclusions from our extensive open source usage survey

Main reasons for failing to manage open source effectively

As mentioned in our webinar on the practices of Open Source Software (OSS) usage in software development organizations, we discovered that most organizations (74%) want to manage their open source usage but fail to do so in an effective way.

The reasons for this failure are varied and many are connected to the tools and procedures applied.

  • Most companies (53%) do not have an up-to-date inventory of all the open source libraries they use.
  • Most companies do not have a clear policy with regard to open source licenses (75% of surveyed companies), do not have a process for learning about security vulnerabilities (74% of them), and updates and patches are left to the responsibility of individual developers.
  • Most companies (81%) lack management visibility and consistent governance and leave this area to individual developers or low-level development teams, which results in inconsistent treatment, license non-compliance, risk to intellectual property, and defects and security vulnerabilities.

We can see that these efforts are largely ineffective, resulting in unnecessary risk, too much work and undue hidden costs. The main outcome is that most companies' open source usage is completely out of control, because they severely undermanage it.

New technologies such as WhiteSource make it easy to continuously track open source usage and automatically enforce licensing and security policies. WhiteSource plugs into the build server and becomes a native part of the software development lifecycle without burdening developers. Newly adopted open source modules are discovered as soon as developers add them. Their licenses (and those of all of their dependencies) are automatically compared to the company's licensing policies, initiating the appropriate approve/reject workflow where necessary. WhiteSource continues to track each open source component in use and proactively notifies the relevant project manager of new vulnerabilities or patches.
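To make the three gaps above concrete (no inventory, no license policy, no vulnerability process), here is an added example, not WhiteSource's code, of the minimal check a build step could run: it flattens a dependency tree so transitive dependencies are inventoried, compares each license against a policy, and flags versions named in an advisory list. The component names, licenses, policy sets and advisory data are all constructed for the example.

```python
from dataclasses import dataclass, field

# Hypothetical company policy: licenses that are pre-approved and ones that are rejected outright.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}
DENIED_LICENSES = {"GPL-3.0-only"}

# Constructed advisory feed: component -> affected versions and the version that fixes them.
ADVISORIES = {
    "libfoo": {"affected": {"1.0.0", "1.0.1"}, "fixed_in": "1.0.2"},
}

@dataclass
class Component:
    name: str
    version: str
    license: str
    deps: list = field(default_factory=list)

def flatten(root):
    """Walk the dependency tree so that transitive dependencies end up in the inventory too."""
    seen = {}
    stack = [root]
    while stack:
        c = stack.pop()
        key = (c.name, c.version)
        if key in seen:
            continue
        seen[key] = c
        stack.extend(c.deps)
    return list(seen.values())

def evaluate(root):
    """Return (name, version, action, reason) findings for the whole tree."""
    findings = []
    for c in flatten(root):
        if c.license in DENIED_LICENSES:
            findings.append((c.name, c.version, "reject", f"license {c.license} is denied by policy"))
        elif c.license not in ALLOWED_LICENSES:
            findings.append((c.name, c.version, "review", f"license {c.license} is not pre-approved"))
        adv = ADVISORIES.get(c.name)
        if adv and c.version in adv["affected"]:
            findings.append((c.name, c.version, "notify", f"known vulnerability, fixed in {adv['fixed_in']}"))
    return findings

def build_sample_tree():
    """Constructed inventory: the application pulls in a vulnerable library that itself pulls in a GPL one."""
    libbar = Component("libbar", "2.3.0", "GPL-3.0-only")
    libfoo = Component("libfoo", "1.0.1", "Apache-2.0", deps=[libbar])
    libbaz = Component("libbaz", "0.9.0", "Custom-EULA")
    return Component("app", "1.0.0", "MIT", deps=[libfoo, libbaz])

if __name__ == "__main__":
    for finding in evaluate(build_sample_tree()):
        print(finding)
```

The "reject" finding on libbar only appears because the tree was flattened: it is two levels below the application, which is exactly the dependency-of-a-dependency case the paragraph says a per-developer process tends to miss.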