Open Source Usage Up As Controls and Processes Fail

Sonatype has gone public with the findings of its annual Open Source Development Survey. The study claims to be the "largest of its kind", surveying (as it does) more than 3,500 developers, architects and IT managers currently using open source.

Key findings "suggest" that much of today's software is assembled from open source components and frameworks downloaded from repositories (at least 80% of the app). But the investigation also proposes that few organizations have the controls or processes to identify which components are in use, to govern their usage, or to eradicate flawed components from production applications.

An overwhelming majority (76% of respondents) shared that they have no control over what components are being used in software development projects, and 65% cited a failure to maintain an inventory of components used in production applications.

The firm points out that, just like operating systems and databases, open-source components represent a "potentially rich attack vector" for hackers to exploit, given their commonality across organizations and applications. So much so that, for the first time, the Open Web Application Security Project (OWASP) Top Ten list includes "using components with known vulnerabilities" as a top threat to application security, at #9.

No surprise then that Sonatype is ready to spin these "findings" out as a prelude to the introduction of tools to service a new software supply chain with a new approach to application security. Or to put it in the firm's own words, "[We need a software chain that is] developer friendly and continuous to keep pace with Agile practices and address ongoing threats in real-time. Sonatype announces today the launch of Sonatype CLM, the first and only solution to secure the entire component lifecycle and the first comprehensive solution that directly addresses OWASP A9."
