All open source components are not created equal

By Marilyn de Villiers
Johannesburg, 03 Aug 2017

Imagine being able to improve the quality of your applications and cut development cost at the same time.

It is possible, if you can manage the quality of the open source components your developers use.

This is according to the third annual State of the Software Supply Chain Report published by US-based software supply chain automation specialist, Sonatype.

Organisations that actively manage the quality of the open source components flowing into their production applications realise a 28% improvement in developer productivity, 30% reduction in overall development costs and 48% increase in application quality.

Wayne Jackson, CEO of Sonatype, said companies were no longer building software applications from scratch, but were manufacturing them as fast as they could, using an infinite supply of open source component parts. Today's average application contains over 190 open source components.

Sonatype's research revealed open source hygiene was inconsistent and dynamic across supplier projects and individual components.

Blindly trusting the quality of open source parts flowing into development lifecycles introduced significant risk for organisations.

"However, many organisations continue to rely on manual and time-consuming governance and security practices. Our research shows that development teams managing trusted software supply chains are dramatically improving quality and productivity," Jackson added.

The Sonatype report, which highlights the risks lurking within open source software (OSS) components, supports Gartner's contention that by 2020, 50% of organisations will have suffered damage because they fail to manage trust in their or their partners' software development life cycles.

Gartner's May 2017 report "Managing Digital Trust in the Software Development Life Cycle" states this negligence would cause revenue loss of more than 15%. "Application leaders responsible for modernising application development should re-evaluate the SDLC in the form of a trusted software supply chain, with varied levels of trust."

Benefits quantified

The Sonatype report also quantified the benefits of actively managing software supply chain hygiene. Its analysis of more than 17 000 applications revealed that applications built by teams using automated governance tools reduced the percentage of defective components by 63%.

Conversely, organisations that did not manage their software supply chains were unwittingly releasing vulnerable applications into production, and wasted thousands of hours on rework and bug fixes as a result.

The report also noted that even when vulnerabilities were known, only 15.8% of suppliers actively fixed vulnerabilities - and then took an average of 233 days to do so - while 84% did nothing to remediate known security defects.

And when defective open source components were permitted to pass downstream within a software supply chain, three things happened: vulnerabilities increased, quality degraded and the pace of innovation dramatically decreased.

Sonatype's advice to organisations - faced with an almost infinite supply of open source components - is to take cognisance of the following facts:

* Components are not created equal;

* Production applications use components of varying ages and quality;

* Younger components are three times healthier than older components; and

* The onus is on an organisation to actively govern which OSS projects it works with, and which components it ultimately consumes.
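As an added illustration of the governance the report calls for (this is example code written for this page, not Sonatype's tooling or anything from the report), the script below runs a simple policy gate over a build's component inventory: every component must come from an approved project, must not be a version listed in an advisory feed, and is flagged for review when its release date exceeds an age threshold. All project names, versions, release dates, the approved list, the advisory feed and the three-year threshold are constructed for the example; a real gate would read these from the build tool and from the organisation's own policy sources.

```python
"""Illustrative open source component governance gate (added example, not the report's code)."""
from dataclasses import dataclass, field
from datetime import date

# Constructed inventory, in the shape a build tool might emit: name, version, release date.
INVENTORY = [
    {"name": "example-web-framework", "version": "4.2.1", "released": "2017-05-10"},
    {"name": "example-xml-parser", "version": "1.0.3", "released": "2012-02-01"},
    {"name": "example-logging", "version": "2.8.0", "released": "2016-11-20"},
    {"name": "abandoned-json-lib", "version": "0.9.1", "released": "2011-07-15"},
]

# Constructed policy: upstream projects the organisation has agreed to consume.
APPROVED_PROJECTS = {"example-web-framework", "example-xml-parser", "example-logging"}

# Constructed advisory feed: (project, affected version) -> first fixed version.
KNOWN_VULNERABLE = {
    ("example-xml-parser", "1.0.3"): "1.0.4",
}

# Constructed policy threshold: components older than roughly three years need review.
MAX_AGE_DAYS = 3 * 365


@dataclass
class Finding:
    component: str
    version: str
    reason: str
    severity: str  # "block" stops the build; "warn" requires human review


@dataclass
class GateResult:
    findings: list = field(default_factory=list)

    @property
    def blocked(self) -> bool:
        return any(f.severity == "block" for f in self.findings)


def parse_iso(day: str) -> date:
    """Parse a YYYY-MM-DD string; inventory and policy dates are exchanged as ISO strings."""
    y, m, d = (int(x) for x in day.split("-"))
    return date(y, m, d)


def component_age_days(released: str, today: str) -> int:
    """Days elapsed between a component's release date and the evaluation date."""
    return (parse_iso(today) - parse_iso(released)).days


def evaluate_component(item: dict, today: str) -> list:
    """Apply the three policy checks to one component and return its findings."""
    name, version = item["name"], item["version"]
    findings = []
    if name not in APPROVED_PROJECTS:
        findings.append(Finding(name, version, "project is not on the approved list", "block"))
    fixed = KNOWN_VULNERABLE.get((name, version))
    if fixed is not None:
        findings.append(Finding(name, version, f"known vulnerable version; fixed in {fixed}", "block"))
    age = component_age_days(item["released"], today)
    if age > MAX_AGE_DAYS:
        findings.append(Finding(name, version, f"release is {age} days old (limit {MAX_AGE_DAYS})", "warn"))
    return findings


def run_gate(inventory: list, today: str) -> GateResult:
    """Evaluate every component in the inventory and collect the findings."""
    result = GateResult()
    for item in inventory:
        result.findings.extend(evaluate_component(item, today))
    return result


if __name__ == "__main__":
    outcome = run_gate(INVENTORY, "2017-08-03")
    for f in outcome.findings:
        print(f"[{f.severity.upper()}] {f.component} {f.version}: {f.reason}")
    print("build blocked" if outcome.blocked else "build may proceed")
```

Run against the constructed inventory on 2017-08-03, the gate blocks the build twice (the unapproved project and the known-vulnerable parser version) and raises two age warnings; the separation between "block" and "warn" is deliberate, so that a known defect stops the pipeline while an old but otherwise clean component is routed to review rather than silently accepted.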