Getting Open Source Under Control
Open source management has improved, but there's still a long way to go.
The good news is that IT organizations that are stitching together open source components to build applications are getting better at both securing them and tracking when and where they are being used. The bad news is that because more of them are making use of open source code, many of them are discovering that they have a lot more potential security and compliance issues than anybody realized.
A recent survey of 2,550 IT professionals conducted by Sonatype, a provider of repository software for managing software components, found that IT organizations on the whole are more conscious of the potential security issues associated with open source software.
The real challenge now, says Charles Gold, chief marketing officer for Sonatype, is putting in place a set of processes that track updates to all those open source components. In the absence of any automated notification system, most companies depend on developers to make them aware of when updates are made to critical open source components. Of course, Gold notes, that will only be effective when the organization actually has a bill of materials that tracks which open source components were used in which applications.
As the economy got tougher, many IT organizations started throwing more internal IT labor at projects. Many of those people routinely use open source components to build custom applications. But very few of those applications are well documented. The end result is a lot of short-term gain in productivity that could lead to IT management nightmares later on should it be discovered that some piece of critical code being widely used in multiple applications has a major security flaw.
Gold says the best thing that IT organizations can do to resolve this issue is start building repositories that keep track of which developer used what piece of approved open source code when and for what application. Further down the road Gold is hopeful we'll soon see more automated notification systems for the majority of open source projects, but at the moment the task falls to the internal IT organization.
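To make the repository Gold describes concrete, here is an added example (not code from Sonatype or from the article) of a minimal bill-of-materials registry: it records which developer used which approved component version in which application and when, and answers the two questions the article raises, namely which applications embed a flawed component version and which usages lag behind the latest approved version. Component names, versions and applications below are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date
from collections import defaultdict

@dataclass(frozen=True)
class Usage:
    component: str    # open source component name (constructed sample values below)
    version: str      # version the application pins
    application: str  # internal application that embeds it
    developer: str    # who added it
    added: date       # when it was added

class BillOfMaterials:
    def __init__(self, approved):
        # approved: set of (component, version) pairs cleared for internal use
        self.approved = set(approved)
        self.usages = []

    def record(self, usage):
        """Register a usage; refuse components not on the approved list."""
        if (usage.component, usage.version) not in self.approved:
            raise ValueError(f"{usage.component} {usage.version} is not approved")
        self.usages.append(usage)

    def affected_applications(self, component, vulnerable_versions):
        """Applications embedding a vulnerable version of `component`."""
        return sorted({u.application for u in self.usages
                       if u.component == component and u.version in vulnerable_versions})

    def update_notices(self, latest):
        """Map component -> [(application, version, developer)] for every usage
        whose pinned version differs from the latest approved version in `latest`."""
        out = defaultdict(list)
        for u in self.usages:
            new = latest.get(u.component)
            if new is not None and u.version != new:
                out[u.component].append((u.application, u.version, u.developer))
        return dict(out)

def build_sample_bom():
    """Constructed sample data, not taken from the article or the survey."""
    approved = {("libfoo", "1.2.0"), ("libfoo", "1.3.1"), ("barparse", "0.9")}
    bom = BillOfMaterials(approved)
    bom.record(Usage("libfoo", "1.2.0", "billing", "alice", date(2009, 3, 2)))
    bom.record(Usage("libfoo", "1.3.1", "portal", "bob", date(2009, 5, 14)))
    bom.record(Usage("barparse", "0.9", "billing", "alice", date(2009, 3, 2)))
    return bom

if __name__ == "__main__":
    bom = build_sample_bom()
    print(bom.affected_applications("libfoo", {"1.2.0"}))   # ['billing']
    print(bom.update_notices({"libfoo": "1.3.1"}))
```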
In the meantime, no one is suggesting that IT organizations reduce their dependency on open source code. But IT organizations should be concerned about the processes they have in place to manage the use of open source code.