News

Once a Security Problem, Open Source Now a Solution, Report Says

• By David Ramel
• 03/04/2022

Red Hat was surprised by this finding from its new report on open source software in the enterprise: It's now seen as a benefit, when it was a big security problem not that long ago.

"It takes a lot to surprise us. Yet, every year that we run this survey there are usually one or two results that we didn't really expect," the company said in a March 2, blog post announcing The State of Enterprise Open Source 2022 report.

"This year, 89 percent of IT leaders said enterprise open source is at least as secure as proprietary software. This is a big change from not all that long ago. It used to be that quite a few potential buyers figured that being able to see the source code inherently decreased code security in the same manner as being able to see the schematics of a physical security system."

Indeed, it wasn't that long ago that we were writing articles like:

• Open Source Security Audit 'Should Be a Wake-Up Call'
• Study: Open Source Software Contributes to Mobile App Vulnerabilities
• Study Links Flawed Online Tutorials with Vulnerable Open Source Software

While those were written four or five years ago, more recent articles reveal an improving situation, but still a mixed bag on the open source security front:

• App Security Report: Open Source Code Still 'Blessing and a Curse'
• Cloud Computing and Open Source: It's Complicated

Red Hat said the more positive views on the security of open source software wasn't a total surprise overall, as it was also reflected in previous surveys, but the company was surprised by the reasoning behind the positive views, which used to be along the lines of: Many eyes being on the software make it more secure.

"But 'many eyes' is now a ways down the list of reasons of why security is a benefit of enterprise open source," Red Hat's blog said. "Respondents also indicated the ability to audit the code themselves was even less important.

"Instead, 55 percent said the top reason is that their teams 'can use well-tested open source code for our in-house applications.' Furthermore, in spite of the attention that software supply chain security is starting to receive, IT leaders still say that the ability to use enterprise open source internally -- as most companies doing application development do -- is still a big net benefit."

Paradoxically, however, "concerns about inherent security of code" was one of the top perceived barriers to using enterprise open source, tied for third place:

Then again, "better security" is listed as the top benefit of using enterprise open source:

All of the above perhaps indicates IT pros' views on the security implications of using open source software are still a bit of a mixed bag, but improving overall.

Other data highlights of the report include:

• 82 percent of IT leaders are more likely to select a vendor who contributes to the open source community.
• 80 percent of IT leaders expect to increase their use of enterprise open source software for emerging technologies.
• 77 percent of IT leaders have a more positive perception of enterprise open source than they did a year ago.
• 70 percent of IT leaders work for organizations that use Kubernetes.

The report -- the fourth in the series -- is based on 1,296 interviews with global IT leaders conducted last year, with full methodology listed in the report PDF.