
Security-Conscious Open Source Devs Now Wrestle with Government Requirements

Technologists using open source software, long plagued by security concerns, are now facing a new challenge: meeting government requirements enacted to mitigate those concerns.

That's a key takeaway from the new survey-based "2022 Open Source Software Supply Chain Survey Report" from Tidelift, which specializes in managing open source software supply chain health and security. Respondents included software developers, engineering executives and managers, architects, and devops pros.

"Security is open source developers' most urgent challenge, while complying with government requirements is an emerging concern," the report said.

In this year's edition of the report series, the company for the first time asked respondents if complying with government regulations was a challenge, following executive orders and other actions designed to improve cybersecurity in federal agencies and associated organizations. One such action was the May 12, 2021, Executive Order on Improving the Nation's Cybersecurity.

As Virtualization & Cloud Review reported in the recent article "Agencies Advance on Biden's 2021 Zero Trust Order," it stipulated that by the end of fiscal year 2024:

The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.

The Biden administration has continued to be proactive on the cybersecurity front, as we reported in the recent article, "Biden Signs Metrics Bill to Combat Cybercrime into Law."

So Tidelift wondered whether such actions were becoming a burden to organizations: were they in fact being challenged by directives meant to address cybersecurity concerns?

The answer was yes -- resoundingly so among larger organizations.

"Almost half of the largest organizations with more than 10,000 employees are challenged by complying with government requirements (48 percent), with 13 percent naming it the most urgent challenge (almost four times more commonly cited than in smaller organizations)," the report said.

A follow-up question asked respondents to select the most urgent challenge among those they had identified. As usual, security was the most urgent challenge. However, "complying with government regulations" wasn't far behind.

[Figure: Most Urgent Challenge (source: Tidelift).]

Another chart shows that the new requirements burden -- even though it was reported as a challenge by 48 percent of respondents -- was far down a long list of such open source development challenges, which also includes licensing issues and lengthy or confusing processes for requesting to use new open source components.

[Figure: Challenges Faced by Larger Organizations (source: Tidelift).]

Perhaps surprisingly, though, the survey also found only 37 percent of organizations were even aware of the White House executive order on cybersecurity.

That ignorance is likely to lessen, however, as the report's findings jibed with others that have pointed out the increasing burden of regulations and requirements facing organizations today. For example, we recently reported on such a survey -- focusing on cloud-native tech like containers -- from Tigera (see "Compliance Requirements Reportedly Slow Cloud-Native, Container Initiatives").

"We are pleased to see that many companies are focusing development on cloud-native applications; however, the report highlights that with cloud-native adoption comes a slew of new requirements and challenges that are driving delays," said the "State of Cloud Native Security" report from Tigera.

Meanwhile, in the new Tidelift report, other highlights beyond regulations/requirements challenges include:

  • Only 15 percent of organizations are extremely confident in their open source management practices; the majority have concerns
  • Of the top three open source languages, Python earns highest confidence ratings
  • Getting approval to use new open source components in large organizations is often slow and tedious
  • The best practice of centrally managing a repository of approved open source components is growing rapidly
  • 78 percent of organizations are already using SBOMs [software bills of materials] for application development or have plans to in the next year

This fourth annual report in the series from Tidelift polled 696 technologists who were contacted in December 2021 via the company's email lists and social media and vetted to be employed and using open source to build applications at work.

About the Author

David Ramel is an editor and writer for Converge360.
