OSS Fulfills Promise, but Orgs Worry About Management, Support and Trust, Says Report
Open source software in the enterprise has basically fulfilled its promise, a new report says, but its usage might be curtailed by worries about management, support and trust.
Those are conclusions from VMware's new report titled "The State of the Software Supply Chain: Open Source Edition 2022," which looks at key trends associated with using open source software (OSS) in software supply chains, along with the associated risks and concerns.
"Companies continue to choose open source software for reasons such as cost efficiency (75 percent), flexibility (57 percent) and community support (54 percent), and this year's survey finds that OSS is fulfilling those expectations," the report said. "However, the past year hasn't been all smooth sailing for OSS adoption. Fewer respondents say they are deploying OSS in production this year than last year -- 90 percent versus 95 percent -- due to management challenges (44 percent), support concerns (38 percent) and lack of trust in OSS technology (34 percent). Significant opportunities exist to improve OSS packaging and the security of OSS in production."
The aforementioned risks and concerns primarily revolve around security, of course, and that holds true for this report just as it did in VMware's first such report last year (and in just about any other OSS usage report you can find).
"Security concerns and perceived risks increased this year, discouraging more companies that use OSS in development from using it in production," the report said. "Almost all stakeholders surveyed have concerns about production use of OSS. Two of the top three concerns involve security and the OSS community, while the top two security risks identified pertain specifically to security vulnerabilities."
Along with security, those aforementioned management, support and trust headwinds are also major concerns that contributed to that drop in production OSS usage.
"When we asked what was keeping a growing fraction of stakeholders from production deployment, many (44 percent) selected 'we're still figuring out how to manage OSS in production,'" VMware said. "However, 38 percent chose 'we don't see sufficient support for open source software in production environments,' and 34 percent chose 'we don't trust open source software for production environments.'
"Last year, 46 percent of respondents selected 'we have a policy against open source software in production.' This year, that number declined to just 25 percent. This dramatic change is not just an artifact of the inclusion of smaller companies. Only 35 percent of stakeholders from companies with more than 10,000 employees now have a policy against open source. These are the companies you might expect to be most cautious and policy-bound."
Despite respondents reporting a notable uptick in security risks across the board this year, and despite those management, support and trust concerns, VMware reported that OSS has basically fulfilled its promise, with organizations that use OSS reporting that their expectations of OSS align closely with the benefits they actually realize.
"Sometimes, you learn a lot by asking the same question from slightly different angles," the report said. "This year, in addition to asking, 'What benefits does your organization realize from running open source software in production?,' we also asked the question, 'Why does your organization use open source software?' This allowed us to understand how closely the reasons for choosing OSS match the reported benefits, and the answer is VERY CLOSELY. There's a strong correlation for each of the top five benefits. In particular, 75 percent said that cost efficiency was a reason for using OSS, while 76 percent said it was a benefit of using OSS. While OSS can be free to use, many question whether the 'all in' cost of owning and operating OSS is favorable. This survey demonstrates that in real-world production environments, companies find OSS to be cost efficient."
When asked what types of OSS were being used, the top answers were:
- Database or cache (e.g. MySQL) -- 75 percent
- Runtimes (e.g. Java, Node.js) -- 71 percent
- Operating systems (e.g. Linux) -- 70 percent
- Container orchestration (e.g. Kubernetes) -- 59 percent
- Software delivery (e.g. Jenkins) -- 48 percent
- Line of business software (e.g. WordPress, ERP, CMS, eCommerce) -- 45 percent
- Logging and monitoring (e.g. Prometheus, ELK stack) -- 44 percent
- Management tools (e.g. Redmine) -- 28 percent
- Other -- 3 percent
The report also devoted one of its four main sections to tools, tasks and teams, with a focus on packaging.
"In 2022, packaging OSS remains difficult and time-consuming, with processes dominated by too many tools, too many tasks and too many teams," VMware said. "For companies using or considering the use of OSS, this is a key area where optimization -- either by choosing better tools or by finding commercial sources -- may provide significant benefits.
"Last year's report found that too many tools, too many (manual) tasks and too many teams were involved in packaging OSS at most companies. Little has changed this year," the report continued, listing these data points:
- Tools. 70 percent of companies use two or more tools, with 36 percent using three or more. The most common behavior appears to be the use of two tools, at 34 percent.
- Tasks. A large number of tasks are performed before OSS goes into production, including functional testing (performed by 68 percent), load testing (52 percent), scanning for CVEs (48 percent) and building a software bill of materials (34 percent). Companies with 100 employees or fewer are less likely to perform these tasks: functional testing (57 percent vs 68 percent), load testing (37 percent vs 52 percent) and scanning for CVEs (34 percent vs 48 percent).
- Teams. Packaging tasks remain split between Development (60 percent), the DevOps team (60 percent), IT operations (47 percent) and Platform operations (27 percent). Once again, multiple teams appear to be involved in OSS packaging. As company size increases, the burden of packaging shifts from Development (which declines from 65 percent to 55 percent) to the DevOps team (which increases from 46 percent to 66 percent).
Many of the VMware report's findings are similar to a recent report from Tidelift, which specializes in managing OSS supply chain health and security. Security was paramount in that report, too, though it also addressed government requirements.
"Security is open source developers' most urgent challenge, while complying with government requirements is an emerging concern," the Tidelift report said. For more on that, see the July Virtualization & Cloud Review article, "Security-Conscious Open Source Devs Now Wrestle with Government Requirements."
VMware commissioned Dimensional Research to conduct the survey for its report, which was published earlier this month. The survey polled 1,198 OSS stakeholders from a wide range of industries and job levels, representing a mix of professionals in IT development and operations roles, including technology executives, team managers and individual contributors. While last year's survey focused on companies with 500 or more employees, this year's survey was expanded to include companies of all sizes.
David Ramel is an editor and writer for Converge360.