
New security concerns for the open-source software supply chain


According to VMware, calls for better security practices across software supply chains are growing as new security concerns emerge. Software supply chain risk has become the main factor pushing businesses of every size to reconsider how they consume open-source software. Techradar has even reported warnings advising businesses to avoid open-source software because of its security risks. Analysts attribute most of the rising risk in the open-source supply chain to the sheer number of components it contains: every package pulls in further dependencies, and each one is a potential entry point.

A VMware report shows that the open-source software supply chain has helped many businesses improve both productivity and efficiency. Stakeholders from a range of companies confirmed that their organizations use open-source software for at least one service. Open source also proved valuable to businesses through the support of large user communities and the flexibility it offers.

The VMware report also showed that some categories of software did better than others. In 2022, the biggest niches for open-source software were databases and caches, operating systems, runtimes, and container orchestration.

Small companies say open-source software is indispensable to their business

Small companies were not left out of open-source adoption in 2022. New data shows that about 84% of companies used open-source software that year. When businesses were asked which factors most hampered their use of open source, they named three: management, support, and trust were the major headwinds facing the open-source software industry.

VMware's data revealed that 44% of stakeholders named management as the biggest challenge in using open-source software. About 38% said they lacked support when using it. Another 34% said trust was their biggest problem with the open-source software supply chain. Because an open-source dependency tree typically contains many components from many maintainers, trust is a significant issue.

The use of community OSS declined while commercially supported OSS increased

A survey of companies showed that more organizations were interested in commercially supported open-source software than in community-supported software. This surprised tech analysts, since there had been speculation that use of commercially supported OSS was declining. The survey covered companies with more than 500 employees.

For 2022, about 70% of companies showed interest in community open-source software, compared with 66% in 2021. Further details of the survey showed that smaller companies preferred community-supported OSS, while larger companies preferred commercially supported OSS.

Security risk still dominates despite the benefits

The share of organizations interested in using open-source software fell from 95% to 90%. A study showed that many investors and company executives have serious concerns about the rising security risks of OSS. Trusted tech platforms have described some of the specific fears companies have about new vulnerabilities in open-source software supply chains. About 57% of these companies were concerned that there is no guarantee a vulnerability in an open-source component will ever be patched. Another 53% said it was difficult to keep up with the vulnerabilities disclosed across their open-source supply chain. 39% said it was hard to determine exactly what they had installed and how to keep it up to date. 35% said that open-source components change so fast it is difficult to keep up with them. Lack of control (33%) and lack of processes (29%) rounded out the list of concerns companies raised about using OSS.

Security Patches take forever to deploy

Many organizations and businesses complain that security patches take too long to deploy. This is a major issue companies face with open-source software supply chains. In about 61% of organizations, rolling out an important security update takes more than 24 hours. That is a long exposure window: once a patch is public, the vulnerability it fixes is known to attackers, and any system still running the unpatched version is an easy target in the meantime.

The same data shows that about 12% of organizations took more than a week to deploy vital security patches. Slow delivery of critical patches is one of the main reasons companies are moving away from open-source software. Cybercriminals can exploit a known weakness if a component in the supply chain is left vulnerable for as little as 24 hours.

VMware attributed the long delay in applying critical security patches largely to side effects of how OSS is packaged. Several organizations complained about how difficult it was to track the dependencies that package installers pull in. They found it hard to tell whether a vulnerability they were exposed to came from the component they chose or from a transitive dependency installed alongside it, and therefore which upgrade would actually close it. Open-source providers should make it simpler for organizations to track those dependencies.
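The tracking problem described above is concrete enough to show in code. The following is an added example, not code from the VMware report or from any package manager: it takes a resolved dependency graph in the shape a lock file provides (package name, pinned version, and the packages it requires), checks each pinned version against a list of advisories, and for every vulnerable package reports which direct dependencies pulled it in and along which paths. The package names, versions and advisory identifiers are all constructed for the example; the "vulnerable if installed version is below the first fixed version" rule is a simplification of how real advisories express affected ranges.

```python
"""Attribute vulnerable transitive dependencies to the direct dependencies that pull them in."""

# Constructed example of a resolved dependency graph, in the shape a lock file gives you:
# name -> {"version": pinned version, "requires": [names it depends on]}.  Not real packages.
LOCKED = {
    "webapp-framework": {"version": "4.2.0", "requires": ["template-engine", "http-client"]},
    "template-engine":  {"version": "2.9.1", "requires": ["text-escape"]},
    "http-client":      {"version": "1.14.0", "requires": ["url-parser", "text-escape"]},
    "url-parser":       {"version": "0.8.3", "requires": []},
    "text-escape":      {"version": "1.0.2", "requires": []},
    "task-runner":      {"version": "3.1.0", "requires": ["yaml-loader"]},
    "yaml-loader":      {"version": "5.4.0", "requires": []},
}

# The packages the team deliberately chose; everything else in LOCKED is transitive.
DIRECT = ["webapp-framework", "task-runner"]

# Constructed advisories (hypothetical identifiers): a package is vulnerable when the
# installed version is below the first fixed version.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "text-escape", "fixed_in": "1.0.3"},
    {"id": "EXAMPLE-0002", "package": "yaml-loader", "fixed_in": "5.3.0"},  # already fixed
]


def parse_version(version):
    """Turn a dotted numeric version such as '1.14.0' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(installed, fixed_in):
    """True when the pinned version predates the first fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


def dependency_paths(lock, root, target, path=()):
    """Return every path root -> ... -> target through the 'requires' edges.

    A package already on the current path is not revisited, so cyclic graphs terminate.
    """
    path = path + (root,)
    if root == target:
        return [list(path)]
    found = []
    for dep in lock.get(root, {}).get("requires", []):
        if dep in path:
            continue  # cycle guard
        found.extend(dependency_paths(lock, dep, target, path))
    return found


def attribute_findings(lock, direct, advisories):
    """For each advisory that matches a pinned package, explain how it got installed."""
    findings = []
    for adv in advisories:
        pkg = adv["package"]
        if pkg not in lock:
            continue  # advisory is for something we do not ship
        installed = lock[pkg]["version"]
        if not is_vulnerable(installed, adv["fixed_in"]):
            continue  # pinned version already carries the fix
        paths = [p for root in direct for p in dependency_paths(lock, root, pkg)]
        findings.append({
            "advisory": adv["id"],
            "package": pkg,
            "installed": installed,
            "fixed_in": adv["fixed_in"],
            "is_direct": pkg in direct,
            # The direct dependencies whose upgrade (or replacement) removes the exposure.
            "pulled_in_by": sorted({p[0] for p in paths}),
            "paths": paths,
        })
    return findings


def format_finding(finding):
    """One human-readable line per dependency path, for a ticket or CI log."""
    lines = [f"{finding['advisory']}: {finding['package']} {finding['installed']} "
             f"(fixed in {finding['fixed_in']})"]
    for path in finding["paths"]:
        lines.append("  via " + " -> ".join(path))
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in attribute_findings(LOCKED, DIRECT, ADVISORIES):
        print(format_finding(finding))
```

Run stand-alone, the script reports that the vulnerable `text-escape` 1.0.2 is not something the team installed directly but arrives twice through `webapp-framework` (once via `template-engine`, once via `http-client`), while `yaml-loader` is skipped because its pinned version already includes the fix. That is exactly the answer the surveyed organizations said they struggled to get: which chosen component is responsible, and therefore which upgrade actually removes the exposure.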

Companies offer security capabilities that will help reduce OSS security risks

Companies have offered recommendations that they believe would ease the growing security concerns around OSS. Fast access to security patches topped the list: about 60% of companies said OSS risk would be much easier to manage if critical patches were available within a short time, and specifically that trusted patches for operating-system components, dependencies, and applications would help them manage risk. Another 55% said centralized visibility into all scan results would simplify security audits. About 51% said automated vulnerability (CVE) scanning of every container would contribute to managing security risks.

Security analysts say that open-source software providers will need to act on these suggestions. While the open-source software supply chain remains indispensable to many businesses, mounting security concerns could translate into declining OSS usage.
