Best Practices for Open Source Governance

Companies of all sizes and across all industries are building software products, and they rely on open source code to do it. Both Forrester and Gartner, the industry's leading research and advisory firms, estimate that between 80% and 90% of all commercial software developers use open source components within their applications. But how is that open source usage accounted for? How is it managed? Or is it managed at all?


The Move from Blind Eye to a Governance Policy

Historically, the answer was a blind eye and a deaf ear turned to open source usage: developers were given an undocumented, unmonitored free hand to choose open source components at their own discretion.

Fast forward down the production line, and these unsuspecting developers begin to notice that the excessive freedom they enjoy brings more trouble than benefit. They pull in open source components without checking for vulnerabilities, without considering vulnerability severity, and with little knowledge of the licenses attached to the components they choose, and a few weeks or months down the line they find themselves in a world of remediation hurt.

In today's development climate, companies are weighing the balance between bringing their open source usage under control, managed in an automated, continuous and consistent manner, and leaving developers the freedom they need to do their jobs productively.


A Dialogue that Needs to Happen

Open source governance begins as a conceptual idea: an organization acknowledges the extent of its reliance on open source and agrees that there are too many risks involved in not knowing which components go into its code.

When the whens and hows of open source usage become real concerns, an organization starts talking amongst (Read more...)

*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Anat Richter. Read the original post at: