Open Source Software: To Get More Value, Manage Your Risks

Open source software is everywhere, but Aberdeen’s analysis reveals that less than 10% of all issues are already known, and more than 20% are high risk.

Open Source Software is Everywhere: Benefits, Risks

Few would dispute that the use of open source software (i.e., publicly accessible source code which can be copied, inspected, modified, enhanced, used, and distributed as part of your own enterprise application development projects) has gone fully mainstream. For all but the smallest programs, it is virtually certain that the developers in your organization are actively taking advantage of open source.

The incentives for incorporating open source software into your enterprise application development projects are plentiful, including:

  • Speed – Developers can get immediate access to the functionality their own project needs, taking full advantage of the innovations already implemented and contributed by the open source community.
  • Flexibility – Enterprise application development projects can be more independent from the roadmaps, schedules, and pricing models of traditional, commercially licensed software, with the ability to customize open source as needed for their specific requirements.
  • Community – The quality of open source software can more readily benefit from the diversity of use cases and expertise throughout the entire open source community, not only in the addition of new functionality but also in the identification and remediation of defects.

At the same time, incorporating open source software into your enterprise application development projects can also introduce significant risks, such as:

  • Licensing risks – Licensing risks can range from relatively simple compliance requirements (e.g., the obligation to include a copyright statement with your own code), to more complex and potentially costly intellectual property issues (e.g., the possibility of violating third-party intellectual property rights, or an unintended obligation to release your own proprietary code as open source software).
  • Security risks – Security vulnerabilities in open source software have the potential to be exploited by attackers, which can in turn result in significant business impact from data breaches, unplanned downtime of key applications, lost productivity of users, and so on.

Your Organization’s Risk from Open Source Software: How Many P1 Issues are Lurking in Your Codebase?

The implications of the preceding discussion are straightforward: To fully realize the benefits of open source software, organizations must also understand the associated risks, and make well-informed business decisions regarding how those risks should be prioritized and addressed.

Just how many high-priority issues from your organization’s use of open source software are likely to be lurking unknown in your codebase? To provide fact-based insights into this important question, Aberdeen analyzed empirical data from the results of more than 120 software audits performed by a leading provider of Software Composition Analysis solutions. Across this diverse range of organizations and their respective codebases, Aberdeen’s analysis of real-world software audit results revealed that:

  • The total number of issues discovered is surprisingly high: For every ten thousand lines of code, performing a software audit is 90% likely to discover between 0.5 and 10 total issues, with a median of 1.
  • The percentage of total issues that organizations already know about is shockingly low: Prior to a software audit, organizations have identified between 1.2% and 53.6% of the total issues in their codebase, with a median of just 8.1%. Said another way, a median of 91.9% of the total issues in your enterprise application development projects are not known.
  • Priority 1 (P1) issues represent a significant proportion of the total: Among all issues discovered by a software audit, P1 issues represent between 0% and 90%, with a median value of about 21%. Whether licensing-related or security-related, these are the risks with potentially devastating financial impact.

Readers should note that these empirically derived insights are presented as a range of possible values (i.e., lower bound, upper bound) along with an associated shape (i.e., as driven by a median or most likely value), as opposed to falsely precise, fixed-point estimates based on averages. The latter type of analysis, all too common in high-tech marketing, actually provides no insight whatsoever about the risk. For example: How likely is it for the number of P1 issues to be greater than the average? How likely is it to be greater than some specific threshold that reflects the senior leadership team’s appetite for risk?

As technical professionals, we can and must do better than that. Understanding your organization’s risks from open source software, in terms of both “how likely” and “how much impact” (as risk is properly defined), is the key to making well-informed business decisions for what to do about them, which can start by investing in a Software Composition Analysis of your own codebase.

The results of Aberdeen’s analysis of empirical data from more than 120 software audits are represented visually in Figure 1. To provide a specific point of reference, the analysis is based on a Software Composition Analysis of 10 million lines of code.

Figure 1: Quantifying Your Hidden Risks from Open Source Software
Source: Analysis based on empirical data adapted from Flexera;
Aberdeen, January 2020

Figure 2 provides an alternative representation of the same analysis, in the form of exceedance curves: the x-axis represents the number of issues, while the y-axis represents the likelihood of exceeding that value. Exceedance curves are tailor-made to address the problems with “averages” raised earlier, and provide the senior leadership team with useful insights about a given risk.

As shown in Figure 2, based on a Software Composition Analysis of 10M lines of code, your organization can expect to find:

  • Known issues (before audit) – Between 0 and 800 (median: 106)
  • Total issues (after audit) – Between 500 and 7,200 (median: 1,060)
  • P1 issues (after audit) – Between 107 and 1,400 (median: 230)

Figure 2: Open Source Software “Issue Exceedance Curves”
Source: Analysis based on empirical data adapted from Flexera;
Aberdeen, January 2020
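The exceedance-curve reading of these figures can be reproduced numerically. The following is an added example, not Aberdeen’s or Flexera’s code: it takes the three quoted points for each count (lower bound, median, upper bound, read as the 5th, 50th and 95th percentiles) and answers the two questions the article raises, “how likely are we to exceed a threshold?” and “what count should we plan for at a given risk appetite?”. The assumption that the curve is piecewise linear in log1p(count) between those points is mine, not the article’s.

```python
# Added example (not Aberdeen's or Flexera's code). Assumption: between the
# three quantiles the article quotes, P(count > x) is piecewise linear in log1p(x).
import math

# Constructed from the article's 10M-LOC figures: (lower bound, median, upper
# bound), read as the 5th, 50th and 95th percentiles of the issue count.
ISSUE_ESTIMATES = {
    "known_issues": (0, 106, 800),
    "total_issues": (500, 1060, 7200),
    "p1_issues": (107, 230, 1400),
}


def _segment(estimate, key, by_probability):
    """Pick the curve segment (x0, p0), (x1, p1) that contains a count
    threshold or an exceedance probability; each point is (count, P(>count))."""
    lo, med, hi = estimate
    first = key > 0.5 if by_probability else key < med
    return ((lo, 0.95), (med, 0.50)) if first else ((med, 0.50), (hi, 0.05))


def exceedance_probability(estimate, threshold):
    """P(issue count > threshold). Outside the 90% interval the article gives
    no shape, so the conservative upper bound on risk is returned."""
    lo, _, hi = estimate
    if threshold < lo:
        return 1.0
    if threshold >= hi:
        return 0.05
    (x0, p0), (x1, p1) = _segment(estimate, threshold, by_probability=False)
    t = (math.log1p(threshold) - math.log1p(x0)) / (math.log1p(x1) - math.log1p(x0))
    return p0 + t * (p1 - p0)


def count_at_exceedance(estimate, probability):
    """Inverse curve: the count exceeded with the given probability, e.g. the
    P1 backlog to budget for if leadership accepts a 10% chance of more."""
    if not 0.05 <= probability <= 0.95:
        raise ValueError("the article only covers the 90% interval")
    (x0, p0), (x1, p1) = _segment(estimate, probability, by_probability=True)
    t = (probability - p0) / (p1 - p0)
    return math.expm1(math.log1p(x0) + t * (math.log1p(x1) - math.log1p(x0)))


def risk_table(name, thresholds):
    """Rows of (threshold, P(exceed)) for one estimate, ready for a briefing."""
    est = ISSUE_ESTIMATES[name]
    return [(x, round(exceedance_probability(est, x), 3)) for x in thresholds]
```

For instance, `risk_table("p1_issues", [100, 500, 1000, 2000])` gives the chance of exceeding each P1 threshold, and `count_at_exceedance(ISSUE_ESTIMATES["p1_issues"], 0.10)` gives the P1 count that is exceeded only one time in ten.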

Summary and Key Takeaways

  • The ubiquitous use of open source software has both benefits and risks. The use of open source software has gone fully mainstream; it’s virtually certain that the developers in your organization are actively taking advantage of open source. For your enterprise application development projects, benefits of incorporating open source software include speed, flexibility, and the “force multiplier” effect of the open source community. At the same time, open source software can also introduce significant risks related to licensing and security.
  • To fully realize the benefits of open source software, organizations must also understand the associated risks. Aberdeen’s analysis of empirical data from the results of more than 120 software audits performed by a leading provider of Software Composition Analysis solutions reveals that the total number of issues discovered is surprisingly high; the percentage of total issues that organizations already know about is shockingly low; and P1 issues represent a significant proportion of the total.
  • Understanding your organization’s risks from open source software is key to making well-informed business decisions for what to do about them. To the extent that the risk described by Aberdeen’s generalized analysis is deemed to be unacceptably high, investing in a Software Composition Analysis of your own codebase is a straightforward and cost-effective place to start.

Aberdeen Strategy & Research, a division of Spiceworks Ziff Davis, with over three decades of experience in independent, credible market research, helps illuminate market realities and inform business strategies. Our fact-based, unbiased, and outcome-centric research approach provides insights on technology, customer management, and business operations, to inspire critical thinking and ignite data-driven business actions.