As highlighted in the InformationWeek blog DARKReading, a recent study assessing industry trends regarding open source software found that although 78% of organizations surveyed run part or all of their operations on open source software (only 3% of respondents reported not using open source software in any way), a majority of respondents had no formal policies or procedures governing the use of open source software. The study’s findings also highlighted a number of other specific ways the adoption of appropriate internal controls has not kept pace with the increasing use of open source software, leaving many organizations exposed to significant potential risks, including the following:

  • Tracking Use of Open Source Software. According to the study, less than 42% of organizations maintain an inventory of open source components. Tracking the use of open source software is the most fundamental function of an open source software policy. Accurate tracking enables an organization to ensure it uses open source components in accordance with license terms and that such use does not expose the organization to unnecessary risks.
  • Assessing Security Vulnerabilities. The study found that greater than 50% of respondents were not satisfied with their ability to understand known security vulnerabilities in open source components, and only 17% planned to monitor open source code for security flaws. Having an open source software policy in place which provides for a system of prior approval and tracking can enable organizations to more easily assess security weaknesses, preempt security issues before components are used in production environments, and maintain approved code to foreclose future security vulnerabilities.
  • Employee Contributions to Open Source Projects. The study found that only 27% of respondents had a formal policy in place governing contributions of code developed by its employees to the open source community. While permitting and encouraging employee contributions has many benefits to an organization, including promoting wider adoption of an organization’s technology and improving an organization’s standing with its customers, the press, and the open source community, organizations should have a formal policy in place that requires prior approval for open source contributions, including guidelines for approval and the licenses to be used for contributions.

The survey, the Ninth Annual Future of Open Source Survey, was published by Black Duck Software and North Bridge.