Reward versus risk

Modern applications are made up of a mix of proprietary and open source code, APIs, user interfaces, databases, operating systems, and various configurations. The software supply chain is made up of every bit of code that touches an application or plays a role in its assembly, development, or deployment. A weakness in the code anywhere along that chain can create risk for the applications and for the enterprises that use them. And since the OSSRA research shows that 84% of codebases have at least one vulnerability, ensuring secure code is critical.

The benefits of using OSS include:

Agility and faster development. Development teams can rapidly integrate new technologies into their software stack, in days and weeks rather than months and years.

Lower development and maintenance costs. Open source software is free to use, making it more cost-effective than commercial software, and it enables developers to start small and scale as it becomes necessary.

Focus on what your organization does best. Let developers spend their time and attention on the parts of the codebase that require their expertise.

There are risks with open source software—as there are with code from any other source—that IT teams and developers must consider. Open source code makes its way into applications in a variety of ways: developers using OSS in applications they design, third-party commercial code that includes OSS, and outsourced software development. Because it is often developed by small communities and even volunteers, open source software isn’t always up to date. The code may not be actively maintained, or it may have vulnerabilities that have been discovered but not yet fixed.

One of the unique challenges of using open source code is the licensing requirements. Synopsys research shows that 54% of audited codebases had license conflicts. For example, if software is used beyond the scope of its license, the result can be copyright infringement. “Depending on the applicable license and your use case, it’s possible to trigger obligations to share proprietary source code, severely impacting your business value,” according to Decicco. The time and resources required to remediate these licensing issues can take effort away from the enterprise’s core mission.