<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=705633339897683&amp;ev=PageView&amp;noscript=1">

Tidelift Study Finds the Majority of Organizations Struggle with Open Source Software Supply Chain Security and Maintenance

Most urgent challenges for large organizations include identifying and resolving security vulnerabilities, making good decisions about when to upgrade components and frameworks, and complying with new government requirements
April 13, 2022

BOSTON, April 13, 2022 — Tidelift, a leading provider of solutions for improving the health and security of the open source behind modern applications, today released the 2022 Open Source Software Supply Chain Survey Report, providing critical insights into the state and practice of open source software supply chain management. 

This comprehensive study of nearly 700 technologists, now in its fourth year, explored the most urgent challenges development teams face when building applications with open source. It also reveals new insights into how confident technologists are in their organizations’ current open source management practices, and in the open source components and languages they use more generally. Further it highlights how organizations are employing emerging open source management best practices, including the use of software bills of materials (SBOMs) and repositories of approved open source components. 

“Open source is now the de facto standard application development platform and is a proven driver of business success and innovation. Yet as its popularity grows, the challenge of helping development teams manage open source health and security becomes exponentially more difficult,” said Donald Fischer, chief executive officer, Tidelift. “This year’s survey data demonstrates that organizations are beginning to better understand both the challenges stopping them from gaining full benefit from open source and the management best practices that will help them overcome those challenges.”

Key findings: 

Security is technologists’ most urgent challenge, while complying with government requirements is a rising concern for large organizations.

  • Security is the most urgent challenge (30%)—and the larger the organization, the more likely it is to be the most urgent (35% of the largest organizations named security the most urgent challenge).
  • Almost half of the largest organizations with more than 10,000 employees are challenged by complying with government requirements (48%), with 13% naming it the most urgent challenge (almost four times more than in smaller organizations).
  • The largest organizations are struggling across the board with issues related to managing open source. Every challenge identified was cited by nearly half or more respondents.

Only 15% of organizations are extremely confident in their open source management practices; the majority have some concerns about keeping open source up-to-date, secure, and well-maintained.

  • The majority of respondents are somewhat confident (62%), while 22% are not very or not at all confident.
  • Organizations currently using software bills of materials (SBOMs) are generally more confident in their open source management practices than those not using them.

  Getting approval to use new open source components in large organizations is often slow and tedious.

  • The majority of organizations (61%) have some sort of approval process for introducing new open source components. The remaining 39% of organizations have either no process or an informal process that does not require authorization.
  • In the largest organizations, an even higher percentage (78%) require some sort of authorization process for introducing new open source components while only 8% have no approval process at all.
  • Approval takes longer in the largest organizations, with 56% of organizations over 10,000 employees reporting approval takes a week or more.  

Only 37% of organizations are aware of new government software supply chain security requirements around security and SBOMs.

  • 37% of organizations are aware of the White House executive order on cybersecurity and the responsibilities it places on organizations selling to the government.
  • Many of these respondents (42%) believe current software supply chain security incidents like SolarWinds have had a large or extremely large impact on how their organization approaches application security.

Many organizations are already using or piloting the best practice of building centralized repositories of approved open source components.

  • 65% of organizations are already using or actively piloting centralized repositories of approved open source components. 
  • This percentage rises to 75% for the largest organizations over 10,000 employees.

Receive a copy of the full survey report here.

About Tidelift:

Tidelift helps organizations effectively manage the open source behind modern applications. Through the Tidelift Subscription, the company delivers the tools, data, and strategies powering an inclusive and organization-wide approach to improving the health and security of the open source software supply chain. Tidelift enables organizations to move fast and stay safe when building applications with open source, so they can create more incredible software, even faster. https://tidelift.com/ 


Kristen Wiltse
KW Communications

New call-to-action