Earlier today Sonatype released the results of their annual survey. The survey looks at the extent to which developers use open source components, with a particular focus on how they balance the competing needs of speed and security. The data makes it clear that security is very often not the priority.
The results of the survey show the massive extent to which developers now rely on components. Of course, this has been the case for many years, but the full maturation of the concept of component assembly rather than code writing is well illustrated here.
The more concerning figures to arise from this study are those relating to security procedures. Again, for many developers it will come as no surprise to hear that well-conceived open source policies are scarce and that security vulnerabilities are not treated as a big deal in many companies. Yet custom analysis Sonatype performed at our request showed that things may be worse than even they believe. Sonatype investigated exclusively for us and found that the number of serious software vulnerabilities (CVEs) arising from components has rocketed in recent years.
Seeing those facts displayed graphically like this, in direct association with actual practices, encourages a sense of urgency on this question. What practices do we need to put in place to keep on top of the security of our projects in the age of components? Sonatype have provided one answer to that question, with a series of good practice suggestions at the end of their survey.
For more discussion, see our article in InfoWorld today.