In a new technology research paper, expert analysts from the International Data Corporation (IDC)—Al Gillen, group vice president, software development and open source; Jim Mercer, research vice president, DevOps and DevSecOps solutions; and Katie Norton, senior research analyst, DevOps and DevSecOps—shed light on the increasingly prominent role played by automated tooling technology in ensuring secure open source software (OSS) supply chains.
Research by IDC shows that OSS is no longer a fringe technology used by bleeding-edge risk-takers, but has become a mainstream technology in building applications, and its use will only increase going forward. So, it has become imperative for organizations to find a way to manage their OSS supply chains to ensure that components pulled into an application at build time are current, secure, and not bringing with them dependencies of unknown origin.
Many businesses have faced a security compromise because of OSS usage, as demonstrated by an IDC survey of 203 IT professionals who use OSS in some capacity. Over two-thirds of the respondents reported that they had experienced an OSS-associated security compromise or vulnerability over the last two years. IDC suggests that organizations can build a more secure approach to developing applications with OSS by incorporating some key tenets, such as developer-centric design, ease of use, performant operations, accuracy, prioritization, dashboarding capabilities, and integration with other tools and platforms.
The paper predicts that the ability of AI-assisted pair programming tools to leverage knowledge gleaned from vast amounts of publicly available OSS code will likely lead to greatly accelerated development speed and further increased use of OSS content. The analysts also state that building new applications by integrating curated OSS content with internally generated code aligns with the larger trend of organizations taking a digitally innovative approach to reimagine their businesses and become software-first companies. But unlike software that is written in-house, OSS components that are acquired and integrated, as well as turnkey applications built from OSS, may not have a simple lineage. They may be covered by multiple OSS licenses and have dependencies that are of suspect quality or pull in out-of-date components, posing additional challenges and responsibilities.
Lastly, the paper sheds light on how VMware Application Catalog—a cloud service from VMware that enables customers to build a private catalog of custom packaged open source application components that are continuously maintained and verifiably tested for use in production environments—can be an answer to the OSS supply chain security needs of many organizations.
To get the full paper and understand how you can leverage automated tooling to build a secure OSS supply chain, download the IDC Technology Spotlight "Ensure Secure Open Source Software Using Automated Tooling," sponsored by VMware.