The Software Intelligence Report: What You Need to Know About Open Source Software

by Lev Lesokhin

Open source software offers enterprises speed, efficiency and cost savings—starting with acquisition and extending to rapid deployment and support. And it’s ubiquitous. Did you know that your BFF Netflix is built on open source software?

According to the Linux Foundation’s estimates, teams that use OSS can save more than 50% on the costs they would otherwise incur purchasing commercial solutions. But open source users also face some serious challenges and responsibilities—just ask Equifax, another well-known brand. As we saw with the Struts vulnerabilities that ultimately exposed Equifax, the software quality issues that prevail in open source components are more easily exploitable by hackers.

We’ve Put OSS to the Test

So even though evangelists are quick to cite reliability and enhanced security among the established virtues of OSS, the category warrants constant scrutiny: OSS can and should be subject to the same rigor the development community applies to commercial and proprietary software. That’s why we’ve created the Software Intelligence Report on Open Source Software Projects. I’ve worked closely with CAST team members Michael Muller and Nagaraja Adiga on this evaluation of OSS structural quality—the first of what we plan to be a regular series of in-depth analyses, timed to current events and trends in the development world.

And we’re very interested in feedback from the open source community. If you have any comments on the findings of our research, please let us know!

It’s incredibly important for organizations to have visibility into the quality of OSS that supports business applications. With this in mind, the Software Intelligence Report benchmarks the overall quality of OSS compared to software built in-house or by outsourced teams. The report looks to identify software risks—like the ones that have put Equifax and other organizations on the defensive.

OSS Security: Serious Highs and Lows

Our deep dive into 61 different open source projects—75,000 source files and 8.9 million lines of code—paid particular attention to security issues.

The good news is that OSS scores 93% compliance across the projects analyzed—7% higher than overall industry findings. However, six OSS applications in the report score lower than the four purposely non-secure applications in the roster. These significant outliers are at high risk of being exploited by hackers.

We looked into the software health of the various OSS apps by breaking them into categories. The highest-scoring categories are Analytics (99.2%!), Framework and Cloud/DevOps, while the low scorers are Blockchain, Programming Language and Database apps.

Adding to these gaps, we found that OSS Frameworks scored worst on system-level rules. This can lead to more prevalent outages and successful hacker activity (e.g. the Equifax breach). Frameworks—the basis for business applications—are probably some of the most exploited OSS, and hackers know it. This also supports the statistic that system-level rule violations are the root cause of more than 90% of outages in production.

Other critical metrics in the report include:

  • Transferability. In the game of making software more easily changeable over time, the winners are Cloud/DevOps and Blockchain. Low scorers: Analytics and Security.
  • Changeability. Here, Blockchain projects tend to violate more critical rules. This is a concern for the long term as the technology spreads and needs to evolve more quickly. Winners: Cloud/DevOps projects, likely due to their smaller codebases.
  • Robustness. Blockchain, Cloud/DevOps and Programming Language score highest for critical rules in this category. Low scorers: Database and Security applications.

The Looming Question: So What about Bitcoin?

Blockchain applications score highly on robustness, as noted above, but poorly on efficiency and security. So does this low efficiency score have implications for the future of Bitcoin mining? That process is designed to be resource-intensive and difficult so that the number of blocks mined each day remains steady. Our findings also confirm that Blockchain apps are more secure as part of a distributed ledger and can handle heavier workloads—they’re nearly impossible to crash.

Explore the Findings

Looking at our overall research, we acknowledge that the vulnerabilities we’ve identified aren’t necessarily definitive—but they’re directional. Read them for yourself. We hope you’ll agree that as OSS continues to proliferate, gathering software intelligence on these apps must become an essential enterprise best practice.

Lev Lesokhin, EVP, Strategy and Analytics at CAST
Lev spends his time investigating and communicating ways that software analysis and measurement can improve the lives of apps dev professionals. He is always ready to listen to customer feedback and to hear from IT practitioners about their software development and management challenges. Lev helps set market & product strategy for CAST and occasionally writes about his perspective on business technology in this blog and other media.