The State of Software Supply Chain 2022
VMware Tanzu recently released The State of the Software Supply Chain report, which focuses on giving insights into the adoption and supply of open source software. Over the past year, significant vulnerabilities have turned up in both commercial and open-source software.
The survey was taken by a mix of IT development and operations professionals, including CTOs, managers, and individual contributors: 1,198 OSS stakeholders from a wide range of industries and job levels.
Here are some key takeaways from the report:
Open Source fulfills its Promise
- 99.8% of survey respondents report that their organizations benefit from using open-source tools. Five of the benefits cited are cost efficiency, flexibility, large community support, productivity, and teams being able to work with their preferred technologies.
- Small companies experience the same benefits from OSS as larger companies do.
- When asked why organizations use OSS tooling, 76% said cost efficiency was a major reason. Almost 89% of respondents recognize cost efficiency as a benefit.
- The most used open-source technologies include databases/caches (75%), runtimes (71%), operating systems (70%), and container orchestrators (59%).
- Smaller companies are less likely to use open-source tools for container orchestration, software delivery, and logging and monitoring. They are more likely to use open-source business software including solutions like ERP, CMS, eCommerce, and WordPress.
Open Source Software Headwinds
- While organizations benefit from using open-source tools, there are certain headwinds as well. This year's survey showed a 5% drop in the use of open-source software in production.
- The biggest headwinds to the adoption of open-source tools are a lack of management support, insufficient support for open-source software in production environments, and a lack of trust.
- Compared with last year's report, fewer companies have policies against using open-source software in production. Yet only a few companies are actually using OSS in production.
- There seems to be greater adoption of commercially supported OSS over the community version of the software.
Security Risks Dominate
- Security concerns and perceived risks have increased this year, which discourages companies from using OSS in production. 94% of respondents expressed concern about running OSS in production because of security.
- The biggest concerns are a lack of good processes for using OSS in production, and difficulty in knowing exactly what is installed and where, and in keeping it all up to date. Further concerns are the inability to evaluate risk because of rapid change, and a lack of control.
Tools, Tasks, and Teams
- Packaging OSS remains difficult and time-consuming. For organizations using or considering OSS, this is a key area where optimization may yield significant benefits.
- When asked to select the methods used for packaging, 56% say they use software the community has already packaged, and 55% package open-source software internally.
- Companies with 100 employees or fewer are less likely to package open source software internally (47% vs 55%) but also far less likely to purchase pre-packaged open source software (17% vs 28% overall).
- Compared to last year, packaging challenges have been on the rise. Difficulty tracking vulnerabilities increased by 3 percentage points to 55%. Other issues include difficulty tracking dependencies and too many security policies.
- A side effect of all the complexity associated with packaging is that it takes significant time to deploy critical security patches.
- When asked about software packaging capabilities that would improve security, the top answers were immediate access to trusted security patches, centralized visibility to scans, and automatic CVE and virus scanning for every container.
TL;DR
An overview of the report shows that companies continue to choose open-source software for its cost efficiency, flexibility, and community support.
Compared to last year, fewer folks are deploying open-source software in production due to management challenges, support concerns, and a lack of trust.