Open Source Usage Trends and Security Challenges Revealed in New Study

The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the release of “Census III of Free and Open Source Software – Application Libraries” (Census III) in collaboration with the Laboratory for Innovation Science at Harvard. The study identifies the most widely-used free and open source software (FOSS) as application libraries. Among its key insights, the study underlines the ongoing importance of open source collaboration.

Census III is the third study investigating the widespread use of open source software and provides the most comprehensive aggregation of data to date. Derived from over 12 million observations of FOSS libraries in production applications at more than ten thousand companies, the report highlights critical trends shaping the open source ecosystem.

The Census III effort was conducted in partnership with Harvard University and leading Software Composition Analysis (SCA) organizations, including Black Duck, FOSSA, Snyk, and Sonatype. This collaboration advances the state of open source research by combining insights and resources to better understand the value and security of the OSS ecosystem.

Key Findings of Census III Report

The report highlights several key trends and insights, such as:

  1. The use of cloud service-specific packages is increasing.
  2. There is an ongoing transition from Python 2 to Python 3.
  3. Maven packages continue to be widely used and there is an increased prevalence of NuGet and Python packages.
  4. Use of components from Rust package repositories has increased considerably since Census II.
  5. There continues to be a need for the use of standardized naming schema for software components.
  6. Much of the most widely used FOSS is developed by only a handful of contributors.
  7. Individual developer account security is increasingly important.
  8. Legacy software persists in the open source space.

Census III is authored by Frank Nagle, Harvard Business School; Kate Powell, Laboratory for Innovation Science at Harvard; Richie Zitomer, Harvard Business School; and David A. Wheeler, Open Source Security Foundation (OpenSSF), The Linux Foundation.

To read the report, download the Census III of Free and Open Source Software – Application Libraries research study on the Linux Foundation website.

Supporting Quotes

Linux Foundation
“Understanding the health and security posture of open source software is a critical step to ensure its sustainability. Census III underscores the importance of identifying and supporting widely used open source components, complementing Linux Foundation projects, initiatives, and security-focused research, and it comes at a critical time as we navigate regulations like the Cyber Resilience Act. These insights are vital for prioritizing resources in our efforts to steward a secure and resilient open source ecosystem.”
– Hilary Carter, SVP Research, The Linux Foundation

OpenSSF
“FOSS is now ubiquitous, serving as a foundational infrastructure of society. However, its success has also made it a target for attackers seeking to exploit vulnerabilities. This study provides valuable insights that will help individuals and organizations worldwide prioritize their investments to significantly reduce both the recurrence and impact of vulnerabilities in FOSS – both unintentional and malicious. This marks a critical step in safeguarding our software supply chains against attacks and ensuring they deliver reliable, high-quality results.”
– David A. Wheeler, Director of Open Source Supply Chain Security, Open Source Software Foundation (OpenSSF)

Harvard Business School
“Free and open source software has become the backbone of the digital economy. However, understanding which projects are critical to sustaining the FOSS ecosystem is difficult since there is limited ability to centrally measure the most widely used packages. Census III provides deep and broad insights into this problem as it measures which FOSS packages companies are most heavily reliant on and offers guidance for organizations and individuals who want to invest to support and secure this essential public good.”
– Frank Nagle, Harvard Business School

Black Duck
“The ubiquity of FOSS as both foundational software and as an innovation engine demands that companies understand that the health of the FOSS they consume is a business risk just as any other supply chain risk. If there are only a handful of contributors to a critical component or if the supplier is effectively one anonymous GitHub user account, the cybersecurity and software hygiene decisions of those individuals could introduce unexpected business risks.”
– Tim Mackey, Head of Software Supply Chain Risk Strategy, Black Duck

FOSSA
“This third multi-party open source census from the Linux Foundation and Harvard is an important examination of the FOSS ecosystem, and I’m proud FOSSA was asked to contribute again. The report clearly reaffirms the ubiquity and continued growing influence of open source on the economy, but more than that, it plays a material part in the trend towards greater transparency. Government regulations, industry initiatives, and research like this are all instrumental in improving the software supply chain through open communication, which ultimately builds trust. On behalf of the thousands of organizations who use FOSSA and share our love of open source, thank you!”
– Kevin Wang, CEO, FOSSA

Snyk
“Free and Open Source Software forms the backbone of modern technology, yet its decentralized nature presents challenges in understanding its true impact and vulnerabilities. Efforts like the Free and Open Software Census are pivotal, combining community-driven data with analytical rigor to help the industry identify critical dependencies and prioritize investments. By sharing data and fostering collaboration among developers, organizations, policymakers and academia, we can secure and sustain the health of this invaluable ecosystem for the digital economy’s future.”
– Danny Allan, Chief Technology Officer, Snyk

Sonatype
“Sonatype is proud to contribute to the Census III effort as part of our commitment to strengthening the open source ecosystem. By providing critical data and insights into FOSS usage, we aim to empower organizations to make informed decisions about securing their software supply chains.”
– Brian Fox, Co-Founder and CTO, Sonatype

Background on Census Projects I & II
The original Census Project (“Census I”), conducted in 2015, centered on identifying critical software packages within the Debian Linux distribution that are essential to server operations and security. This initial effort provided a foundational understanding of the most vital components of the FOSS ecosystem, helping stakeholders prioritize their security and maintenance efforts.

Census II expanded the scope to include a broader analysis of language-level FOSS packages commonly used in applications developed by both private and public organizations. By broadening the lens beyond Debian, this phase captured a more comprehensive view of how FOSS is integrated into diverse applications and infrastructure, providing deeper insights into the dependencies that organizations rely on for their day-to-day operations.

Building on these efforts, Census III takes the initiative even further by leveraging anonymized usage data from leading Software Composition Analysis (SCA) partners. This collaboration allows for a more robust and data-driven understanding of FOSS adoption and security trends. With this enhanced dataset, Census III offers actionable insights to help stakeholders better prioritize resources and address critical security challenges within the FOSS ecosystem. This progression underscores the growing need for collaboration and coordination across the industry to sustain and secure the vital infrastructure that FOSS represents.

Additional Resources 

Download the report 
Join the webinar on December 5, 2024 at 8 AM PST to learn more directly from the authors of this report.

About The Linux Foundation
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

Media Contact
Jennifer Bly
The Linux Foundation
jbly@linuxfoundation.org

SOURCE The Linux Foundation