Open Source Driving DevOps Automation
Heightened awareness of the security risks associated with open source software has increased the use of disciplined DevOps practices, which have in turn improved application quality and developer productivity, a software supply chain survey finds.
To keep pace with the proliferation of open source components, the survey released this week notes that agile DevOps teams are increasingly relying on machine automation tools to monitor the quality of open source software flowing from development to production applications.
Vendors like Sonatype, Fulton, Md., have capitalized on the growing use of popular but buggy open source software by offering management tools that monitor enterprise supply chains while boosting developer productivity. "Companies are no longer building software applications from scratch; they are manufacturing them as fast as they can using an infinite supply of open source component parts," Sonatype CEO Wayne Jackson noted in releasing the company's annual survey.
Proactive governance of DevOps practices has reduced the introduction of defective open source components by 63 percent, the company asserts.
Despite daily reports of security breaches, the supply chain survey found that the number of downloaded components with vulnerabilities actually decreased slightly over the past year. Components with known vulnerabilities declined to 5.5 percent (1 in 18) from 6.1 percent the year before.
Sonatype attributes the slow but steady decline in known vulnerabilities to supply chain "hygiene" that has improved overall quality over the last three years.
When bugs do get through, the survey found that software teams are often slow to remediate: Only 15.8 percent of open source projects fix vulnerabilities, with the mean time to remediation extending to more than seven months.
That reality often places the onus on overworked DevOps teams to actively monitor open source projects as developers rely more heavily on these components. For these and other reasons, tool vendors such as Sonatype claim they are seeing growing demand for their solutions.
As the deployment of applications based on open source software skyrockets, the survey also stresses that government and industry standards groups are releasing new guidelines intended to improve the security of software supply chains. As more applications are developed using open source code distributed via Docker containers, industry analysts predict vendors of so-called "DevOps-native" automation will see growing demand for their tools.