In its 2020 State of the Octoverse report, Microsoft revealed that there were 60 million new repositories created on GitHub, more than 56 million developers on the open source development platform and 1.9 billion contributions. That availability is translating into an explosion in the use of open source content in commercial software development, with 55% of the scanned codebase files in an average audit by Revenera’s team in 2020 being attributed to open source components. It’s a resounding vote of confidence for open source’s place in product development.
That said, its more pervasive and mission-critical use underscores the urgency of making open source governance a priority in 2021. Revenera’s audit team uncovered 1,959 issues (risks presented by either security or license compliance) on average per audit in 2020, compared with 662 in 2019 — an increase of 196%. As a result, the demand for enterprise visibility has been heightened, with lots of stakeholders necessitating faster and more in-depth scanning to mitigate risk.
That’s a tall order – but having a handle on what may be in store can certainly make it all more manageable. To that end, in a recent webinar with DevOps.com, Alex Rybak, Director of Product Management at Revenera, and Russ Eling, founder and CEO of OSS Engineering Consultants, shared ten predictions for open source governance in 2021.
- The “shift left” movement continues to push scanning capabilities further down to request and design phases of development so that engineers catch and fix issues in open source code as early as possible. Software Composition Analysis (SCA) processes will begin to mimic automated test cycles.
- Continued concerns over data privacy, security and product safety, coupled with OpenChain receiving ISO certification (ISO 5230) to put more clarity around open source licensing, will push software vendors to provide a full asset portfolio view and chain of custody for identifying components that may present vulnerabilities. These assurances will increasingly become part of software contracts between vendors, customers, and partners.
- Companies will continue to step in to fill a gap around training for open source licensing and security coding because the curriculum is still lacking at even the world’s best universities for computer science. Training will begin to resemble standard HR training courses – being broad in scope and similar in design and delivery – so that engineering does not bear sole responsibility for open source governance.
- Being able to discover and disclose packages won’t be enough, and the need to get down to code fragments and partial sets of files from a repository will fuel a greater demand for depth and automation to deliver a Bill of Materials (BOM).
- As interest in the BOM grows beyond legal and security teams, companies will seek to unify security, compliance and engineering scanning into a single BOM across the system, one that can be filtered from the top down or the bottom up to surface components under active litigation, components that are no longer actively maintained, and more.
- Smaller repositories will continue to launch, but consolidation will also continue, with GitHub largely ruling them all, since all popular package repositories point back to GitHub for storage of the source code behind the packages they deliver.
- As M&A accelerates, so will the pace at which overviews and targeted analysis are expected, evidenced by the fact that underwriters are now putting clauses in contracts about open source management practices and the BOM.
- As value stream management gains a stronger foothold to enable speed and a focus on tasks that lead to customer value, there will be a need to balance the tradeoff between enabling faster releases and the depth and completeness of what is delivered.
- There will be a shift to real-time SCA lookups and advanced filtering capabilities that collect and focus on the most relevant content, because the volume of content continues to explode and collecting all of it is neither feasible nor necessarily prudent.
- With the value of SCA cemented, 2021 will see a shift toward deployment, with companies looking to both the cloud and virtualized deployments for ease and better computing resource management.
Getting a handle on these trends will help organizations develop robust governance processes in 2021 so that developers can continue to reap the many benefits of open source software securely. Rybak and Eling offer many more tips for putting these trends into action at your business in their one-hour webinar. Listen to the full webinar here.