Intelligent CIO Africa Issue 48 | Page 75

FINAL WORD

noting that it can take up to a month – even when a patch addresses a critical issue – teams are right to prioritise security during the selection phase.
Organisations using open source need to increase investments in SCA
The ability to patch any software starts with knowing that you're running a version of that software. Without a software composition analysis (SCA) tool, which is designed to identify open source usage, knowing where open source components are used and what the current patch status of each component is can be a challenge. The survey respondents indicated that only 38% were using an SCA tool, which, in addition to providing an inventory of open source usage, would help teams quickly identify outstanding patches. How often patches are actually applied will be governed by the release cycle and QA effort of each team. The results also indicate that corporate adoption of SCA tooling is still at a relatively early stage. In its 2020 Market Guide for Software Composition Analysis report, Gartner notes that SCA usage is in the early stages of adoption, but that interest in SCA is growing rapidly, with inquiries to the analyst firm on the topic increasing nearly 40% from 2019 to 2020.
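As an added illustration (not from the article or the survey it cites), the following Python sketches the two things the paragraph says an SCA tool provides: an inventory of open source components with their pinned versions, and a list of outstanding patches obtained by comparing that inventory against an advisory feed. The manifest, component names and advisory ids are all constructed placeholders.

```python
import re
# Constructed manifest (requirements.txt style); the last entry is unpinned on purpose.
MANIFEST = """\
net-client==2.25.0
yaml-parser==5.3.1
template-engine==3.1.2
crypto-utils>=1.0
"""

# Constructed advisory feed: (component, first fixed version, placeholder id).
ADVISORIES = [
    ("yaml-parser", "5.4", "ADV-PLACEHOLDER-1"),
    ("net-client", "2.25.1", "ADV-PLACEHOLDER-2"),
    ("template-engine", "3.1.0", "ADV-PLACEHOLDER-3"),  # fix already applied
    ("crypto-utils", "1.2", "ADV-PLACEHOLDER-4"),
]

def version_lt(a, b):
    """True if version a is older than b; '5.4' compares equal to '5.4.0'."""
    va = [int(p) if p.isdigit() else 0 for p in a.split(".")]
    vb = [int(p) if p.isdigit() else 0 for p in b.split(".")]
    width = max(len(va), len(vb))
    return va + [0] * (width - len(va)) < vb + [0] * (width - len(vb))

def inventory(manifest):
    """Map component name -> pinned version, or None when the pin is a range."""
    inv = {}
    for line in manifest.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = re.split(r"[<>=!~]", line, maxsplit=1)[0].strip().lower()
        inv[name] = line.split("==", 1)[1].strip() if "==" in line else None
    return inv

def outstanding_patches(inv, advisories):
    """Return (component, running, fixed_in, advisory) for each component in use
    that is behind a fix; an unknown running version is reported as a finding too."""
    findings = []
    for component, fixed_in, adv_id in advisories:
        if component not in inv:
            continue  # component not in use; nothing to patch
        running = inv[component]
        if running is None or version_lt(running, fixed_in):
            findings.append((component, running, fixed_in, adv_id))
    return findings

if __name__ == "__main__":
    for c, running, fixed_in, adv in outstanding_patches(inventory(MANIFEST), ADVISORIES):
        print(f"{c}: running {running or 'unknown'}, fix available in {fixed_in} ({adv})")
```

The unpinned entry is reported alongside the genuinely outdated ones because a component whose running version is unknown cannot be assessed at all, which is the inventory gap the paragraph describes.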
Yet 72% of respondent organisations state they have a published policy for open source use. This raises the question of how the other 35% who aren't using SCA are managing open source to comply with their policies. Are they employing manual processes to manage open source? Are they relying on an honour system in which developers are trusted to follow the policies? DevOps principles are based in part on automated validation of the state of
Without policies in place to identify and manage the risks that legacy open source can create , organisations open themselves up to the possibility of issues in the software .