SOURCE: Sonatype


April 23, 2012 08:50 ET

Sonatype Survey Finds Enterprises Standardize on Open-Source and Component Use but Governance Issues Persist

Annual Survey Shows Usage and Increased Reliance on Open-Source Dramatically Increasing, but Policies and Infrastructure Still Lacking

SILVER SPRING, MD--(Marketwire - Apr 23, 2012) - Sonatype, the company transforming software development, today announced the findings of its annual Open Source Software Development Survey that looks to identify how organizations adopt, use and support open-source software (OSS) according to more than 2,500 developers, architects and IT managers across all industries, company sizes and geographic regions. The survey findings show that organizations of all sizes continue to adopt open-source at an accelerated pace, but lack of internal controls and flawed processes continue to be a challenge -- putting organizations at unnecessary risk.

Open-source is a strategic asset and has earned equal footing with proprietary software in the enterprise. Nearly 80 percent of those surveyed use open-source tools, half standardize on an open-source development infrastructure stack, and two-thirds contribute to open-source projects. Key to modern development practices is the use of open-source components to build mission-critical applications. While reliance on open-source components increases year-over-year, limitations on the visibility, control and management of their use throughout the enterprise continue to plague organizations.

"As open-source and better collaborative tools have increased reuse of software libraries and components it can be difficult to know what exactly is in your product," said Stephen O'Grady, Principal Analyst with RedMonk. "Sonatype's recent survey highlights the potential dangers of ignorance, and the need for better component intelligence."

Key Finding #1: Reliance on Open-Source Components Increases
The Central Repository ("Central") continues to be the software development industry's most widely used resource for the exchange of open-source components.

  • The average enterprise participating in the survey downloads more than 1,000 components each month from Central, with the volume from large banks and independent software vendors (ISVs) even greater.
  • Nearly 80 percent of survey respondents view Central as critical or important to their development efforts.
  • Similar to last year's findings, no best practices have emerged for component selection. 70 percent use web searches to find components.
  • Only 35 percent report that they must adhere to corporate standards when identifying components.

Key Finding #2: Management of Component Usage Increases
Open-source components are widely used as the building blocks for modern-day applications, but organizations currently have limited control over how they are selected or utilized. When compared to the 2011 survey results, which had a smaller survey pool of 1,600, we see corporate policies and governance practices on the rise, with regulated industries more likely to have policies strictly enforced.

  • Only 49 percent of those surveyed said they have an open-source policy in place.
  • In the 2012 results, 20 percent (more than 500 respondents) indicated they were locked down and could use only approved components, compared with 13 percent (208 respondents) in the 2011 survey -- indicating an increase in component management as part of open-source governance policies.
  • When asked how components are controlled in development, 63 percent reported that corporate standards are not enforced or that no standard is in place, leaving development teams free to select the components best suited to their projects. In comparison, the 2011 survey showed an overwhelming majority (87 percent) were not subject to corporate standards.
  • 75 percent of large organizations (employing more than 500 developers) use a repository manager to better manage and control component usage.

Key Finding #3: Shortcomings in Policy Enforcement
While the percentage of organizations implementing open-source policies grew this year, a disconnect remains between development processes, component usage and policy enforcement. The lack of policy enforcement may be due, in part, to confusion over who owns or is responsible for monitoring and managing open-source usage.

  • 28 percent of respondents said responsibility lay with the application development management department; the remaining 72 percent were split among IT operations, development teams, legal, risk and compliance, security, and the OSS/FOSS committee.
  • When asked how component licensing was enforced or restricted, 49 percent said they have no effective licensing policy in place, and 25 percent indicated component usage is restricted based on specific licenses but dependencies are not examined.
  • Of those with corporate policies in place, 51 percent indicated that they do not support the policies, citing slowed development time, problems found too late in the process, unclear expectations or lack of enforcement.

The survey findings suggest an overwhelming desire by developers for a notification infrastructure -- a simple, non-intrusive way to determine if a component that is in use has changed in an important way, such as new version release or the discovery of a security flaw or defect.

  • 74 percent of developers rely on web searches and 66 percent said they review project sites to obtain update information. Respondents shared that, because each component carries a high volume of dependencies (often tens or hundreds), it is simply impossible to monitor and maintain accurate component intelligence by hand.
  • The most alarming finding from the survey was a lack of visibility into the contents of applications in production. Only 32 percent of organizations maintain detailed records of the components, including their dependencies, used in production applications, and most agreed that it is difficult to know when components and/or their dependencies are updated.
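The two gaps the findings above describe (license checks that stop at direct dependencies, and no record of the transitive components actually shipped) come down to one missing artifact: a resolved inventory of the full dependency closure that can be compared against advisory, update and license data. The following is an added illustration written for this page, not code from Sonatype, Nexus or Maven. Every coordinate, license, advisory identifier and "latest version" entry is constructed sample data (the advisory id is a placeholder), and the catalog stands in for the metadata a repository manager would supply.

```python
"""
Added illustration: resolve a component's transitive closure, then run
advisory, update and license checks over the whole closure rather than
over direct dependencies only. All data below is constructed.
"""
from collections import deque

# Constructed catalog: coordinate -> (license, direct dependencies).
# Coordinates use the Maven-style form group:artifact:version.
CATALOG = {
    "com.example:webapp:1.0": (
        "Proprietary",
        ["org.example:http-client:2.3", "org.example:json:1.1"],
    ),
    "org.example:http-client:2.3": (
        "Apache-2.0",
        ["org.example:codec:1.0", "org.example:logging:0.9"],
    ),
    "org.example:json:1.1": ("MIT", []),
    "org.example:codec:1.0": ("Apache-2.0", []),
    "org.example:logging:0.9": ("GPL-3.0", []),
}

# Constructed advisory feed: coordinate -> advisory id (placeholder id).
ADVISORIES = {"org.example:codec:1.0": "EXAMPLE-ADV-0001"}

# Constructed release feed: group:artifact -> newest published version.
LATEST = {"org.example:logging": "1.2"}

# Constructed policy: licenses the organization does not permit in products.
DENIED_LICENSES = {"GPL-3.0"}


def split_coordinate(coord):
    """'group:artifact:version' -> ('group:artifact', 'version')."""
    name, version = coord.rsplit(":", 1)
    return name, version


def resolve(root, catalog=CATALOG):
    """Breadth-first walk over the catalog; returns every transitive
    dependency of root (root itself excluded) in discovery order.
    Components missing from the catalog are kept but not expanded."""
    closure, visited = [], set()
    queue = deque(catalog[root][1])
    while queue:
        coord = queue.popleft()
        if coord in visited:
            continue
        visited.add(coord)
        closure.append(coord)
        queue.extend(catalog.get(coord, (None, []))[1])
    return closure


def license_violations(coords, catalog=CATALOG, denied=DENIED_LICENSES):
    """Coordinates whose license is on the denied list."""
    return [c for c in coords if catalog.get(c, (None, []))[0] in denied]


def advisory_hits(coords, advisories=ADVISORIES):
    """(coordinate, advisory id) for every component with a known advisory."""
    return [(c, advisories[c]) for c in coords if c in advisories]


def outdated(coords, latest=LATEST):
    """(coordinate, newest version) for components behind the release feed."""
    hits = []
    for c in coords:
        name, version = split_coordinate(c)
        if name in latest and latest[name] != version:
            hits.append((c, latest[name]))
    return hits


def report(root, catalog=CATALOG):
    """Compare a direct-only license check with checks over the full closure."""
    direct = catalog[root][1]
    closure = resolve(root, catalog)
    return {
        "closure": closure,
        # What a policy that "does not examine dependencies" would see:
        "license_direct_only": license_violations(direct, catalog),
        # What the same policy sees once transitive components are included:
        "license_full": license_violations(closure, catalog),
        "advisories": advisory_hits(closure),
        "outdated": outdated(closure),
    }


if __name__ == "__main__":
    for key, value in report("com.example:webapp:1.0").items():
        print(f"{key}: {value}")
```

In the sample data the direct-only license check passes while the full-closure check flags a transitive GPL-3.0 component, the advisory check surfaces a component two levels down, and the release feed shows the logging library is behind. The design choice is that every check consumes the same resolved closure, which is what a notification pipeline needs as its input: the catalog and feeds can be swapped for real repository-manager and advisory data without changing the checks.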

"The survey results confirm what we see and hear from our customers on a daily basis -- open-source has become the backbone of custom application development. Yet it brings with it a complex component ecosystem with no notification infrastructure in place. This leaves organizations exposed to security, quality and IP risks," said Charles Gold, CMO of Sonatype. "The compounding reality is that when issues do arise, the effects are viral while the fixes are not. Sonatype is focused on addressing these critical challenges by delivering a means for bridging critical awareness gaps and a platform for delivering knowledge directly into the tools that developers and development managers use every day."

For a complete view of the survey results and detailed information about the survey pool, organizations represented and methodology used, visit

About Sonatype Inc.
Sonatype is transforming software development by ensuring the integrity of the modern software supply chain. Sonatype's tools and information services improve visibility and control over component-based software development, enabling better collaboration between development teams for improved overall quality, while reducing the risks associated with security and licensing. Sonatype operates the Central Repository, the industry's primary source for open-source components, and is a leader in such open-source projects as Nexus, Apache Maven, m2eclipse and Hudson. The company was founded by Jason van Zyl, the creator of Apache Maven, and is privately held with investments from Accel Partners, Bay Partners, Hummer Winblad Venture Partners and Morgenthaler Ventures. Visit: or follow Sonatype on Twitter @SonatypeCM.

Apache, Apache Maven and Maven are trademarks of the Apache Software Foundation.

Contact Information

  • Media Contacts:
    April Harned
    PR for Sonatype