Open Source Driving DevOps Automation
Heightened awareness about the security risks associated with open source software has increased use of disciplined DevOps practices that have improved application quality and developer productivity, a software supply chain survey finds.
With open source software making major inroads in enterprise application development, a survey by DevOps tool vendor Sonatype found that downloads of building block components such as Java and JavaScript continue to boom. The company argues that organizations that manage open source software components on the front end are improving developer productivity while cutting development costs.
Along with Java, JavaScript, Python and other popular open source components, the Sonatype survey also confirms the growing adoption of Docker application containers. The supply chain survey forecasts that demand for Docker components will soar to 12 billion downloads, a 100 percent increase.
To keep pace with the proliferation of open source components, the survey released this week notes that agile DevOps teams are increasingly relying on machine automation tools to monitor the quality of open source software flowing from development to production applications.
Vendors like Sonatype, of Fulton, Md., have capitalized on the growing popularity of open source software, bugs included, by offering management tools to monitor enterprise supply chains while boosting developer productivity. "Companies are no longer building software applications from scratch, they are manufacturing them as fast as they can using an infinite supply of open source component parts," Sonatype CEO Wayne Jackson noted in releasing the company's annual survey.
Proactive governance of DevOps practices has reduced the introduction of defective open source components by 63 percent, the company asserts.
Despite daily reports of security breaches, the supply chain survey found that the number of downloaded components with vulnerabilities actually decreased slightly over the past year. Components with known vulnerabilities declined to 5.5 percent (1 in 18) from 6.1 percent the year before.
Sonatype attributes the slow but steady decline in known vulnerabilities to supply chain "hygiene" that has improved overall quality over the last three years.
When bugs do get through, the survey found that software teams are often slow to remediate: Only 15.8 percent of open source projects fix vulnerabilities, with the mean time to remediation extending to more than seven months.
That reality often places the onus on overworked DevOps teams to actively monitor open source projects as developers rely more heavily on these components. For these and other reasons, tool vendors such as Sonatype claim they are seeing growing demand for their solutions.
As the deployment of applications based on open source software skyrockets, the survey also stresses that government and industry standards groups are releasing new guidelines intended to improve the security of software supply chains. As more applications are developed using open source code distributed via Docker containers, industry analysts predict vendors of so-called "DevOps-native" automation will see growing demand for their tools.
George Leopold has written about science and technology for more than 30 years, focusing on electronics and aerospace technology. He previously served as executive editor of Electronic Engineering Times. Leopold is the author of "Calculated Risk: The Supersonic Life and Times of Gus Grissom" (Purdue University Press, 2016).