Companies of all sizes use open-source software as a key component of their software supply chain. However, there are new security concerns regarding the open-source supply chain. VMware recommends that companies adopt better packaging security.
The State of the Software Supply Chain Open Source Edition 2022 reveals that OSS clearly meets stakeholder expectations for cost efficiency (76%), greater flexibility (60%) and developer productivity (52%).
Even so, the share of companies willing to use open-source software in production environments has dropped from 95% to 90%. Security is one of the most important concerns regarding OSS, particularly the ability to detect and fix vulnerabilities.
- 61% of respondents cite reliance on the community to fix vulnerabilities and bugs as a concern, up from 56% last year.
- This is followed by an increase in security risks (53% vs. 47% last year) and a lack of SLAs for receiving patches from the community (50% compared to 42%).
OSS packaging is crucial to protect the supply chain. It involves adapting OSS so that it can be used internally. It has also become a major source of complexity and concern. This report shows that companies have too many tools and too many manual tasks involved in packaging OSS, which is preventing them from securing their supply chains efficiently.
Respondents were asked about software packaging capabilities to improve security.
- 60% of respondents would like to have immediate access to trusted security updates for operating system components, runtimes, dependencies and applications.
- 55% of respondents want central visibility to all scans in order to make security audits easier.
- 51% also want to automate CVE and virus scanning for every container.
Companies should simplify their packaging processes to improve efficiency and assign packaging responsibility to a single team.