Resources Blog Talking Turkey in Texas: Open Source Governance Lags

Talking Turkey in Texas: Open Source Governance Lags


Deep in the heart of Texas, I was leading a panel discussion at the Lone Star Application Security Conference (LASCON) a few weeks ago. The panel was “talking turkey” the importance of application security and open source software development, when the conversation led to a discussion about software supply chains.

One of the panelists remarked that consuming open source components to assemble an application was similar to sourcing individual physical parts to assemble a finished product -- be it a car, a medical device, or a toy. The discussion then led to remarks about manufacturers being able to identify recall at-risk parts in their products -- similar in nature to the Takata air bag recall for millions of vehicles that has recently been in the news.

Then it struck me as to how immature our software supply chains are today when assembling, monitoring, and tracking open source components when compared to other industries. I shared with the attendees (since we happened to be in cattle country), that it was somewhat surprising that beef distributors have more advanced supply chain management capabilities than our software industry, when it comes to managing at-risk open source.




Think about it. If a beef distributor finds E. coli has contaminated their beef supply, they can track the tainted beef through each distribution point, down to the store in my neighborhood, and down to the bar code of the package on their shelves. They can then remove the tainted packages and replace them with safe alternatives from the same or another supplier.

By comparison, the vast majority of companies we surveyed earlier this year did not have formal open source governance practices in place:

  • 57% had open source governance policies in place (but only 68%) followed them

  • 63% did not track changes in vulnerability data for the components they used

  • 60% did not keep a complete inventory of the open source components, including all dependencies, used in their applications

This means, if a new vulnerability were announced, only 40% of firms might have a chance to track down that component and replace (i.e., recall) it successfully. Today, we cannot image not having the ability to track down contaminated beef, tainted medicines, or faulty cars.

Screen Shot 2014-11-19 at 4.52.10 PM.png

Earlier this month, Gartner VP, Earl Perkins, published a new report discussing predictions for 2015. In the report he remarked that supply chain security failures will force 50% of businesses to negotiate contracts with suppliers to share risk and liabilities. (The Gartner report is only available here, for those with a subscription to their research.)

While Gartner believes this will happen by 2020, I would not be surprised to see this contract requirement much sooner than that. I don’t think we will be able to get through five more years of Heartbleed, Bash, Poodle, and Struts before open source vulnerabilities and liabilities are pulled to the front line. This is especially true for companies that include known vulnerable components in their software today. When known vulnerabilities are published and available to these businesses, any breach that stemmed from that vulnerability should have some level of liability associated with it.

It is time to improve the fundamentals around software supply chain management. If we can’t put faulty airbags in cars, or we need to remove tainted beef from store shelves to protect consumers, I can’t see why we wouldn’t have to monitor, track, and trace vulnerabilities in our software products.

Can you?

A special note to Wishing all of my readers and followers in the United States: please have a very Happy Thanksgiving. Enjoy every bit of the holiday with your friends and family!


Image credits:,

Picture of Derek Weeks

Written by Derek Weeks

Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.