In-Depth

Open Source Application Development Breaks on Through

A majority of companies are standardizing on open source for their application development efforts, though they might not be effectively monitoring their use of open source.

• By Stephen Swoyer
• 05/07/2012

As of this year, a majority of companies are standardizing on open source software (OSS) for software development, according to Sonatype Inc., developer of Nexus, a repository manager for the Apache Maven build automation tool. In April, the firm published the results of its 2012 Open Source Software Development Survey.

In last year's survey, just under half (49 percent) of shops had standardized or were in the process of standardizing on OSS for application development. This year, more than half (52 percent) have done so, while an overwhelming majority (two-thirds) say they likewise contribute to OSS projects -- even if their corporate policies prohibit doing so.

The Sonatype survey collected responses from more than 2,500 developers, architects, and IT managers. It suggests that OSS software development tools are widely used in most enterprise IT organizations, even if they aren't recognized or sanctioned standards.

In its 2011 survey, for example, more than one-sixth of respondents (17 percent) agreed that although "a few" developers might be using OSS, it wasn't "widely adopted" across their organizations. In this year's survey, that number was reduced by more than one-third: just 11 percent of respondents say that OSS isn't "widely adopted" inside their organizations.

Sonatype markets Nexus, a repository manager for Maven. Not surprisingly, then, several of the questions on its survey concern issues near and dear to its heart -- such as component management and policy enforcement. For example, almost three-quarters (70 percent) of respondents say that they commonly use the Web to find open source Java components; slightly more than one-third (35 percent) use a repository search tool.

Obviously, Sonatype -- probably many IT organizations, for that matter -- would prefer that developers go about things differently. "The survey results confirm what we see and hear from our customers on a daily basis -- open source has become the backbone of custom application development. Yet it brings with it a complex component ecosystem with no notification infrastructure in place. This leaves organizations exposed to security, quality, and IP risks," said Charles Gold, CMO of Sonatype, in a statement.

For example, note Gold and Sonatype, just 32 percent of shops "maintain detailed records of the components, including their dependencies, used in production applications." The upshot, according to Sonatype, is that most organizations "lack visibility into the contents of applications [that they currently have] in production."