IDC study finds most companies cannot secure open source software fast enough

Open source software runs just about everything these days, from cloud platforms to enterprise applications. But according to a new IDC study sponsored by Canonical and Google Cloud, plenty of organizations still have not figured out how to keep all of those moving parts secure. The survey of 500 IT decision-makers paints a picture of companies that know software supply chain security matters but continue to struggle with the basics.  

The reliance on open source is not slowing down. Seven in 10 organizations surveyed say it is extremely important for running mission-critical workloads. Lower costs remain the biggest reason companies embrace open source, but respondents also point to faster development, greater flexibility, stronger security, and quicker access to new technology.  

The problem is that using open source is a lot easier than managing it. The study found that 70 percent of organizations require critical vulnerabilities to be patched within 24 hours. Despite that aggressive goal, only about 40 percent are confident they can actually meet it. Meanwhile, seven in 10 teams responsible for patching spend more than six hours every week installing security updates, suggesting many organizations are still relying on labor-intensive processes instead of automation.  

It is not hard to see why teams are falling behind. Skills shortages topped the list of obstacles preventing organizations from improving security. Compliance requirements, aging infrastructure, tight budgets, and the challenge of managing multiple security tools were also among the biggest complaints.  

Another recurring theme throughout the report is visibility. Respondents ranked vulnerability and patch management as their biggest software supply chain challenge, followed by poor visibility into software dependencies. Simply keeping track of which versions are running where remains a major headache for many IT departments.  

One finding that Linux users may appreciate is where organizations place their trust. Although companies often pull software from GitHub, npm, pip, Docker registries, and other upstream sources, respondents said they would rather install software from operating system package repositories whenever the same version is available. That suggests businesses increasingly value software that has already been packaged and vetted by their operating system vendor.  

The report also shows that most companies are not eager to jump onto every new release. Only 15 percent upgrade production operating systems as soon as new versions become available. Most prefer to stick with existing deployments until they need new features or security support runs out, prioritizing stability over staying on the latest release.  

Artificial intelligence is creating another challenge. Sixty percent of respondents admit they have only basic security controls, or none at all, protecting their AI and machine learning environments. Nearly half also say they are highly concerned about securing their AI infrastructure as adoption continues to grow.  

The report naturally points readers toward Canonical’s products, which is not surprising given the sponsorship. Even so, the survey highlights problems that extend well beyond one Linux vendor. Open source has become the foundation of enterprise computing, but many organizations are still trying to catch up when it comes to securing the software they depend on every day.  

Support independent tech journalism

NERDS.xyz is independently owned and operated. If you enjoy my coverage of Linux, AI, hardware, cybersecurity, and tech culture, consider supporting the site on Ko-fi.

Support NERDS.xyz
Avatar of Brian Fagioli
Written by

Brian Fagioli

Technology journalist and founder of NERDS.xyz

Brian Fagioli is a technology journalist and founder of NERDS.xyz. A former BetaNews writer, he has spent over a decade covering Linux, hardware, software, cybersecurity, and AI with a no nonsense approach for real nerds.

Leave a Comment