
Chris Grams for Tidelift


Security is open source developers’ most urgent challenge, while complying with government requirements is a rising concern

In December of 2021, Tidelift fielded our annual survey of technologists who use open source to build applications at work. Nearly 700 people shared how they use open source software today, what holds them back, and what tools and strategies help them use it even more effectively.

In this post, we share the first of seven key findings. If you don’t want to wait for the rest of the results, you can download the full survey report right now at the link below.

In the wake of the recent Log4Shell vulnerability, it’s probably no surprise that security has taken center stage for teams developing applications with open source. (Want to learn more about what Log4Shell is and why it matters? Here’s a good place to start.)

Interestingly, because our new survey was in the field as the Log4Shell crisis was unfolding, we have data from both before and after the vulnerability was uncovered. We’ll share the pre- and post-Log4Shell data where it is meaningfully different.

In this year’s survey, we once again asked technologists to name the challenges their teams face when building applications with open source. We’ve been asking similar questions for several years in these surveys, and every year the top three challenges named by respondents relate to maintenance, security, and licensing. In our earlier survey, maintenance had been the #1 challenge, but this year, unsurprisingly, security took over the top slot.


This year, 57% of respondents named “identifying and resolving security vulnerabilities” as a challenge, while just over half of respondents selected the next two challenges: “making good decisions about when to upgrade components and frameworks” and “making good decisions about which open source components and versions to use.”

The challenges drop off after the top three, with 35% of respondents reporting that it is “unclear which open source components are safe / approved at their organization,” while 33% named “resolving licensing issues or complying with their organization’s license policy.”

We also asked for the first time, in the wake of the White House Cybersecurity Executive Order and other ensuing government actions, if complying with government requirements is a challenge, and almost a quarter of respondents (22%) indicated that it is. This percentage rose to an astounding 48% for large organizations with over 10,000 employees.

In a follow-up question, we asked respondents to select the most urgent challenge from those they had identified. For organizations of all sizes, security was the #1 most urgent challenge, and the larger the organization, the more likely it was to be selected, with 35% of respondents from the largest organizations naming it.


For the largest organizations, complying with government requirements was an outlier as well; 13% of respondents named this as the most urgent challenge, almost four times higher than in smaller organizations.


One other top-level finding: the largest organizations are simply facing more challenges developing applications with open source. The chart above shows that every single one of the challenges we named was reported by roughly half or more of respondents. Interestingly, even though it was not the most urgent challenge for large organizations, the most-cited challenge, “making good decisions about which components and versions to use,” is ubiquitous, selected by 87% of respondents from the largest organizations.

We compared our data from the previous survey to see where the challenges were getting more acute in these large organizations. Across the board, the percentages rose. For example, “requesting to use new open source components is a lengthy or confusing process” nearly doubled (from 33% to 63%) since our last survey. And “making good decisions about which components and frameworks to use” stayed in first, but increased in terms of percentage of mentions from 62% to 87%.


We hope you found some useful and actionable information in this blog post. Or if you don’t want to wait, download the full survey results today!

Top comments (1)

Jay Jeckel • Edited

Informative article. As for that executive order, it's a sad day when we developers let a meatspace government hand down standards by fiat. If there needs to be standards, then we'll come up with them, no need for old Joe to stick his nose in the matter. This is almost certainly going to end up like that GDPR nonsense; certain companies pushing the matter because they can make a few bucks off it, but in the end it all amounts to nothing more than unneeded headaches for devs and pointless extra clicks for users.