Each year, Red Hat surveys IT decision-makers about the state of enterprise open source. And despite its thousands of interactions with IT professionals throughout the year, the company still encounters one or two results in the survey that it didn’t expect.
In a recent post on the Red Hat blog, the company shared a number of surprising findings from this year’s report, The State of Enterprise Open Source 2022, which drew on surveys of nearly 1,300 IT decision-makers at medium to large enterprises worldwide. And, according to Red Hat, one surprising finding involved how secure enterprise IT professionals think enterprise open source software can be.
While the company has watched security rise in importance as an enterprise open source benefit over several years, this year 89 percent of IT leaders said enterprise open source is at least as secure as proprietary software.
According to Red Hat:
This is a big change from not all that long ago. It used to be that quite a few potential buyers figured that being able to see the source code inherently decreased code security in the same manner as being able to see the schematics of a physical security system.
The improved perceptions of enterprise open source security are something that we’ve been tracking in surveys, focus groups, and in customer conversations for a number of years though. So the continued high opinion of enterprise open source security this year didn’t come as a surprise.
What was less obvious were the reasons why our respondents thought enterprise open source is such a benefit with respect to security.
The obvious historical answer to this question would have been that there are many eyes on the code. The problem with this answer has always been that there sometimes aren’t many eyes and what eyes there are may not be skilled ones backed by rigorous processes. In a way, this is the counterpoint to the “but the bad guys can see the source code” argument against open source being adequately secure.
It’s a naive dichotomy that once defined the mostly surface-level open source security debate. We perhaps assumed it was still in force more than it apparently is—at least among the IT leaders at mostly larger firms who we surveyed.
But “many eyes” is now further down the list of reasons why security is a benefit of enterprise open source. Respondents also indicated the ability to audit the code themselves was even less important.
Instead, 55 percent said the top reason is that their teams “…can use well-tested open source code for our in-house applications.” Furthermore, in spite of the attention that software supply chain security is starting to receive, IT leaders still say that the ability to use enterprise open source internally—as most companies doing application development do—is still a big net benefit.
Other leading reasons are similar to what you’d probably see with any enterprise software: promptly delivered, well-documented, and scannable security patches, for example.
Our takeaway from these surprising (but maybe they shouldn’t be) results? Enterprise open source is increasingly seen as having many of the same positive attributes as proprietary software while also delivering on the benefits that come from the flexibility of open source licensing and the open source development model.