
A survey of 712 IT professionals suggests that as organizations rely more on open source software, they are struggling with security updates and patches (39 percent), installations, upgrades, and configurations (30 percent), and technical support (29 percent). Nearly half (47 percent) are spending over three quarters of their time maintaining the open source software they have deployed.
The remaining respondents (49 percent) said their use of the software stayed the same over the same period.
Not surprisingly, the primary reason cited for adopting this software was reduced costs resulting from no licensing fees (62 percent). This is followed by avoiding vendor lock-in (55 percent).
The hidden security and support burden
However, reliance on open source software clearly creates additional support costs that managed service providers (MSPs) can help organizations mitigate. Most applications today contain multiple open source components, which creates a dependency on the maintainers of those projects. The challenge is that not all maintainers have the skills or resources required to develop timely patches. This leaves components exposed to attacks on open source software, which are becoming far more common.
In response, the Linux Foundation recently announced that a coalition of companies has committed $12.5 million to strengthen open source software security through its Alpha-Omega Project and the Open Source Security Foundation (OpenSSF).
Patch management gaps create opportunity for MSPs
In the grand scheme of things, $12.5 million is a drop in the proverbial bucket given the scope of effort required to properly secure open source software. Arguably, the biggest issue is that even when more secure versions of components are available, many IT teams have not updated the applications they are running.
One reason is concern that updates could break existing applications. However, it is also likely that many teams are simply unaware of their dependency on an open source component that needs updates to prevent a potential cyberattack.
Naturally, maintaining the software creates a significant patch management opportunity for MSPs. This should include discovering open source components and testing updates to ensure they do not disrupt application environments. In theory, application developers should provide these capabilities. The reality, however, is that many organizations continue to run older versions of software lacking updates to address critical vulnerabilities.
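The discovery step described above, as an added example that is not part of the original post: a small Python script that inventories the open source components recorded in a package-lock.json and flags any whose installed version is below the version an advisory says carries the fix. Both the lockfile and the advisory table are constructed inline for illustration (the package names are real npm packages, but the versions and fixed versions are hypothetical placeholders, not real advisory records); in practice the advisory data would come from a vulnerability feed.

```python
"""Inventory open source components from an npm lockfile and flag the ones
that sit below a known-fixed version. Example code, not from the original
post; all sample data below is constructed."""
import json
from typing import Dict, List, Tuple

# Constructed sample lockfile (lockfileVersion 3 layout, "packages" map).
# Versions are hypothetical placeholders chosen for the example.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.15"},
        "node_modules/express": {"version": "4.18.2"},
        "node_modules/express/node_modules/minimist": {"version": "1.2.5"},
        "node_modules/@types/node": {"version": "18.0.0"},
    },
})

# Constructed advisory table: package -> lowest version containing the fix.
# Hypothetical values for illustration only, not real advisory data.
ADVISORIES: Dict[str, str] = {
    "lodash": "4.17.21",
    "minimist": "1.2.6",
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '4.17.15' (or '1.2.3-beta+build') into a comparable 3-tuple.
    Pre-release and build suffixes are dropped; missing parts become 0."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    parts: List[int] = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def inventory(lock_json: str) -> Dict[str, str]:
    """Return {package name: installed version} from a lockfile's packages map.
    Handles nested node_modules paths and scoped (@org/name) packages."""
    data = json.loads(lock_json)
    components: Dict[str, str] = {}
    for path, meta in data.get("packages", {}).items():
        if not path:
            continue  # the empty key is the root project itself, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]
        components[name] = meta.get("version", "")
    return components


def outdated(components: Dict[str, str],
             advisories: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (name, installed, fixed) for every component below its fixed version."""
    findings = []
    for name, installed in sorted(components.items()):
        fixed = advisories.get(name)
        if fixed and parse_version(installed) < parse_version(fixed):
            findings.append((name, installed, fixed))
    return findings


if __name__ == "__main__":
    comps = inventory(SAMPLE_LOCKFILE)
    print(f"{len(comps)} open source components found")
    for name, installed, fixed in outdated(comps, ADVISORIES):
        print(f"UPDATE NEEDED: {name} {installed} -> {fixed}")
```

Running the inventory on every lockfile before touching anything is what turns "we think we patched that" into a list that can be tested against the application environment; the same two functions work unchanged on a real lockfile and a real advisory feed once the constructed data is swapped out.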
Automation helps, but validation still matters
As AI simplifies vulnerability discovery and remediation, patch management will become more automated. MSPs will still be needed to validate that changes work as expected.
This post originally appeared on Smarter MSP.

