Open source software is ubiquitous. Nearly every company is running some. Many organizations are not even aware of it – or at least weren’t until the Heartbleed vulnerability. Then they discovered what many firms already know: there is open source running in your company, and it’s an integral part of your operations.

Earlier this year I participated in the 2014 Open Source Development and Application Security Survey, as I have done for the last couple of years. As a developer and former development manager – and let’s face it, an overtly opinionated one – I am always interested in adding my viewpoint to these inquiries, even if I am just one developer voice among thousands. But I have also benefited from these surveys – looking at the stuff my peers are using, and even selecting open source distributions based on this shared data.

So when Sonatype, the organization that conducts this survey, asked me to perform an independent analysis of the data, I jumped at the chance. I wanted to give back to the community, and perhaps share a unique perspective on what the survey results mean and how open source development is dealing with security-related issues. This research paper is the result of that work.

I was given the raw data prior to the official release of the report, and a few questions immediately jumped out:

  • Are developers worried about security?
  • Do they have security policies?
  • How did Heartbleed affect the survey results?
  • Is open source more trustworthy than commercial software?
  • How and when are components banned?

I discuss these topics and more in the paper.

Survey ToC

You can find the official survey results at

And our research paper is available for download, free as always: 2014 Open Source Development and Application Security Survey Analysis

Thank you to Sonatype – both for giving us access to the data and for licensing this research to accompany their results!