Survey: Open-Source Security Challenges Persist

Emilie Lewis

In Anaconda’s 2023 State of Data Science survey, we sought to better understand how open-source software (OSS) is used and secured, how IT teams manage security, and how confident IT workers feel in their ability to identify and resolve vulnerabilities. Here’s a summary of what we learned about this topic in our survey, which drew 2,414 responses from data practitioners, IT managers, college/university professors, and students across 126 countries. The majority of respondents (53%) were data practitioners, and 21% were IT professionals.

Open-Source Software and Security

The majority of respondents work for a company that uses OSS, and securing the software supply chain remains difficult. However, organizations are steadily increasing their focus on open-source security.

In our 2020 State of Data Science survey, 30% said their organizations used OSS but didn’t have a mechanism in place to ensure security. In 2021, 25% reported their organizations lacked a security mechanism, and in 2022, just under 20% did. In this year’s survey, only 13% of respondents weren’t securing their OSS supply chain.

Security awareness and action on vulnerabilities seem to be improving. In this year’s survey, 54% of respondents were aware of the National Institute of Standards and Technology’s AI Risk Management Framework, released in January. Of those working with a U.S.-based company, 50% report their organizations have added security protocols because of the framework.

IT Admins Lack Confidence in Security Remediation

While open-source software is in use across most organizations, IT and security teams struggle with vulnerability remediation. Just 18% of IT administrators reported they feel confident in their abilities to identify and remediate vulnerabilities associated with OSS.

Many IT workers cite manual checks as the go-to form of security, and of those, 80% report they or their teams spend 25-50% of their time on these checks. A close second among respondents is managed repositories like Anaconda.

At a time when more and more organizations are applying AI and data science to innovate everything from operations to products and services, it’s clear there’s a gap between IT’s ability to remediate risks and data practitioners’ desire to tap into the best open source repositories, packages, and libraries.

Need for Expanded Education About Open-Source Security

Few college and university professors (16%) identify OSS security as a frequent topic of discussion in class, with 34% saying they rarely or never discuss security. The discrepancy between employee security concerns and academic focus may indicate the need for expanded educational opportunities about OSS security.

Of the students who responded to the survey, 32% frequently or often discuss security in their courses, whereas 17% have never discussed security at all. The discrepancy between employee security concerns and academic focus may indicate the need for further study with more actionable insights into OSS security training and upskilling.

With nearly half of IT work focused on manual checks for necessary OSS, adding a managed repository like Anaconda can automate the process of identifying vulnerabilities and combing through packages and libraries, as well as decrease the risk of human error. Some companies have turned to a combination of proprietary software and OSS to help secure their data pipeline, but many have cited executive or IT resistance to OSS as a main blocker for innovation.

Learn more by reading our 2023 State of Data Science report.
