Open Source Software – Current Trends and Developments

The study at a glance

Open Source Software – OSS for short – is now state of the art in the German economy: two-thirds of large companies with more than 2,000 employees have formally or informally designated a responsibility for Open Source. In public administration, 30 per cent of respondents could (in-)formally name a responsibility for OSS.

Participation in the (further) development of Open Source remains at a high level. Every second company with more than 100 employees stated that they participate in the development of Open Source Software. A particularly high increase can be seen in public administration: While 46 per cent of respondents said they were involved in development of OSS in 2021, 60 per cent were already active in further development in 2023.

The demand for security in OSS is increasing

A professional Open Source Management System is essential today to meet the growing demands for secure and resilient technology use in German companies and public authorities. While many organisations have already implemented adequate governance structures for compliance, there is still significant room for improvement in the area of security.

The professionalism of the use of Open Source is continuously increasing, e.g. in terms of transparency, compliance and security. This development is significantly influenced by the publication of standards such as ISO 5230 or ISO 18974 – the new standard for Open Source security – as well as by industry-specific or national requirements such as DORA (Digital Operational Resilience Act) or the Cyber Resilience Act (CRA), which is currently being developed. More than half (56 per cent) of the large companies see themselves strongly affected by the impact of the upcoming Cyber Resilience Act in the future. In the public sector, the figure is as high as 67 per cent. An effective Open Source Management System is therefore not only a recommendation, but a necessity to minimise security risks in today's digital landscape and to establish conformity with the growing regulatory requirements.

Security gaps – for example due to outdated components, missing identification and response mechanisms, unclear provenance or non-transparent dependencies – can lead to exclusion in procurement processes, loss of reputation or massive legal and financial consequences in the B2B environment.

Particularly serious in this context is the fact that only about one third of the companies surveyed use analysis tools to check their Open Source Software for vulnerabilities. 40 per cent of the respondents only carry out manual checks. Another third of respondents rely on information from the respective commercial providers of the OSS components they use for OSS security. Particularly in view of the increasing regulatory requirements for the resilience of IT and the desired promotion of digital sovereignty, especially in the public sector, there is an urgent need for optimisation here. Looking at public administration, only 28 per cent currently have their own tool for analysing vulnerabilities in the Open Source Software they use.

In this context, the soon to be published ISO 18974 on Open Source Security offers valuable assistance and standardises the necessary framework for the implementation of an Open Source Security Management System. It will therefore be interesting to see how the study results on Open Source security develop over the next few years once ISO 18974 is established on the market.

SBOMs increase transparency and security in the software supply chain

The creation of high-quality SBOMs (Software Bill of Materials) is now a technological standard and an essential tool for ensuring transparency and security within the software supply chain. The current study results underline the growing importance of SBOMs in the German market. According to the study, 45 per cent of the large companies surveyed (with more than 2,000 employees) state that they already provide SBOMs for their products. However, the study cannot provide any information on the quality and completeness as well as the degree of standardisation of SBOMs.

Positive trend to be seen in compliance structures

The 2021 study report notes an improvement compared to 2019, but still a significant need to catch up in terms of strategies, processes and compliance when dealing with Open Source. And indeed, a lot has happened since then: while in 2019 only just over 20 per cent of the companies surveyed with more than 100 employees had an Open Source strategy, by 2021 this figure had risen to 32 per cent. However, with 35 per cent in 2023, this positive trend is continuing rather slowly. However, if we look at larger companies with more than 2,000 employees, about one in two now has its own OSS strategy.

The proportion of companies that have a compliance policy for Open Source has risen steadily since 2019. In 2019, only about 17 per cent had such a policy. While in 2021 it was already 27 per cent, in 2023 32 per cent of the respondents had an Open Source policy in place.

OpenChain ISO 5230

The Linux Foundation's OpenChain standard has been available since December 2020 as ISO Standard 5230 and is of central importance for managing compliance when dealing with Open Source solutions. It enables companies to reduce the risks of compliance with OSS licences in the supply chain. More than half of the companies that use Open Source are aware of the standard.

At the same time, many of the respondents state that there is still a need for more in-depth knowledge on this topic. It is mainly larger companies with more than 2,000 employees that are currently working on the implementation of ISO 5230 or have already completed it.

This is not surprising, finds PwC expert Marcel Scholze. After all, the standardisation and certification of specific compliance programmes often starts at the most critical point in the supply chain where risks materialise – the OEM, says the expert. However, since compliance in the supply chain requires a joint effort, it is important that penetration also takes place throughout the supply chain.

The PwC team supports

PwC's Open Source Software Management team provides comprehensive support to companies and public authorities on the subject of Open Source Software: from strategy and the enablement of Open Source Software, the establishment of OSPOs and compliance or security processes, including tooling as well as the certification of OSS management in accordance with ISO 5230 and ISO 18974, all the way through to managed services such as code scanning, SBOM creation, supplier compliance audits and training of employees.