2012 sonatype-survey-findings-pdf-1

Transforming Software Development


Who Did We Talk To?

3% IT Operations

6% Manager, Director, or Executive

5% Build Manager

22% Architect

13% Team Lead/Project Manager

52% Software Developer/Engineer

Role Within the Organization

2012 Sonatype survey of 2,550 developers, architects, and managers


A variety of organizations were represented

17% Financial Services

33% Tech & ISV

12% Consulting

6% Telecommunications

2% Manufactoring

5% Media & Entertainment

7% Goverment & Military

18% Other

Organizations Surveyed



Organizations large and small participated

24%

19%

23%

34%

501+

101-500

26-100

1-25

Number of Developers in the Organization



OS development infrastructure is quickly becoming the standard

We’re standardizing on an open source development infrastructure stack

49% 2011

52% 2012We only use open source infrastructure if it’s commercially supported

7%

10%

2011

2012

2011

2012

2011

2012

It’s not our corporate standard, but tons of people use it

27%

27%

A few of our developers use it, but it’s not widely adopted

17%

11%

Does your organization use open source development infrastructure?



Most of you use a repository manager, here’s why

Why do you use a repository manager?

64%Improve build time

35%To enforce

standards for component

usage

32%Better

visibility intocomponent

usage

67%To managecomponent

usage



Visibility and control is even more important for large organizations

Why do you use a repository manager?

64%Improve build time

41%To enforce

standards for component

usage

34%Better

visibility intocomponent

usage

75%To managecomponent

usage

Organizations with over 500 developers



2/3 of organization contribute to open source projects

We strictly consume open source 34%We use open source and contribute directly back to projects45%We use open source and contributeback via a third party12%We contribute to open source projects even though our company’spolicies prohibit it

9%

Open Source in Organizations


45%

34%12%

9%


You told us that Java OS components are the most important to you

4%

Perl5.

4%

Python4.

14%

C / C++3.

15%

.NET2.86%

Java1.

How important are the following types of open source components to your organization?Percentage reporting critical, pretty important, or medium, but getting more important



Web searches are the most common way of finding components

Must adhere to corporate standards

35%

70%

Search the web for artifacts that meet our needs

35%

Use master repository search tools (eg. Central Repository Search)

42%

Rely on the advice of my colleagues

How do you find artifacts for your projects?



The Central Repository is the most popular source of components

1.87 of 527%

GitHub5.

2.13 of 539%

Atlassian4.

2.22 of 543%

JBoss3.

2.44 of 551%

Project Sites2.

3.17 of 578%

Central Repository1.

What sources of open source components are most important to your development e!orts?Percentage reporting critical or important



Here’s what you said matters about the component you use

Security Code Quality Project Maturity Licensing

32%19%

51%

25%28%

51%

18% 25%

34%

27%

39%

22%

Mission critical Extremely important Somewhat important Minor concern Not a concern at all

For the components you use in your applications, howimportant are these attributes?



Only half of you have an open source policy

Does your organization have an open source policy?


51% No

49% Yes


You told us, most of your organizations lack control over OS usage

We’re completely locked down. We can only use approved components.20%We have some corporate standards, but they aren’t enforced.43%There are no standards. Each developerteam choose the components that arebest for their project.

37%

Control of artifacts in development



Interestingly, enforcement seems to be on the rise

13% in 201120%

45% in 201137%

42% in 201143%

We’re completely locked down. We can only use approved components.

We have some corporate standards, but they aren’t enforced.

There are no standards, each development team chooses their own components.

Control of Artifacts in Development

2011/2012 Sonatype surveys of developers, architects, and managers(2011 n=1,600; 2012 n=2,550)


Regulated industries are more likely to be locked down

31%

18%

13%

25%21%

12%

19% 19%

Financial Services

Tech/ISV

Consulting

Telecomm

unications

Manufacturing

Media & Entertainm

ent

Govt & Military

Other

Control of Artifacts by SectorWe are completely locked down. We can only use approved components.



Only 23% of you need approval before using OS components

51% Do not have a policy26% Have a policy 23% Must have approval before using any open source components

Does your organization have an open source policy?



For those of you with policies...more than half of you hate them


Lots of groups are responsible for open source policy

Who is responsible for Open Source Governance?


Development Teams

16%

6%

7%

28%15%

12%

18%

Legal

Security

Risk and Compliance

Application Development Management

IT Operations

OSS/FOSS Committee/Department


Does your open source policy restrict component usage based on specific licenses?


Yes and we examine every component and *all* of its dependencies

Yes and we examine every component but *not* its dependencies

51% 25%

No, our policy does not restrict component usage based on licensing

24%

Over 3/4 of organizations restrict component usage based on specific licenses


Policy restricting component usage based on specific licenses

Policy restricting component usage based on specific licenses:

Yes and we examine every component and *all* of its dependencies

Yes and we examine every component but *not* its dependencies

No, our policy does not restrict component usage based on licensing


51%

25%

24%

have no e!ectivelicensing policy49%


48% No

32% Yes, for all components including dependencies

20% Yes, for all components but NOT their dependencies

Does your organization maintain an inventory of open source components used in production applications?



It’s difficult to know when components & dependencies are updated

No good way to find out

When a component is updated, how do you know?


74%

40%30%

20%

66%By searching the web

Keeping up with project sites

From colleagues

Word of mouth


Thank you!

2012 sonatype-survey-findings-pdf-1

Technology

development efforts

software developerengineer

os development infrastructure

github2012 sonatype

it2012 sonatype survey

open source infrastructure

open source policydoes

repository manager