Building an open source chain of trust: new research uncovers key blockers

crashpn1 pts0 comments

Building an open source chain of trust: new research uncovers key blockers and ways forward | Canonical

it injects into<br>its shadow DOM is allowed by our nonce-based style-src directive.<br>Must run before the deferred lite-youtube module upgrades the<br>element.<br>-->

Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!

In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

An error occurred while submitting your form.<br>Please try again or<br>file a bug report.

Close

Blog

Article

Newsletter signup

Get the latest Canonical news and updates in your inbox.

Work email:

&ast;I agree to receive information about Canonical's<br>products and services.

By submitting this form, I confirm that I have read and agree to Canonical's Privacy Policy.

Sign up

Canonical is pleased to share its latest research report, “The open source chain of trust.” Based on a survey of 500 DevOps professionals, the report highlights how organizations approach their open source software supply chains. While many companies are moving toward verifiable provenance and automated security workflows, internal misalignment and disjointed approaches remain serious challenges for most teams.

Read the report

Open source is the fabric of modern IT, but management remains fragmented

Open source powers development toolchains and underpins cloud-native platforms. It runs across on-prem, cloud, and edge environments. While organizations formalize policies and adopt security tools, many rely on fragmented processes with significant visibility gaps in CI/CD process between development and production stages. This research shows that 90% of respondents believe their organization needs to improve cross-team collaboration regarding open source software.

Figure 1: overview of key findings from the research

Organizations often stitch together components from many sources using inconsistent methods and misaligned upgrade cadences. Security teams struggle to manage transitive dependencies in this environment. Meanwhile, operations teams face constant trade-offs between stability and necessary changes.

“Open source is a critical foundation of the enterprise, but managing the dependency sprawl can be an operational and security challenge. On top of these existing supply chain challenges, the cadence of software development is accelerating. Consequently, it is increasingly crucial for organizations to bring automation and cross-team collaboration into their SDLC governance.”

– Rachel Stephens, Research Director at RedMonk

Key findings from the research

The report identifies operational challenges and highlights how internal misalignment impacts software supply chains:

Cross-team tensions stall progress: 71% of respondents report tensions between DevOps and platform engineering teams regarding the scalable use of open source.

Manual processes hinder maturity: 35% of organizations still rely on manual code reviews for security. Another 21% use manual methods to track vulnerabilities.

Operational risk drives patching delays: Primary causes for delays include system compatibility concerns (53%) and resource constraints like staff shortages (43%).

Figure 2: Most common causes of delays in organizations’ ability to patch vulnerabilities, top 3 combined answers.

Mitigating gaps through a trusted foundation

The research highlights a clear path toward more predictable and secure operations:

Rely on the operating system as a strategic control plane: 98% of respondents describe the OS as extremely or very important for detecting and applying updates to open source components, suggesting it can serve as a central layer to govern supply chain hygiene.

Establish verifiable provenance: 48% of respondents state that tracked packages would improve their confidence in software supply chain security.

Strengthening collaboration: Choosing the right platform as a foundation brings consistent governance and strengthens the working relationship between DevOps, security, and operations.

Discover all the insights from the research

“This new research highlights that scaling open source innovation requires organizations to move beyond fragmented workflows to adopt a stable foundation that can help fast-track security and compliance. At Canonical, we help our customers achieve exactly this by simplifying vulnerability management and providing a single, verifiable stack with trusted end-to-end provenance.”

– Lech Sandecki, Product Manager at Canonical

Trusted open source with Canonical

Maturing processes and improving internal alignment are critical for addressing security concerns. Through Ubuntu Pro, Canonical delivers consistent security maintenance for the operating system and thousands of upstream open source packages.

By streamlining vulnerability...

open source research canonical security organizations

Related Articles