FIGURE 10: How organizations turn open source policy into practice

How does your organization turn open source policy into practice? (check all that apply)

Tooling (e.g., license checkers, security scanning) ............ 52%
Training and education ......................................... 45%
Evaluates open source before considering other alternatives .... 42%
Manuals, guidelines or checklists .............................. 40%
Formal review or documentation process ......................... 38%
Engagement with specialist third parties ....................... 36%
None of the above ............................................... 7%

Source: 2022 FINOS STATE OF OSS IN FINANCIAL SERVICES SURVEY, Q13, SAMPLE SIZE = 210, VALID CASES = 210, TOTAL MENTIONS = 547

CONSUMING WITH CONFIDENCE

FIGURE 11 shows the level of confidence respondents have in the open source components they consume. We find that some 69% of organizations overall are confident (either extremely or somewhat) that the components they consume are maintained and up to date. This is an increased level of confidence compared with last year's results (where only 19% were extremely confident, versus 33% this year).

This high and increasing level of confidence is quite surprising, especially considering recent events. We looked at how responses to this question varied between technical and nontechnical roles, and as FIGURE 11 shows, 28% in technical roles are extremely confident (that the components they consume are up to date and maintained), compared with 38% in nontechnical roles reporting the same. This finding echoes a recent report from Sonatype that uncovered a positive bias from those in managerial roles. Furthermore, the Sonatype study demonstrated this to be an overexpression of confidence, by revealing that the open source components some people are confident in had known vulnerabilities.

“We leveraged the demographic data collected during the survey and broke down the results by job title. The findings were illuminating. There is an ongoing bias toward seeing things in a better light, in which managers report higher stages of maturity compared to what is reported by other roles. Survey-wide, this discrepancy is statistically significant when comparing IT managers and those working in information security roles.” [13]

Counter to the confidence expressed by survey respondents, the interviews we conducted revealed a much more measured response. There is an ever-growing awareness of security,

THE 2022 STATE OF OPEN SOURCE IN FINANCIAL SERVICES 19