Ishani Ghoshal
27 March 2025
Open source enterprise application security remains a challenge despite greater patching efforts, IDC research reveals
The latest report from the International Data Corporation (IDC), co-sponsored by Canonical and Google Cloud, indicates that 36% of organizations adopt open source to improve development velocity, and 7 in 10 organizations see open source as extremely important for running mission-critical workloads. However, as open source adoption grows, organizations face increasing difficulty in securing and maintaining their software supply chains. These challenges are compounded by the complexity of modern cloud environments, skill gaps and stringent compliance requirements.
The report features insights from 500 participants across the Americas, APAC, Europe, and Middle East, primarily in IT Manager and IT Security Manager/Director roles. The respondents were surveyed on open source security. The report explores how businesses can build resilience by reducing maintenance complexity and automating vulnerability management. In this blog, we will explore key takeaways from the report and how they relate to enterprise application security, offering possible solutions.
Drivers for open source adoption

Affordability, customizability, innovation, and security drive organizations to adopt open source.
Affordability – 44% of respondents claimed that using open source helps reduce their costs. Use of open source can reduce or eliminate licensing and support fees associated with proprietary software.
Customizability – Open source also allows organizations to modify and adapt the code to fit their specific needs, with 35% of participants recommending open source for customizability.
Development Velocity – With a global community contributing improvements, security patches, and optimizations, organizations can adopt cutting-edge technologies faster.
Improving security – Open source is more transparent than proprietary software, which is why 31% of organizations in the report see it as a means to improve security. As Linus’s famous law explains, the more eyeballs you have on something, the more likely it is you’ll be able to spot flaws and security issues as well as collaborate on fixes.
However, open source is naturally fragmented, and as a result, organizations consume it from a variety of projects and their dependencies, which come from many different sources. This fragmentation can compound enterprise security challenges, especially as the software stack complexity increases. Without the right auditing tools and governance framework, these challenges are difficult to tackle.
Enterprise challenges with application security
Vulnerability and patching
Vulnerability and patch management was cited as the number one challenge for software supply chains. 7 in 10 responsible teams spend more than 6 hours per week, on average, on security patching. However, the investment is not paying dividends, with only 23% of teams being satisfied or mostly satisfied with their ability to fix vulnerabilities.
Additionally, applications are often packaged with their dependencies in containers, to help ensure consistency across different environments, such as development, testing and production. Organizations can use containers for their microservices architecture, cloud-native applications, or DevOps workflows. However, the dynamic and intricate nature of containers can also create security challenges in the software supply chain. Managing container security requires continuous monitoring, timely patching, and strict enforcement of best practices and regulations. Around 70% of organizations mandate vulnerability patching for containers within 24 hours of identification, but only 41% are confident in their ability to execute on this policy. Many organizations struggle with limited automation, fragmented tooling, and the sheer volume of security updates required to keep systems protected. Delays in patching leave critical applications exposed to potential exploits, increasing security risks and compliance challenges.
Compliance burdens
Speaking of compliance, 37% of organizations lack an understanding of how compliance regulations apply to their systems, technologies, and software components. Regulations like FedRAMP, GDPR, and HIPAA create additional complexity for enterprises. Without a clear compliance strategy, businesses risk regulatory fines, security vulnerabilities, and operational inefficiencies.
Skills shortages
40% of organizations cited a skills shortage as the reason why they lack confidence in securing their environments. As security threats get more complicated, many enterprises struggle to find and retain talent with the expertise needed to manage vulnerabilities, apply fixes, and ensure compliance with regulations.
Risk mitigation
To mitigate these risks, 9 out of 10 organizations would prefer sourcing software packages from their OS repositories.

In practice, however, many pull software from unverified and potentially unmaintained third-party sources – introducing additional security and dependency risks. The lack of a centralized approach to software sourcing increases exposure to supply chain attacks, outdated packages, and inconsistencies in security maintenance.
Without proper controls, organizations risk integrating vulnerable components into their environments, making it difficult to ensure the integrity and security of their software stacks.
Tackling enterprise application security challenges the Ubuntu way
At Canonical, we have spent over 20 years maintaining open source. We understand these challenges and have developed a security maintenance offering around Ubuntu to alleviate these burdens for organizations: Ubuntu Pro.
Ubuntu Pro is a comprehensive subscription that covers security for both the Operating System (OS) and thousands of packages in Ubuntu’s repositories, many of which are commonly used for software development, such as Python, Java, PHP and others.
Organizations that develop on Ubuntu can do so with confidence, knowing the OS and the packages offered in Ubuntu are maintained for 10 years (or up to 12 with the Legacy Support add-on). Because we backport the fixes to previous versions of Ubuntu, organizations benefit from stability and fewer headaches when managing dependencies and issues resulting from forced upgrades.
Ubuntu Pro also covers security maintenance for both infrastructure and applications in Canonical’s open source portfolio. This includes OpenStack, Ceph Storage, the Kubernetes offering, and data solutions like Kafka and Postgres, meaning both the underlying infrastructure and applications are maintained.
In addition to security maintenance, Ubuntu Pro offers automated patching, hardening and compliance profiles. By ensuring that critical vulnerabilities are addressed quickly and that software dependencies come from vetted sources, Ubuntu Pro helps businesses reduce their operational risk and enhance application security. Our goal is to make security maintenance easy, just like we made Linux easy to use.
To get a summary of how Ubuntu Pro can help you address application security challenges, check out the table below.
| Challenge | Ubuntu Pro solution |
|---|---|
| Vulnerability management | Security maintenance for the OS and 36,000+ open source packages, including Python, PHP, Ruby, OpenJDK and others; fast remediation for CVEs |
| Patching automation | Livepatch for kernel patching while the system runs; Landscape to automate patching across your estate |
| Compliance | FIPS-certified cryptography; CIS hardening; Common Criteria; compliance reporting via Landscape |
| Skills shortage | 12 years of security maintenance from Canonical experts; 24/7 enterprise support with Ubuntu Pro + Support; SLA-backed response times |