Open Source Software Powers 96% of Modern Applications, New Study Finds
The Linux Foundation's Census III report reveals critical dependencies and growing security concerns in open source software.
In a landmark study highlighting the pervasive role of free and open source software (FOSS) in today's digital economy, researchers have found that open source components are present in nearly all modern applications, with cloud-specific packages showing dramatic growth and traditional development patterns evolving rapidly.
The Census III of Free and Open Source Software report, released today, was authored by researchers from Harvard Business School and the Laboratory for Innovation Science at Harvard (LISH), in partnership with the Linux Foundation Research and OpenSSF (Open Source Security Foundation). The study builds upon two previous censuses, moving beyond operating system libraries to examine application-level components that form the building blocks of modern software.
The new report analyzed over 12 million observations of FOSS usage across more than 10,000 companies. The Harvard-Linux Foundation research team collaborated with leading software composition analysis (SCA) companies including FOSSA, Snyk, Sonatype, and Synopsys, combining anonymized data from multiple platforms. The analysis included both automated scans of production codebases and thorough human audits of software components, providing insights into both direct usage of FOSS packages and their indirect (transitive) dependencies throughout the software supply chain.
Key findings of the census include:
Open source components are present in 96% of codebases.
There is a dramatic increase in the use of cloud service-specific packages.
There is ongoing reliance on outdated Python 2, exposing systems to security risks.
Rust adoption surged 500% since Census II, signaling a shift toward memory-safe programming.
The lack of standardized naming for software components increases security risks.
A small group of contributors drives major FOSS projects, posing sustainability concerns.
"The biggest surprise finding was the significant increase in the use of OSS libraries to access cloud services," David Wheeler, director of Open Source Supply Chain Security at the OpenSSF, told ITPro Today.
Wheeler noted that while the use of cloud services wasn't new when the previous Census II analysis was done, the rise in Census III is quite dramatic. In his view, it suggests that earlier cloud deployments often took a lift-and-shift approach — simply moving existing software applications to run on a cloud — while now software is increasingly being developed specifically to run on a cloud and to use specific services available on them.
The Risk of Single Maintainer Projects Exposed
The report found that 40% of top projects had only one or two developers accounting for more than 80% of contributions. That concentration of maintainers represents a potential security concern.
In 2024, a supply chain attack was discovered that relied on social engineering to introduce a backdoor into the popular open source package XZ Utils. The attack included a pressure campaign on the project's solitary maintainer to add a second maintainer, who later introduced the backdoor; the malicious code was hidden in build scripts shipped in the release tarballs rather than in the project's version-controlled source, so reviewing the repository alone would not have revealed it. The report cites this incident in support of one of its key findings: that responsibility in FOSS projects is concentrated in very small teams, with security implications for everyone who depends on them.
"Some projects have one or only a few developers, and we'd like to see many developers in widely used projects, since having many developers can act as a check on others," Wheeler said.
Wheeler noted that the attack on XZ Utils also illustrates a challenge that the OpenSSF is working to address: ensuring that the source code that is reviewed is what people are running.
"A great advantage of open source software is that it can be widely reviewed to look for unintentional or intentional vulnerabilities," he said.
That said, Wheeler noted that the review doesn't help if what is reviewed isn't what is used to build the final product. OpenSSF projects like SLSA and Sigstore are working to harden the build and distribution process to help ensure that the code people run is generated from the source code that was reviewed.
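The check Wheeler describes, that the code people run is built from the source that was reviewed, can be made concrete by comparing a release archive against the version-controlled tree it claims to come from. The following is an added example written for this article; it is not code from the Census III report, OpenSSF, SLSA, or Sigstore. It builds a constructed source tree and a constructed release tarball in memory, hashes every file in both, and reports files that exist only in the tarball or whose contents differ from the reviewed tree. All file names and contents are made up for the demonstration.

```python
"""Compare a release tarball with the reviewed source tree it claims to match.

Added example (not code from the Census III report, OpenSSF, SLSA or
Sigstore). Every file is hashed with SHA-256 on both sides; anything that is
present only in the archive, or whose digest differs, is exactly what code
review of the repository alone cannot catch.
"""
import hashlib
import io
import tarfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_tree(files: dict[str, bytes]) -> dict[str, str]:
    """Map relative path -> SHA-256 for an in-memory source tree."""
    return {path: sha256_hex(content) for path, content in files.items()}


def hash_tarball(tar_bytes: bytes, strip_prefix: str) -> dict[str, str]:
    """Map relative path -> SHA-256 for every regular file in a .tar.gz."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue  # skip directories, symlinks and other special entries
            path = member.name
            if path.startswith(strip_prefix):
                path = path[len(strip_prefix):]
            digests[path] = sha256_hex(tar.extractfile(member).read())
    return digests


def compare_source_to_release(source: dict[str, str],
                              release: dict[str, str]) -> dict[str, list[str]]:
    """Classify paths as modified, only in the release, or only in the source."""
    report = {"modified": [], "only_in_release": [], "only_in_source": []}
    for path, digest in release.items():
        if path not in source:
            report["only_in_release"].append(path)
        elif source[path] != digest:
            report["modified"].append(path)
    for path in source:
        if path not in release:
            report["only_in_source"].append(path)
    for key in report:
        report[key].sort()
    return report


def build_tarball(files: dict[str, bytes], prefix: str) -> bytes:
    """Constructed release archive used only for this demonstration."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=prefix + path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample data: what a reviewer sees in version control ...
REVIEWED_SOURCE = {
    "configure.ac": b"AC_INIT([demo], [1.0])\n",
    "m4/build-aux.m4": b"dnl upstream macro\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}
# ... and what ships in the release tarball (one file altered, one added).
RELEASE_CONTENTS = {
    "configure.ac": b"AC_INIT([demo], [1.0])\n",
    "m4/build-aux.m4": b"dnl upstream macro\ndnl extra lines not in git\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "tests/data/fixture.bin": b"\x00\x01\x02",
}


def demo() -> dict[str, list[str]]:
    tarball = build_tarball(RELEASE_CONTENTS, "demo-1.0/")
    return compare_source_to_release(
        hash_tree(REVIEWED_SOURCE), hash_tarball(tarball, "demo-1.0/"))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the left-hand side comes from checking out the tagged commit and the right-hand side from the published archive; any entry under `modified` or `only_in_release` needs an explanation before the archive is trusted. Frameworks such as SLSA formalize this by having the build system emit signed provenance that names the exact source revision, so the comparison does not have to be done by hand.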
Why Python 2 Is Still Being Used, 16 Years After Python 3 Was Released
Another key finding in the report is the continued use of older, end-of-life language versions, which represent a security risk because they no longer receive upstream fixes.
Specifically, the report notes that despite Python 3 being released 16 years ago, adoption is still incomplete, with some sectors showing 20-30% Python 2 usage. Python 2 reached end of life on January 1, 2020, and has received no upstream security patches since. As to how open source software developers can work to improve that situation, Wheeler has a few ideas.
"The lesson is simple: Make it extremely easy to update to new versions," he said. "In almost all cases, new versions should be completely backward-compatible with older versions — especially the previous version. Ensuring backward compatibility may take extra developer effort, but it's almost always the right approach."
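Before an organization can retire its remaining Python 2 code it has to find it, and SCA scanners of the kind used for the census do this at scale. The following is an added example for this article, not code from the report or from any of the SCA vendors it names: it parses each file with the Python 3 parser and, when that fails, checks for a small set of constructs that were legal only in Python 2, so a parse failure is attributed to the language version rather than to an unrelated typo. The sample snippets are constructed.

```python
"""Flag source files that still require Python 2.

Added example, not part of the Census III report or its SCA data sets.
Each file is parsed with the Python 3 parser of the running interpreter;
on failure, Python-2-only constructs are looked for to explain the failure.
"""
import ast
import re

# Constructs that were legal in Python 2 and are syntax errors in Python 3.
PY2_ONLY_PATTERNS = {
    "print statement": re.compile(r"^\s*print\s+[^(\s]", re.M),
    "except E, e syntax": re.compile(r"^\s*except\s+[\w.]+\s*,\s*\w+\s*:", re.M),
    "exec statement": re.compile(r"^\s*exec\s+[^(\s]", re.M),
    "backtick repr": re.compile(r"`[^`\n]+`"),
    "<> operator": re.compile(r"\S\s*<>\s*\S"),
    "legacy octal literal": re.compile(r"\b0[0-7]+\b"),
    "ur string prefix": re.compile(r"\bur['\"]", re.I),
}
# A shebang that pins the interpreter to Python 2 even if the code parses.
PY2_SHEBANG = re.compile(r"\A#![^\n]*python2(\.\d+)?\b")


def classify(source: str) -> dict:
    """Return {'status': ..., 'evidence': [...]} for one file's contents.

    status is one of:
      python3-compatible  parses under Python 3, no Python 2 pin
      python2-pinned      parses, but the shebang asks for python2
      python2-only        does not parse and Python-2-only syntax is present
      syntax-error        does not parse for some other reason
    """
    evidence = []
    if PY2_SHEBANG.search(source):
        evidence.append("python2 shebang")
    try:
        ast.parse(source)
        parses = True
    except SyntaxError:
        parses = False
        for name, pattern in PY2_ONLY_PATTERNS.items():
            if pattern.search(source):
                evidence.append(name)
    if parses:
        status = "python2-pinned" if evidence else "python3-compatible"
    elif evidence:
        status = "python2-only"
    else:
        status = "syntax-error"
    return {"status": status, "evidence": evidence}


# Constructed sample files for the demonstration.
SAMPLES = {
    "legacy_tool.py": 'import sys\nprint "starting"\ntry:\n    run()\nexcept IOError, e:\n    print >>sys.stderr, e\n',
    "modern_tool.py": 'import sys\nprint("starting")\n',
    "pinned.py": '#!/usr/bin/env python2\nprint("still on 2")\n',
    "broken.py": 'def f(:\n    pass\n',
}


def scan(files: dict[str, str]) -> dict[str, str]:
    """Map file name -> status for a set of in-memory sources."""
    return {name: classify(text)["status"] for name, text in files.items()}


if __name__ == "__main__":
    for name, status in scan(SAMPLES).items():
        print(f"{name}: {status}")
```

The heuristics only fire after the Python 3 parser has already rejected the file, which keeps false positives low, but code that is syntactically valid in both versions yet depends on Python 2 semantics (the `unicode` builtin, integer division, `dict.iteritems()`) will still be reported as compatible; a full migration needs a test run under Python 3, not just a parse.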