Key takeaways
- Most organizations consuming open source software at scale have security tooling in place. What they’re missing is governance that can keep pace with how that open source actually enters their environment.
- AI coding assistants have introduced a dependency intake channel that most OSS governance programs don’t yet account for, which means a fast-growing share of what enters your environment is ungoverned by default.
- The regulatory environment has changed the personal stakes for security leaders. Documented, automated due diligence is now the standard.
- Curated open source catalog models govern what enters your environment at the point of consumption, before it reaches a developer’s machine. This is the only governance structure capable of keeping pace with current dependency volume.
Open source software powers 98% of enterprise applications. For most organizations, that number has become background noise, a fact so familiar it no longer registers as a risk. Frankly, that’s exactly the problem.
ActiveState commissioned an Analyst Brief from IDC Research Manager Katie Norton, whose research finds that open source consumption now spans more than 20 programming languages, 30 distinct package managers, and nearly 10 trillion downloads in 2025. That scale has outpaced the governance programs most organizations have in place to manage it. The findings, published in the IDC Analyst Brief sponsored by ActiveState, don’t leave much room for optimism about the status quo, but they do point to a governance model that works.
Here you’ll find the key problem and solution identified in the full IDC Analyst Brief.
Access the full IDC Analyst Brief here.
The Problem: Consumption Complexity Has Outpaced Governance
The root cause of most open source software security failures isn’t an absence of tooling; it’s that the scale and diversity of open source consumption has outpaced the programs built to govern it.
The dependency footprint of a modern development organization is genuinely difficult to inventory, let alone govern. At today’s consumption volume, reactive security programs are structurally inadequate to manage it.
AI coding assistants have compounded this further by adding a dependency intake channel that operates at machine speed, largely outside the visibility of existing governance programs. The IDC Analyst Brief documents what that means for your attack surface in practice, including an emerging threat vector most scanning postures aren’t positioned to catch.
And the regulatory environment has made the consequences personal. Between the EU Cyber Resilience Act’s reporting requirements beginning September 2026 and SEC oversight obligations already in effect in the United States, the standard isn’t whether you had security tooling. It’s whether you had a reasonably designed program with documented controls and an audit trail. “We had a scanner” doesn’t meet that bar.
The Solution: A Curated Open Source Catalog
This IDC Analyst Brief identifies the curated open source catalog as a governance structure capable of addressing this problem at its source, rather than after the fact.
Unlike artifact repositories, which store and distribute packages without vetting them, a curated catalog evaluates, builds, and maintains components against defined security, licensing, and provenance policies before they’re available to developers. Governance is embedded in the default intake path, including for AI coding assistants, which draw from policy-governed sources rather than public registries.
The IDC Analyst Brief covers what separates vendors that deliver on this model from those that don’t, and the specific variables worth interrogating in any evaluation.
Download the IDC Analyst Brief: Securing Open Source at Scale
Frequently Asked Questions
An artifact repository stores and distributes packages without inherently vetting or rebuilding them. A curated catalog evaluates, builds, and maintains open source components against defined security, licensing, and provenance policies before consumption. The distinction: an artifact repository gives you distribution. A curated catalog gives you governance at the point of ingestion.
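The behavioural difference drawn here, and in the solution section above, can be shown as a policy gate. The following is an added illustration written for this page; it is not ActiveState’s product code and not from the IDC brief. The package names, licenses, digests and the advisory id are constructed sample data, and the shape of the policy (an allowed-license set plus a block-on-advisories switch) is an assumption chosen for the example.

```python
"""Policy-gated intake check modelling a curated open source catalog.

Added illustration, not ActiveState's or IDC's code. It contrasts the two
behaviours the text describes: an artifact repository only answers
"is this file stored here?", while a curated catalog answers "does this
component satisfy security, licensing and provenance policy?" before anyone
(a developer or an AI coding assistant) can consume it. Every package name,
digest and advisory id below is constructed sample data.
"""
from dataclasses import dataclass
import hashlib
from typing import Optional


@dataclass(frozen=True)
class CatalogEntry:
    name: str
    version: str
    license: str
    sha256: str                   # digest of the build the catalog produced itself
    advisories: tuple = ()        # advisory ids recorded against this build (constructed)


@dataclass(frozen=True)
class Policy:
    allowed_licenses: frozenset
    block_on_advisories: bool = True


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed artifact contents standing in for rebuilt wheels / tarballs.
ARTIFACTS = {
    ("httpclient-x", "2.0.0"): b"constructed artifact A",
    ("padutil-y", "1.3.0"): b"constructed artifact B",
    ("gpl-tool-z", "0.9.1"): b"constructed artifact C",
}

# The curated catalog: only components that were evaluated and rebuilt appear here.
CATALOG = {
    key: CatalogEntry(key[0], key[1], lic, sha256_hex(ARTIFACTS[key]), adv)
    for key, lic, adv in [
        (("httpclient-x", "2.0.0"), "Apache-2.0", ()),
        (("padutil-y", "1.3.0"), "MIT", ("CONSTRUCTED-ADV-0001",)),
        (("gpl-tool-z", "0.9.1"), "GPL-3.0-only", ()),
    ]
}

DEFAULT_POLICY = Policy(allowed_licenses=frozenset({"Apache-2.0", "MIT", "BSD-3-Clause"}))


def artifact_repository_lookup(name: str, version: str, store: dict) -> bool:
    """Artifact-repository behaviour: distribution only, no policy evaluation."""
    return (name, version) in store


def curated_catalog_evaluate(name: str, version: str, policy: Policy,
                             catalog: dict = CATALOG,
                             fetched: Optional[bytes] = None) -> Decision:
    """Curated-catalog behaviour: every request must clear the policy gate.

    A name that is not in the catalog is refused regardless of where the
    request came from (a developer, a lockfile, or an assistant's suggestion).
    """
    entry = catalog.get((name, version))
    if entry is None:
        return Decision(False, "not in curated catalog")
    if entry.license not in policy.allowed_licenses:
        return Decision(False, f"license {entry.license} not permitted by policy")
    if policy.block_on_advisories and entry.advisories:
        return Decision(False, "open advisories: " + ", ".join(entry.advisories))
    # Provenance: what is about to be installed must be the build the catalog vetted.
    if fetched is not None and sha256_hex(fetched) != entry.sha256:
        return Decision(False, "artifact digest does not match catalog build")
    return Decision(True, "passes security, licensing and provenance policy")


def gate_manifest(manifest: list, policy: Policy = DEFAULT_POLICY) -> dict:
    """Evaluate a whole dependency manifest; returns {"name==version": Decision}."""
    return {
        f"{name}=={version}": curated_catalog_evaluate(name, version, policy)
        for name, version in manifest
    }


if __name__ == "__main__":
    # Constructed manifest: one clean component, one with an advisory, one
    # GPL component, and one name that does not exist in the catalog at all.
    manifest = [("httpclient-x", "2.0.0"), ("padutil-y", "1.3.0"),
                ("gpl-tool-z", "0.9.1"), ("totally-made-up-pkg", "1.0.0")]
    for spec, decision in gate_manifest(manifest).items():
        print(f"{'ALLOW' if decision.allowed else 'BLOCK':5} {spec}: {decision.reason}")
```

The point of the two lookup functions sitting side by side: `artifact_repository_lookup` happily reports that the GPL component is available, because storage is the only question it answers, whereas `curated_catalog_evaluate` refuses the same request on license policy, refuses the component with an open advisory, and refuses any name that was never evaluated into the catalog. The optional `fetched` digest check is the provenance half of the model: what lands on the developer’s machine must be the exact build the catalog vetted, not whatever a public registry served for that name.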
Software Composition Analysis (SCA) tools find vulnerabilities. They don't fix them. Detection without remediation is a backlog that compounds with every sprint. SCA is a necessary part of the stack, but it isn't a governance model on its own.
AI coding assistants introduce a dependency intake channel that most governance programs weren't designed to account for, at a volume and speed no manual review process can match. IDC's brief also documents a targeted attack vector specific to AI-generated dependency suggestions that current scanning postures are structurally unlikely to intercept. The details are in the brief.
The EU Cyber Resilience Act introduces cybersecurity and vulnerability-handling obligations for products with digital elements, with reporting requirements beginning September 2026. Organizations without formalized open source software governance will face compliance gaps and the pressure to build those programs under active regulatory deadlines.
No. Operating system-layer security does not govern language-level dependencies. Effective open source software security requires governance at the component level across multiple delivery formats. Securing the container while leaving application dependencies ungoverned means the risk lives one layer below where your controls stop.