Open source has come a long way. Recently I was watching a keynote address by our founder, Mark Shuttleworth, in which he discussed his vision for Ubuntu to provide quality support and security maintenance across the broad open source ecosystem, and it made me reflect on how far the open source software (OSS) community has come. Indeed, when looking at today’s interoperable open source landscape, the fragmented, disconnected landscape of the past seems like another planet.
But where is open source going next? What’s in store for open source in the coming years, particularly in relation to security? Here’s my reflection on the state of open source, and the trends that I expect to have an impact going into 2026.
So, what is the state of open source in 2025?
Open source has become a ubiquitous part of software development – just look at the numbers. The average app today contains three times as many open source files as it did just four years ago, to the point where 97% of all applications contain OSS. At the same time, research commissioned by Canonical and IDC revealed that seven out of ten organizations consider open source to be “extremely important” for running their mission-critical workloads. In fact, a Harvard study found that if OSS didn’t exist, the global expenditure on software would be 3.5 times higher.
Put simply, the modern software landscape and market depends upon open source. Open source is popular because it is transformative for businesses, blending cost-effectiveness with access to sophisticated software. For instance, one company reduced their cloud total cost of ownership (TCO) by 76% – saving approximately $370,000 – simply by transitioning to open source cloud infrastructure from Canonical. Previously unthinkable deployments, such as carrier-grade private 5G mobile networks, are now entirely achievable with open source tools, as we demonstrated last year in the Netherlands.
It’s astonishing to think that just 20 years ago, most software companies explicitly forbade the use of any OSS in their contracts and terms of service. Open standards and interoperability – now synonymous with open source – were far from mainstream, and as a result, companies were forced into an uncomfortable decision: use the one expensive product that worked, or spend months building and integrating everything from scratch.
That’s a lot of change in just 20 years: an entire ecosystem turned on its head. That’s why I think it’s important to pay critical attention to what’s going on around us, to spot the trends that could be just as revolutionary (or disastrous), and to plan around them so that we can keep growing in the next 20 years.
Now that I’ve covered the current state of play, let’s dive into the potential tech revolutions – or challenges – in-waiting.
Future open source trends and their impact on cybersecurity
Open source adoption will continue its strong rise
The decision to move away from the constraints of proprietary systems is grounded in promise: as research by Canonical and IDC shows, businesses everywhere are using open source to keep down costs, fully own their infrastructure, and open up their systems to innovation. Ensuring that this promise is reflected in reality requires a proactive, forward-thinking approach.
Your ability to adopt and adapt to the latest innovations in open source software will be vital. Two things are needed:
- A clear plan for adopting open source
- A way to manage this open source software supply chain post-adoption
Without a clear plan, you don’t know where you’re going; and without a management system, you’ll be recreating the difficult, fragmented environment that open source was 20 years ago. However, I believe that the ever wider adoption of open source will make interoperability and simplified supply chains the norm in the software landscape – essentially, that open source software will reshape the software landscape in line with its values. People want open source software that’s quick to install, easy to learn and use, and effortless to deploy and manage. If you’re looking for a place to begin exploring how to approach adopting open source in your project or organization, I highly recommend visiting our new webpage dedicated to helping you do exactly that.
A new age of digital sovereignty
The tumultuous geopolitical and cyberthreat landscape of 2025 has sparked a new movement towards independence and ownership in mainstream circles. Long story short, companies don’t want to be left in the cold and dark if something happens to their overseas software or services provider, and the appeal of open source software is precisely the control and freedom it offers to users.
Most notably, we’ve seen a major increase in interest, from businesses and governments alike, in open source and in repatriated products and infrastructure. For example, local, municipal, and national government bodies in nations like Germany and Denmark have expressed strong interest in moving away from proprietary systems in favour of open source alternatives.
This doesn’t mean proprietary tools will vanish. But it does mean that the pressure will increase on software providers to give peace of mind to end users and consumers that whatever system they use will remain online and functioning – even if new terms of service, sanctions, politics, or laws present unforeseen hurdles. Product features will still be important, but things like documentation, interoperability, system-agnostic design, training for users and system admins, and clear handover processes will be a new ‘normal’ in software offerings.
Organizations must balance complexity with visibility
The developer landscape in 2025 has no shortage of tools, libraries, and solutions. If you want to build an app or service, you could build it from scratch, get portions of the solution from open source, or use already-built solutions. The challenge today is creating systems that give you a full view of these tools, and which allow them to be used securely and sustainably in the long term, without major costs.
Security is hard. There is no one-size-fits-all solution, which introduces the challenge of complexity. Developers have a lot of shiny toys to choose from, and keeping them all securely managed within a usable, minimally complex environment will be a real challenge. Indeed, securing your ever-growing stack won’t be easy. All this new tech doesn’t just mean maximized performance and efficiency: it also means a bigger attack surface and new attack vectors born of the intricate interdependencies between systems.
This is made harder by wider organizational habits. Canonical and IDC’s research shows that, in general, organizations prize stability over constant updates: over 50% do not automatically upgrade to the newest versions of software when they become available. Instead, they wait until new features are needed or the program of free updates stops. They also draw these updates from various places: 57% draw from upstream source repositories, such as GitHub or GitLab, and 51% draw from ecosystem package registries, like pip or npm.
This approach presents clear problems: if you draw packages from multiple different sources and only apply them when you’re forced to update, it leads to more manual work and less certainty that you’re meeting increasingly strict cybersecurity standards in today’s market.
Organizations still have some work to do in order to meet the challenge of complexity. Our research with IDC shows that 70% of organizations mandate vulnerability patching within 24 hours of identification for “high” and “critical” container vulnerabilities – however, just 41% of respondents are “very confident” or “completely confident” in their organization’s ability to execute this policy.
Remember that innovation isn’t just driven by “the good guys”: bad actors are also working to develop new attack methods and techniques, as AI becomes increasingly powerful and AI tools become more connected and widespread.
… especially as we enter the post vibe-coding era
We’ve all heard and read about vibe coding, in which a software engineer uses AI to generate and debug code. The hype wave of AI has led to fast adoption of generative AI tools as incredible productivity magnifiers. While the allure of faster go-to-market times and improved cost-effectiveness is undeniable, the widespread adoption of AI tools in primary codebases, especially in environments with busy developers stretched across multiple projects, is creating significant security issues. The rapid, often less scrutinized generation of code through these tools can introduce vulnerabilities and amplify existing security challenges in complex software supply chains.
In the next few years, I predict the rise of a new category of cyber incidents stemming from vibe-coded feature additions. Organizations everywhere will need a clear policy on the use of these tools, and robust checks and quality assurance processes to ensure that vibe-coded additions don’t ignore instructions, or pull in hallucinated package names (which an attacker may have registered on a public registry) and inadvertently execute malicious code inside production environments.
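One concrete form such a check can take is a pre-merge gate on dependency changes. The script below is an added example written for this post, not Canonical’s tooling or any existing product: it reads a unified diff of a requirements.txt, and flags every newly added dependency that is not on a reviewed allowlist, that closely resembles an allowed name (the classic hallucinated or typosquatted package), or that is not pinned to an exact version. The allowlist and the diff are constructed for illustration; in practice the allowlist would come from your own review process, and a real gate would additionally confirm the name against the registry and the lockfile.

```python
"""Pre-merge check for newly added Python dependencies (illustrative example).

Flags dependencies introduced in a diff that
  (a) are not on a reviewed allowlist,
  (b) look like near-misses of an allowed name (possible hallucinated or
      typosquatted package), or
  (c) are not pinned to an exact version.
"""
import re
from difflib import SequenceMatcher

# Hypothetical allowlist of packages already reviewed for production use.
# Names are stored in PEP 503 normalized form (lower-case, '-' separators).
APPROVED = {"requests", "cryptography", "pyyaml", "urllib3", "jinja2"}

# Constructed sample diff, as produced by `git diff -- requirements.txt`.
# "requets" is a plausible hallucination of "requests"; "flask-jwt-extendedd"
# is simply unknown; "urllib3" is allowed but left unpinned.
SAMPLE_DIFF = """\
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,6 @@
 requests==2.32.3
 cryptography==43.0.1
+PyYAML==6.0.2
+requets==2.32.3
+urllib3>=2.0
+flask-jwt-extendedd==4.6.0
"""

REQ_LINE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?P<spec>.*)$")


def normalize(name):
    """PEP 503 name normalization: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def added_requirements(diff_text):
    """Yield (name, version_spec) for requirement lines added by the diff."""
    for line in diff_text.splitlines():
        # '+++ b/file' is the file header, not an added requirement.
        if line.startswith("+++") or not line.startswith("+"):
            continue
        body = line[1:].strip()
        if not body or body.startswith("#"):
            continue
        match = REQ_LINE.match(body)
        if match:
            yield match.group("name"), match.group("spec").strip()


def nearest_approved(name, approved):
    """Return (closest approved name, similarity ratio in [0, 1])."""
    best, score = None, 0.0
    for candidate in approved:
        ratio = SequenceMatcher(None, name, candidate).ratio()
        if ratio > score:
            best, score = candidate, ratio
    return best, score


def review_diff(diff_text, approved=APPROVED, similarity=0.8):
    """Return a list of findings; an empty list means the diff passes the gate."""
    findings = []
    for name, spec in added_requirements(diff_text):
        norm = normalize(name)
        if norm not in approved:
            best, score = nearest_approved(norm, approved)
            if score >= similarity:
                findings.append({"package": name, "kind": "suspicious",
                                 "detail": f"not approved and resembles '{best}' "
                                           f"(similarity {score:.2f}); possible "
                                           f"hallucinated or typosquatted name"})
            else:
                findings.append({"package": name, "kind": "unapproved",
                                 "detail": "not on the allowlist; needs review"})
        if not spec.startswith("=="):
            findings.append({"package": name, "kind": "unpinned",
                             "detail": f"spec '{spec or '(none)'}' is not an exact pin"})
    return findings


if __name__ == "__main__":
    for finding in review_diff(SAMPLE_DIFF):
        print(f"{finding['kind']:<11} {finding['package']:<22} {finding['detail']}")
```

Wired into CI, a non-empty result blocks the merge until a human reviews the flagged names; the similarity threshold is a judgement call, and should be tuned against your own allowlist so that legitimate short names do not collide.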
Regulation is coming, and making things harder
We’ve seen a wave of regulation sweep across the US, EU, and UK in the last 4 years. As open source is adopted at the largest scales of software, it will inherit the steep, strict demands that come with operating on a prestigious global playing field.
Our research with IDC gives a clearer view into the challenges and frustrations that organizations are experiencing with regulations and compliance:
- 37% of organizations are struggling to understand how regulations apply to specific systems, technologies, and software components.
- 34% are battling with how to enforce compliance standards across software systems in a consistent manner.
- 29% find it hard to source the resources and expertise needed to centrally manage software compliance.
As more regulation is rolled out and tightened up, these challenges will only become harder. Simply ticking the compliance or hardening box needed for enterprise eligibility isn’t the point any more – security teams have their work cut out establishing a clear, transparent track record of their software’s trust lifecycle, and embedding that transparency into their development practices.
This means more work for people like me whose job it is to keep open source robust and trusted. But it’s undeniably the right path. After all, we don’t just want solutions that work – we want solutions that reflect, support, and continue the legacy of openness and contribution that allowed them to exist in the first place. And we want Canonical to be a leader in transparency and accountability, and institute practices that demonstrate the trustworthiness and compliance-readiness of our software and services. We recently published our Trust Center – a web portal with all our certifications and compliance efforts – in order to demonstrate that when it comes to that hard work of regulations, we’re doing it right.
Wrapping up
In short: the future will be characterized by even more adoption of open source, increased regulation, a surge in AI-driven attack vectors, and a critical need for organizations to implement robust security policies and practices. Businesses must prioritize security without compromising stability, manage their open source supply chains effectively, and adapt to a landscape where transparency and compliance are paramount.
This means that I’ve got a lot of work ahead of me. But as we move into this new phase of open source I’m excited: open source has never been more exhilarating. The openness we spent decades building has created a truly remarkable landscape of interoperability, where you can combine and integrate almost any technology into a functioning model. I’ve seen first hand how open source has changed everything in the software landscape, and I know how much more revolutionary it could be in the coming years. There’s no other job I’d rather have.
References
- Black Duck. “Open Source Security and Risk Analysis Report 2025.” https://www.blackduck.com/resources/analyst-reports/open-source-security-risk-analysis.html
- Hoffmann, Manuel, Frank Nagle, and Yanuo Zhou. “The Value of Open Source Software.” Harvard Business School Working Paper, No. 24-038, January 2024.
- Canonical and IDC. “The state of software supply chains: Security challenges, opportunities and the path to resilience with open source software.”
- https://ubuntu.com/blog/telco-bringing-automation-to-open-source-5g-software-at-ubuntu-summit-2024