Canonical is pleased to share its latest research report, “The open source chain of trust.” Based on a survey of 500 DevOps professionals, the report highlights how organizations approach their open source software supply chains. While many companies are moving toward verifiable provenance and automated security workflows, internal misalignment and disjointed approaches remain serious challenges for most teams.
Open source powers development toolchains and underpins cloud-native platforms. It runs across on-prem, cloud, and edge environments. While organizations formalize policies and adopt security tools, many rely on fragmented processes with significant visibility gaps in CI/CD process between development and production stages. This research shows that 90% of respondents believe their organization needs to improve cross-team collaboration regarding open source software.
Figure 1: overview of key findings from the research
Organizations often stitch together components from many sources using inconsistent methods and misaligned upgrade cadences. Security teams struggle to manage transitive dependencies in this environment. Meanwhile, operations teams face constant trade-offs between stability and necessary changes.
“Open source is a critical foundation of the enterprise, but managing the dependency sprawl can be an operational and security challenge. On top of these existing supply chain challenges, the cadence of software development is accelerating. Consequently, it is increasingly crucial for organizations to bring automation and cross-team collaboration into their SDLC governance.”
– Rachel Stephens, Research Director at RedMonk
The report identifies operational challenges and highlights how internal misalignment impacts software supply chains:
Figure 2: Most common causes of delays in organizations’ ability to patch vulnerabilities, top 3 combined answers.
The research highlights a clear path toward more predictable and secure operations:
Discover all the insights from the research
“This new research highlights that scaling open source innovation requires organizations to move beyond fragmented workflows to adopt a stable foundation that can help fast-track security and compliance. At Canonical, we help our customers achieve exactly this by simplifying vulnerability management and providing a single, verifiable stack with trusted end-to-end provenance.”
– Lech Sandecki, Product Manager at Canonical
Maturing processes and improving internal alignment are critical for addressing security concerns. Through Ubuntu Pro, Canonical delivers consistent security maintenance for the operating system and thousands of upstream open source packages.
By streamlining vulnerability management and committing to up to 15 years of platform stability through backporting, Canonical helps resolve the inherent tension between rigorous security and operational uptime. This shift moves organizations from a state of fragmented visibility and complex management to one of securely designed architecture, ensuring the open source fabric they depend on remains a source of innovation and not of risk.
The report is based on a global survey of 500 IT professionals conducted by Vanson Bourne. Respondents represent organizations across the Americas, EMEA, and APAC.
Read our latest research into software supply chains. Canonical offers in-depth guides to help you secure open source ecosystems and navigate supply chain complexities.
In the traditional automotive world, teams often work in silos: the cybersecurity experts lock down…
The second development snapshot of Ubuntu 26.10, also known as “Stonking Stingray”, is now available…
Canonical has extended Ubuntu Livepatch support to Arm64 platforms, allowing compatible Ubuntu systems running on…
Mozilla has released Firefox 152, introducing a refreshed settings experience, improved sharing tools, and several…
On June 25, 2026, JFrog published their research into CVE-2026-43503, referring to the vulnerability as…
The KDE community has secured significant financial support from Germany’s Sovereign Tech Fund, receiving a…