Cybersecurity incidents are among the greatest threats facing organizations today. In the wake of recent high-profile software supply chain attacks, the US Federal government has taken bold action to strengthen the country’s cyber resilience. On 12 May 2021, President Biden issued a widely anticipated Executive Order on Improving the Nation’s Cybersecurity, which calls for stringent new security guidelines for software sold to the federal government, and has wide-ranging implications that will ripple across the entire software market.

Despite the troubling frequency of malicious attacks, most organizations still have only a partial view of the make-up of their software applications. This partial knowledge leaves them exposed to unknown software component vulnerabilities and hampers any response efforts.

Anaconda asked about open source security in our 2021 State of Data Science survey, and the results were surprising:

  • 87% of respondents said they use open source software in their organization.
  • 25% are not securing their open source pipeline.
  • 20% did not report any knowledge about open source package security.

We also found that among organizations not yet using open source software, the most common barrier to adoption is security concern: fear of Common Vulnerabilities and Exposures (CVE) entries in the packages they would depend on, and of the exposure and risk those entries imply. It’s no secret that open source software is key to accelerating the development of new business ideas, not only by saving time but by enabling broader collaboration and bringing more minds to bear on some of the world’s toughest challenges. With that increased visibility and third-party involvement, however, the benefits come with exposure to potential risk. IT departments need solutions that support innovation while also providing the governance needed to limit the damage from any attack or exposure.

Providing security and trust in open source

CVE matching and remediation information enable an organization to build a secure supply chain tailored to its own needs and policies. For example, one foundational cybersecurity practice is to consult CVE databases and their severity scores regularly so that known-vulnerable packages and binaries do not make their way into applications. Anaconda Repository for IBM Cloud Pak® for Data automates this process by letting IT security administrators filter access to packages and files against a curated database of known vulnerabilities. This frees developers and data science teams to focus on building models rather than on manual vulnerability checks.
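As an added illustration of the filtering described above (example code written for this page, not Anaconda’s or IBM’s implementation), the following Python script evaluates requested package versions against a small vulnerability table and an administrator policy that combines a severity threshold with explicit block and safelist entries. The package names, version numbers, scores and EXAMPLE-* identifiers are all constructed for the demonstration and are not real CVE records; a production deployment would load the feed from the curated vulnerability database and use the package manager’s own version comparison.

```python
"""Policy filter for a package channel: block or safelist packages by CVE score.

Added example, not Anaconda's or IBM's code. The vulnerability records and the
package requests below are constructed; EXAMPLE-* IDs are placeholders, not CVEs.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vuln:
    vuln_id: str      # placeholder identifier, not a real CVE number
    package: str      # package name as published on the channel
    fixed_in: str     # first version that is NOT affected; everything below is
    cvss: float       # severity score (0.0 - 10.0)


def parse_version(v: str) -> tuple:
    """Dotted integer versions only; real channels need PEP 440 / conda specs."""
    return tuple(int(part) for part in v.split("."))


# Constructed vulnerability feed standing in for the curated database.
VULN_DB = [
    Vuln("EXAMPLE-0001", "numpy", "1.22.0", 7.5),
    Vuln("EXAMPLE-0002", "pillow", "9.0.1", 9.8),
    Vuln("EXAMPLE-0003", "requests", "2.26.0", 4.3),
]


@dataclass
class Policy:
    max_cvss: float = 7.0                              # block at or above this
    safelist: set = field(default_factory=set)         # "name=version" pins exempted by admin
    blocklist: set = field(default_factory=set)        # package names never allowed


def matching_vulns(name: str, version: str, db=VULN_DB) -> list:
    """All records for `name` whose fixed-in version is above the requested one."""
    ver = parse_version(version)
    return [v for v in db if v.package == name and ver < parse_version(v.fixed_in)]


def evaluate(name: str, version: str, policy: Policy, db=VULN_DB) -> tuple:
    """Return (decision, reason); decision is 'allow' or 'block'.

    Order of precedence: blocklist > safelist pin > CVSS threshold > default allow.
    """
    key = f"{name}={version}"
    if name in policy.blocklist:
        return "block", "blocklisted by IT policy"
    if key in policy.safelist:
        return "allow", "safelisted by IT policy"
    vulns = matching_vulns(name, version, db)
    if not vulns:
        return "allow", "no known vulnerabilities"
    worst = max(v.cvss for v in vulns)
    if worst >= policy.max_cvss:
        ids = ", ".join(v.vuln_id for v in vulns if v.cvss >= policy.max_cvss)
        return "block", f"{ids} (CVSS {worst}) at or above threshold {policy.max_cvss}"
    return "allow", f"highest matching score {worst} below threshold {policy.max_cvss}"


def filter_requests(requests_list: list, policy: Policy, db=VULN_DB) -> dict:
    """Evaluate a batch of (name, version) requests; keys are 'name=version'."""
    return {f"{n}={v}": evaluate(n, v, policy, db) for n, v in requests_list}


if __name__ == "__main__":
    # Constructed administrator policy and a sample batch of install requests.
    admin_policy = Policy(max_cvss=7.0, safelist={"numpy=1.21.0"}, blocklist={"pillow"})
    batch = [("numpy", "1.21.0"), ("numpy", "1.21.6"), ("numpy", "1.22.0"),
             ("pillow", "9.1.0"), ("requests", "2.25.1"), ("pandas", "1.3.0")]
    for key, (decision, reason) in filter_requests(batch, admin_policy).items():
        print(f"{key:20} {decision:5} {reason}")
```

The precedence order is the security-relevant part: a blocklist entry wins regardless of score, an exact-version safelist pin wins over a score match, and only then does the threshold apply. Pinning safelist entries to an exact version keeps an exemption from silently carrying over to a later release that may carry a worse finding. The tuple comparison only understands dotted integers, so a real filter should defer to the package manager's version parser to handle pre-release and build tags.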

Collaborating to confront risks head-on

The Executive Order includes many additional steps to improve cybersecurity, such as requiring a software bill of materials (SBOM): an inventory of the components that make up a piece of software, so that potential consumers know exactly what they are installing and can check those components against known vulnerabilities. These additional steps are essential for mitigating the many malicious cyber campaigns aimed at gathering critical information and disrupting operations across the nation. As society becomes ever more technologically driven, vulnerabilities are inevitable. However, a spirit of transparency and collaboration, combined with the right tools, will help enterprises guard against potential breaches of their systems so they can continue to innovate and safely collaborate in the open source ecosystem.


Anaconda Repository for IBM Cloud Pak for Data helps organizations identify vulnerabilities and enables greater control over open source packages in use by allowing admins to block or safelist packages based on IT policies and CVE scores.

Watch this on-demand webinar to learn how you can secure open-source data science in the enterprise.

Learn more about Anaconda Repository for IBM Cloud Pak for Data.
