Making the Case for Enterprise Open Source
95% of IT decision makers perceive enterprise open source as important.
What’s more, 77% expect to see an increase in the use of open source software in the next year.
Open source software is software with source code that anyone can inspect, modify, and enhance. Its counterpart is proprietary software, software with source code that can only be accessed and maintained by those who created it.
Enterprise open source takes things a step further than traditional open source. According to Red Hat, “enterprise open source combines the best of two worlds -- the advantages of open source with the stability, performance, support and ecosystem that is offered by enterprise software.”
In spite of the rising prevalence of enterprise open source software, there are still perceived barriers to adoption - stubborn ones that won’t seem to go away. For the second year, Red Hat’s State of Enterprise Open Source report found the top concerns when it comes to enterprise open source are security of the code (38%) and the level of support (37%).
So as an IT Decision Maker, what do you do? How do you make the case for enterprise open source?
To answer these questions and provide the building blocks for making said case, I spoke with Jonathan Hawk, Mindgrub’s Director of Managed Services. Paraphrased below are the insights he shared.
Is open source secure?
The short answer is yes - it's not inherently less secure than proprietary software. The idea that it is less secure is an outdated concern - a byproduct of days past. You could even say that, by its very nature, open source software may actually be more secure than proprietary.
To understand where misconceptions about security stem from, we have to take a look back at the rise of open source.
The landscape has changed a great deal over the years. Open source used to be seen as risky because, rather than being built and owned by one company, it’s built by a community of people. Businesses were hesitant to adopt open source software because, if something were to go wrong, there would be no central support team to call for help.
From the 90s into the early 2000s, proprietary software companies spent a lot of time spreading fear, uncertainty, and doubts about open source software, promoting the idea that because their proprietary source code could not be seen, it was more secure.
This notion, known as “security through obscurity,” is by no means sound.
In fact, with open source software, there is a much greater chance that security vulnerabilities will be discovered by the community and quickly resolved. For proprietary companies, it’s up to their staff to find those vulnerabilities.
This is the central theme of The Cathedral and the Bazaar, where it is dubbed Linus’s law: given enough eyeballs, all bugs are shallow.
In other words, the more available the code is for public scrutiny, the faster bugs will be found and resolved. If only a few developers have access to the code, it is up to that small team to sort things out.
Plus, as more people use the code, more people will be motivated to conduct security audits and fix any vulnerabilities. Because of the nature of open source, people tend to be more cautious, conducting more thorough security audits.
At the end of the day, whether it’s open source or proprietary, humans are the ones writing software. There are bound to be mistakes and some shortsightedness. Both types of platforms can - and will - have defects.
But if anyone can access the code, doesn’t that mean hackers can find and exploit those vulnerabilities first?
It’s true, a nefarious actor could discover and exploit the vulnerability before it is resolved.
In general, however, hackers tend to target the tool that is used the most. These bad actors do not target open source specifically; they target what is easiest to exploit and whatever has the most users (and, thus, the greater potential impact).
Can open source be distributed with malware?
Yes - but so can proprietary software.
Open source developers today are making strides to help users avoid downloading malware. Creators publish a hash - a fingerprint of sorts - for each release. When someone downloads the software, they receive that hash from the download source. Once the software has downloaded, the user can then calculate the hash of their new download, compare it to the published one, and confirm the two match.
If the user calculates a different hash, then they know that their download has been altered.
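As an added example of the release-hash check just described (example code, not from the article or from Mindgrub): it hashes a downloaded file in chunks, parses a SHA256SUMS-style line of the form `<digest>  <filename>`, and compares the result in constant time; the file name and digest used in the demo are constructed.

```python
import hashlib
import hmac
import os
import tempfile

def compute_digest(path, algo="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so a large release archive need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_checksums(text):
    """Parse lines in the common SHA256SUMS layout: '<hex digest>  <filename>'.
    Returns {filename: digest}; a leading '*' (binary-mode marker) is stripped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        table[name.lstrip("*")] = digest.lower()
    return table

def verify_release(path, published_digest, algo="sha256"):
    """True only if the file's digest equals the published one.
    hmac.compare_digest compares in constant time, so the check never
    reveals how many leading characters happened to match."""
    return hmac.compare_digest(compute_digest(path, algo), published_digest.lower())

def demo():
    """Constructed sample: a fake release plus the checksum line its maintainer would publish."""
    with tempfile.TemporaryDirectory() as tmp:
        release = os.path.join(tmp, "tool-1.0.tar.gz")
        with open(release, "wb") as f:
            f.write(b"abc")  # constructed content; digest below is sha256(b"abc")
        published = parse_checksums(
            "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  tool-1.0.tar.gz\n"
        )["tool-1.0.tar.gz"]
        ok_before = verify_release(release, published)
        with open(release, "ab") as f:  # simulate an altered download: one appended byte
            f.write(b"\x00")
        ok_after = verify_release(release, published)
        return ok_before, ok_after
```

A checksum fetched from the same server as the download only catches corruption or alteration in transit; if that server is compromised both can be swapped together, which is why many projects also sign their checksum files.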
Because there is no one to call for support, is open source software riskier and more likely to have bugs?
Actually, you could argue that it’s more secure because more people are able to audit it. And with more people auditing, bugs will likely be resolved much faster.
You won’t have to rely on the vendor’s team and wait for the next release. You can even fix it yourself, and avoid the entire process of reporting and waiting for a patch.
Alternatively, it may not be bugs that businesses worry about, but consultation. Often, a business needs assistance with a correctly functioning product as opposed to a malfunctioning one. Integration, customization, and performance optimization are perfectly reasonable projects a business may want to undertake with an open source software product.
Although there may not be anyone on hand among an open source project’s development team to pick up the phone and provide support, there are companies out there who exist solely to support open source projects with no single “owner.”
Why is open source good?
Open source is great because it promotes innovation. It’s about granting freedoms. It’s about treating software as something to experiment with, and something to continuously improve upon.
At its core, open source software is about licensing. It’s about being permissive with your copyrights.
There are numerous types of licenses, and how people use the software is determined by what license is chosen. We like to think of the many licenses as falling into two main frameworks.
- Reciprocal: Based on the concept of reciprocal behavior, this type of license expects that those working with the code will share the same freedom to innovate as they have received. In other words, when you make changes to the code, you are expected to license it under the same terms. This is to prevent future versions of the software from being made proprietary.
- Permissive: This type of license does not guarantee that future versions of the software will remain free and publicly available. Software under a permissive license can be made proprietary in the future.
So why is this good? It’s the permissiveness that lends itself to constant improvement of the software. Fewer hindrances mean a higher adoption rate. Open source software aims to remove some of the hurdles - like proprietary licensing - that prevent software from gaining users. The more people, the more improvement.
Making code available breeds innovation.
What are some of the potential downsides to working with open source?
As with most things, there are cons to open source.
If you’re a business, you have to pay careful attention to what the license says, and make sure you abide by it. If the open source software you are distributing has a license that requires you to make the source code available, but you don’t, you’ll be at risk of a lawsuit.
That is exactly what happened to Cisco. Years ago, Linksys, which is owned by Cisco, failed to comply with the GNU General Public License - a type of reciprocal license which, as stated above, forbids proprietization. Cisco was hit with a lawsuit, forcing them to release their code.
While lawsuits are never good for business, this did wind up breeding innovation among hobbyist consumers.
Another disadvantage, which we’ve already addressed, is that some open source projects don’t offer support. But, as mentioned earlier, there is the option to hire a third-party vendor to offer assistance with upgrades, patches, and more.
Can open source succeed?
Open source as an idea has already succeeded. Just take a look at the examples above.
We’ll probably always have proprietary software, but the more we overcome the misconceptions - especially that open source is inherently less secure - the more successful open source will become.
Open source software has already found a home in markets where proprietary software previously reigned. Darwin, the operating system that underpins macOS and iOS, as well as the kernel which powers it, XNU, are open source software. The Nintendo Switch is based on FreeBSD. Smart TVs are increasingly based on Linux, like LG webOS. Android is available on smart phones all over the world. The list keeps growing.
Fewer hindrances to adoption uniquely position open source software to strong-arm its way into serving as a de facto standard. Just take a look at Kubernetes. There’s no way any proprietary software could have achieved the same strides as the Kubernetes project in the few short years since its inception.
Is open source the future? What else can we expect?
Open source - for business especially - is the future. Taking a quick look at the 25–30 years open source software has been around, it has never stopped rising. And it’s nowhere near done.
Expensive, inflexible, proprietary software is rapidly falling out of favor. In just two years, open source software is expected to overtake proprietary as the preferred choice of enterprise-level organizations.
We’ve watched industry transitions like this happen right in front of us. Software has largely changed from a product you buy into a subscription-based service.
In the next 20 or 30 years, we’ll see commoditization of hybrid printing systems which will fundamentally alter industry. A developer will be able to design a product’s physical form, its electronic circuitry, and the software which powers it. The compiler will decide what will be printed as hardware and what will be installed as software. The line between open software and open hardware will become very fuzzy.
To summarize
Is open source secure?
All code - open source or proprietary - is written by humans and bound to have some vulnerabilities. Because open source code can be audited by the masses, though, bugs in open source software are more likely to be discovered early and resolved quickly than their proprietary counterparts.
If anyone can access the code, doesn’t that mean hackers can find and exploit those vulnerabilities first?
Bad actors do not specifically target open source software. They target what is easiest to exploit, and with more people auditing open source code, fewer vulnerabilities are likely to remain for them to exploit.
Can open source be distributed with malware?
Both proprietary and open source software can be distributed with malware. Today, open source creators are publishing a unique fingerprint, called a hash, for each new release so that downloaders can detect whether the software they received has been altered.
Because there is no one to call for support, isn’t open source software riskier and more likely to be buggy?
No, because more people can audit the code, bugs are likely to be found and resolved faster. Instead of waiting around for a vendor to come out with an update, people are able to resolve bugs on the spot.
Why is open source good?
The biggest benefit of open source is that it breeds innovation. It allows software to be something to experiment with, and something to continuously improve upon.
What are some of the potential downsides to working with open source?
If you don’t follow the rules set by the software license, your business will be at risk of a lawsuit. Some open source projects don’t offer support, or aren’t well maintained - in these instances, you’ll want to hire a third-party support team.
Can open source succeed?
Open source is already succeeding. As we continue to banish misconceptions over security and support, open source will grow even more successful.
Is open source the future? What else can we expect?
Enterprise open source is the future. Expensive and inflexible, proprietary software is rapidly falling out of favor. In the next two years, open source software is expected to overtake proprietary as the preferred choice of enterprises.
About Jonathan Hawk | Jonathan (Jon) Hawk drives technical direction across multiple languages at Mindgrub, including PHP, JavaScript, and .NET. His technical scope ranges from Drupal to Django to Operations to DevOps. He is a master of many trades, which allows his department to support a plethora of coding languages, application platforms, and infrastructures. In addition to his leadership duties as Director of Managed Services and the technical responsibilities of the organization, Jon maintains an active GitHub profile with open source libraries for Mindgrub and the community at large to use. If there is a question, he can figure out an answer, and the best and most appropriate way to do it.