Open source software development is increasingly appealing to enterprises. Rather than potentially locking themselves into costly proprietary solutions – especially for virtualization and cloud computing, which are becoming the backbone of business operations – organizations can instead make use of community knowledge and fork projects for their own specifications.
Of course, open source is not a recent phenomenon. Technologies ranging from the Linux kernel to the OpenSSL cryptographic library have long been vital to the evolution and proper functioning of the Internet. But there seems to be greater momentum than ever behind open source development, so it is worth weighing some of the operational benefits and cybersecurity pitfalls of this approach.
The recent Heartbleed vulnerability in OpenSSL, along with the flaws found in GnuTLS, shows that open source projects are not without risk. Even with the prospect of saving money and getting access to higher-quality software, users must take stock of what could go wrong. Many community-driven initiatives have numerous contributors and serve as the underpinnings of widely used products and services, yet serious flaws can still go unnoticed for years.
State of Open Source survey results show shift toward community development
Last February, Black Duck Software and North Bridge Venture Partners conducted a survey that found that open source software had become a central concern for both IT vendors and buyers. The study collected responses from more than 1,200 CEOs, systems architects, analysts and others, finding widespread enthusiasm for contributing to and adopting open source efforts.
More than half of companies are expected to contribute to more projects in 2014. Eight in ten respondents stated that they were choosing or supporting open source for reasons related to quality. Other factors included the chance to modify source code and, perhaps counterintuitively, security. Seventy-two percent asserted that open source projects, by virtue of having more eyeballs on their code, were more secure than proprietary alternatives.
Regardless of the motivation, it's clear that open source software has taken root in the enterprise. With approximately 30 percent of companies saying they make it easy for employees to participate in projects or start their own, open source software is likely to remain a fixture of business for years to come.
"This year's results signal an important shift in how enterprises view open source – a shift that will have tremendous impact on the future of development," said Lou Shipley, CEO and president of Black Duck Software. "Open source has proven its quality and security, and reached a point of widespread democratization and proliferation. As such, organizations must – and, as our survey shows, some of the more sophisticated OSS users have already begun – changing the way they view their role. Understanding that it's about more than just cost-cutting or any of the traditional reasons to simply use OSS; it's about participating and managing the logistical challenges to gain competitive advantage, attract top talent, and influence project direction."
What are the top security risks with open source software development?
Let's look at the underlying cybersecurity issues in open source development. The survey results were awkwardly timed, with the assertion that community involvement leads to safer software coming right on the eve of Heartbleed's discovery. Certainly, many of the world's leading open source efforts have thousands of eyeballs looking at them every day, but do sheer numbers ensure comprehensive security? Reading code is not the same as auditing it, and not everyone who audits an open source project is actively invested in its welfare.
OpenSSL is a good example. Although it is used by many corporations as a vital component of their cybersecurity infrastructure, OpenSSL is maintained by a very small staff and, until recently, it received relatively little funding from outsiders. Last year it received only $2,000 in donations, and its consulting services have never brought in more than $1 million, hardly an amount appropriate for its popularity and influence.
"The problem with open source is that you have the 'free rider' problem," stated security expert and Veracode CTO Chris Wysopal, according to The Economic Times. "People and companies who are using it, and getting huge value out of it, are not giving a lot of money to keep it going."
After the Heartbleed fallout, the Linux Foundation started the Core Infrastructure Initiative to provide financial support to small open source projects such as OpenSSL. More than $3 million has been contributed so far by major vendors such as Cisco, Intel and IBM. It's a step in the right direction at least, even if it does come after the fact.
Heartbleed is gradually receding from the headlines now that the vulnerable OpenSSL versions have been patched and most affected sites have been issued new SSL certificates (on fresh private keys, since the old keys could have been read out of server memory while the bug was live). However, the core issues with open source software development remain:
- The Internet as we know it is already highly dependent on open source technologies, and more of them – such as OpenFlow for software-defined networking – are on the way.
- That wouldn't be so bad if more users of open source were actively invested in supporting the products and services that provide a host of benefits to their operations.
Open source projects need real support
The "more eyeballs means better security" argument is still frequently brought up to support expansion of open source initiatives, but, as Dr. Dobb's editor-in-chief Andrew Binstock recently pointed out, the issue isn't technical so much as monetary. Open source projects still have to strike a tough balance between engaging and expanding their communities and deriving enough revenue to ensure that they are sustainable for critical, large-scale deployment. The ideal may be teams that can work full-time on open source software projects, dedicating their efforts to quality and security.
"There should be at least a half dozen full time OpenSSL team members, not just one, able to concentrate on the care and feeding of OpenSSL without having to hustle commercial work," stated OpenSSL team member Steve Marquess on his personal blog. "If you're a corporate or government decision maker in a position to do something about it, give it some thought. Please."