Open source software is the present and future. Bernard Golden of CIO states that “software innovation has decisively shifted to open source,” and this is evident across the board from operating systems to coding languages to communication tools.
While these technologies are widely adopted and some have become acceptable (and even desirable) alternatives, can open source fully replace proprietary legacy enterprise software? And more importantly, should it?
Take Jenkins, for example; Jenkins is an incredible tool, with an estimated 70% of the market share and utilized by some of the top Fortune 500 companies, including Dell, Facebook, Yahoo! and even SpaceX.
February’s Jenkins server Monero mining attack banked on the tool’s widespread and heavy use, taking advantage of a vulnerability in the code to mine over $3.4m worth of Monero cryptocurrency by installing a miner. The mining activity raised CPU to 100% across users, slowing down servers and racking up higher carrying costs for enterprises.
The worrisome aspect of this story, is not necessarily the actual attack, but that it went unnoticed for a long time. The vulnerability was discovered by an external company, after being active for months!
This raises the question — what risks are enterprises facing when adopting open source software? Can these risks be managed, and if so — how?
Open source software has many advantages to offer, but so does proprietary enterprise software. Of course it’s also important that distinct open source software disadvantages not be ignored either. Before jumping the gun, large enterprises need to consider all options carefully. How do you decide if open source tools are the best solution for your organization?
Why buy the cow if you can get the milk for free? Proprietary software can be costly, especially for larger organizations that’ll require multiple licenses and heavy infrastructure to support it. Choosing open source can result in huge savings, allowing enterprises to redirect the money elsewhere while achieving (essentially) the same capabilities.
Open source may save you a hefty sum in licensing fees, but the fact is that even “free” software comes at a cost. While you’ll save some cash with acquisition, you’ll have to spend time training your team how to use it, integrating it with your systems, and most likely, customizing it to your organizational/team needs. Though much of these hidden costs apply equally to legacy enterprise software, they are partly assumed and largely streamlined by the vendor and included in implementation costs.
The beauty of open source is that it’s available to everyone. It levels the playing field, no longer giving an unfair advantage to enterprises that can afford to foot the bill for expensive software. On the other hand, large organizations are often plagued by the bureaucracy monster, which makes it harder to spend funds. Say you want to purchase a $10,000 solution? You’ll need it approved by multiple stakeholders in the company, followed by a contract, and so forth.
Open source software is a decision that can be made with a single click.
Making something readily available to everyone has no downsides, right? Who could argue with equal opportunity? Well, big enterprise could.
Part of the (admittedly painful) process of adopting expensive software is that it forces enterprises to make choices about working processes, conduct thorough cost/benefit analyses, and make informed decisions.
The easy adoption of open source solutions — sometimes a decision made by a single individual — can create situations where teams lose touch with each other. When strategy and organizational policies aren’t taken into consideration in tandem and on a large scale, agility often comes at a high cost. This is one of the least considered but most impactful open source software disadvantages.
The flood gates have opened and literally millions of open source projects are being added to the web every year. Some open source projects aim to provide a free alternative to expensive legacy software, while others aim to tackle problems (big or small) and accelerate growth hacking.
This can pose a major challenge to teams looking to adopt open source solutions… how do you choose? Bernard Golden, VP of strategy for ActiveState Software points out that “sometimes it seems that there isn’t one good open source project to use for a particular task, there’s a hundred ok-ish projects.”
While one could hope to compare two or even three solutions for a project, doing so for dozens of comparable but possibly consequentially different solutions is nearly impossible (and not scalable).
Open source technology is, by definition, open: visible, transparent and freely discussed. Guided by experts and often overseen by many sets of eyes. With the code available to all, anyone can add or detract according to their own needs and specific use.
Enterprises with in-house developers can afford to add customized features and settings to their version of the software, and will find that this is quite necessary; open source software in its purest form is often basic. Many additional layers are needed in order to match an enterprise’s IT functionality level and security needs. Smaller enterprises will likely not have the resources to embark on this mission and will be forced to work with the software as-is.
That means that they’re equally likely to be saddled with a Swiss Army knife when what they really need is a proper wrench, or an off-the-shelf, slack in all the wrong places suit when the occasion calls for something more fitted.
With few exceptions, open source projects in their most common form are after-hours projects taken on by innovators and engineers. They’re usually not backed by a big corporation.
Distancing one’s self from big business has its obvious advantages; there are no questionable agendas or monetary considerations driving the product, the user and value to the user are at the forefront. Shareholders, investors and competitors aren’t a driving force behind the actions taken in development.
On the other hand, this also means exactly that: there is no company behind the product (in most cases). There is no customer support, no responsibility, no one making sure the product is always at its best. It is a system that relies on the goodwill, expertise and integrity of global developers…for better and for worse. At the end of the day, this represents a huge disadvantage to open source software.
What happens when a major hack or breach occurs? Who’s the watchdog? Jenkins uses a Google group to inform users of problems. There isn’t a dedicated team to get in touch with enterprises (via email, call) and warn them of security issues. Other open source projects don’t even have that level of support.
Choosing the right solutions for your organization is most likely not an either/or decision, it’s both this and that. There are some open source tools that will better fit your needs than the available legacy enterprise options, and vice versa. The key is to consider each need separately, keeping in mind the overarching organizational strategy and what the choice means in the long run.
At the end of the day, everyone is at risk for security breaches and hacks — whether they’re using open source or legacy enterprise software. Jenkins is far from being the first tool crippled by a cryptocurrency mining scheme. The question you need to ask yourself is, what happens if my organization is affected?
Putting all your proverbial eggs in any one basket is a risk, especially when the health and functionality of your IT relies on it heavily. Weighing the advantages and disadvantages offered by different approaches is critical to turning out a strategic course of action designed to minimize open source software disadvantages and maximize advantages. Mitigating risks doesn’t mean no open source, it means seeing the whole picture and making smart decisions.