Is Open Source Too Open?
While there are many advantages to open-source computing — not the least of which is affordability — IT managers should keep their eyes wide open when using open-source code in their development process.
No clear future — One potential downside to open-source software is that the overall direction of future features and upgrades is not always clear.
“The code base is always moving, and as a result, there isn’t necessarily a long-term plan or vision as there is when you purchase a software package,” said Paula Hunter, executive director of the Wakefield, Mass.-based Outercurve Foundation, a nonprofit organization that facilitates the exchange of code and understanding among software companies and open-source communities.
“With open-source computing, you don’t necessarily have a product manager that can tell you the vision for the application 18 months down the road, as you do with traditional software.”
Questionable support — Support for open-source software can be spotty.
“The rule of thumb is that if the open-source code is for technologies that every company uses, like database servers, Web servers and operating systems, there is usually a huge community with a lot of support,” said Curt Finch, CEO of Austin, Texas-based Journyx, a developer of timesheet software that uses open-source code. “Once you get into some industry-specific applications or very narrow uses, there is a dearth of experts that you can call on.”
IT managers have to do due diligence to ensure ongoing support for open-source software, just as they would for any other application running on their organization’s network.
“IT managers have to ask themselves, ‘Does the open-source software have a commercial backer that can take care of me well?’” said Robin Schumacher, director of product strategy for Bedford, Mass.-based EnterpriseDB, which provides enterprise software and services based on PostgreSQL, an independent open-source database. “If I use a piece of software that fails, I don’t want to post cries for help on a forum and hope someone in Bulgaria responds.”
Security risks — While there are some potential security risks to using open-source code, many of those risks can be mitigated with the proper software controls, and the security holes are not significantly greater than those found in traditional software.
“The security issue can be argued either way, but most believe the open-source software model provides a better environment for superior security,” said Jim Bell, chief marketing officer for Jaspersoft, a San Francisco-based business intelligence software firm, in a statement. “Proprietary software does not provide source code, so the code is secret, making it harder to identify holes by outsiders. However, the result is that proprietary software security is reviewed by a much smaller and less diverse audience, adding risk,” Bell said. “Hackers will reverse engineer it to determine security vulnerabilities. Open-source code is generally available, making it more transparent to customers and hackers alike. However, it typically undergoes greater scrutiny with a wider audience,” he added.
IT departments need to have the proper security checks in place, whether they’re using packaged software or open-source code.
“Open-source software isn’t necessarily less secure than other software — and many feel it is just as or even more secure — but that does not mean there are no security vulnerabilities,” said Peter Vescuso, executive vice president of marketing and business development for Black Duck Software, a Waltham, Mass., company that provides products and services for enterprise-scale adoption of open-source software. “With open source, you still need to have a process in place for selecting and evaluating code.”