Open-Source Software Is Extremely Useful But Treat It With Care

Security | 6 minutes read | Jan 28th, 2021

In the recent past, there was a fair amount of skepticism about the open-source movement. That’s no longer the case. Today engineering teams are using a lot of open-source capabilities.

The way open-source is applied and delivered has also evolved. Open source used to be the bailiwick of consortiums that maintain platforms such as Kubernetes and operating systems such as Debian or Ubuntu Linux. But now various individual suppliers offer open-source solutions, and open-source is expanding into core engineering tools.

Companies like Elastic and Grafana have huge customer footprints and rapid revenue growth. More than 4 million users and hundreds of thousands of organizations globally use Grafana’s open-source software for data visualization and analysis. That includes major businesses such as Bloomberg, PayPal and Sony. Walmart, P&G and Audi are among the customers of Elastic, which is “redefining search” with open-source. And CB Insights says the open-source services industry will approach $33 billion by 2022.

This is happening because open source solutions are easy to access and the capabilities are top quality. Plus, you don’t necessarily need to pay for these capabilities. They’re available for free.

That’s wonderful. But as a top business leader or developer, you need to consider the implications of using open-source solutions when you move into production.

Know when your development teams are leveraging open-source.

If you are in senior management, be sure you know when your development teams are using open-source. If you don’t, you could be caught off guard as things evolve. Keep this in mind when you’re doing mergers and acquisitions. If a company you acquire has applications including open-source and you don’t know it, you could face expensive license violations.

In today’s world, you can use many open-source community versions just for development. When you move into production, you often need to have a license and there might be limitations on what you can release.

Understand that different open-source software providers have different models. Some open-source software providers have a client license you pay for. Others may ask you to register who the client is because they can’t always tell who the user is. If privacy concerns and business practices prevent you from disclosing who your clients are, you must find a different approach.

Make sure developers understand the implications of their efforts.

Be sure the product development side of your business appreciates the implications of open-source. If you are a developer or oversee product development and operationalization, take the time to ensure that you and your team are disciplined in understanding your exposure. For example, when you move into production, you may need to have a formal license.

Understand and assess your needs and potential exposure in terms of support and response time for that support. We have found that if you don’t have a commercial support agreement with some open-source software providers, it can take a week or two to get support.

Be aware that vendors might first address common vulnerabilities and exposures (CVEs) in the commercial versions of their software before those fixes reach the open-source version. Some vendors expect you to put proxies and web application firewalls (WAFs) in front of open-source products that carry high-severity CVEs.

Move to a commercial version when the time is right.

Be aware that if you don’t have a commercial open-source software license, you may not get early access to the software company’s releases. You will only get the updated software when the supplier releases the community version. Open-source software providers have become smarter about this in an effort to drive users to their commercial offerings.

The question you must ask yourself is whether you can get away with what you have or whether you need access to the latest and the best software. The answer depends on your business case.

If you’re using open-source to support an established business or you feel that your open-source effort will attract a good amount of business, then you might want to invest in a commercial license. But if you’re applying open source to an emerging area and/or doing a proof-of-concept effort with customers, you may want to wait to see whether your solution sticks. If it does, then you may want to move from the free to the commercial model.

Seek a solution provider that will make it easier for you to leverage the best of open-source.

Consider working with a solution provider that packages open-source capabilities. That way, you can avoid the hassle and overhead of integrating software with an in-house team. This gives you fast access to a solution that, for example, employs Grafana for viewing on the frontend and Elasticsearch, Kibana and Logstash on the backend. It’s even better when you have a supplier that can enable that integration, bring API capabilities into your application stack and provide other needed functionality such as trusted identity access.

Getting open-source right is extremely important considering it is a key part of IT modernization that’s enabling digital transformation. As part of their digital transformations, companies are adopting more cloud-native applications. As more applications move to the cloud, a greater number of companies are beginning to leverage microservices. With a microservices approach, you have your stack, your integration engine and your software engine, all of which may leverage open source elements. You build microservices on top of that to get economies of scale and benefit from plug-and-play functionality across products and capabilities.

There are clearly strong benefits to using open-source software, which covers a vast range of functionality that may be prohibitively expensive to develop internally. It’s easy to use and simple to access, and it has become a key element in digital transformation. But you should also be mindful of the implications of open source.

If you plan its implementation properly, you can effectively manage it and reap the benefits.



About The Author

Sudhir Mehta

Sudhir Mehta is the Global Vice President for Product Management, Program Management and Strategy, where he leads and executes our strategies across products and applications, partnering with Products and Platforms teams, Enterprise leads and Strategic Partners to achieve our defined business outcomes.
