Open Source in the Enterprise

Abstract

Open source has been gaining lots of steam in recent years. Many enterprise companies are adopting "open source" projects (where the source code is free to use, modify and distribute) and encouraging their own staff to contribute to them. But do these projects pose a threat to enterprise security? While some projects are backed by major corporations, others are maintained by unidentified developers who hold zero liability for issues in their code. This paper discusses the benefits open source brings to the enterprise and examines the common concerns (legal and security-related) about adopting open source software.

Introduction

In recent years, open source software has seen greater adoption by enterprise companies. Companies that build in-house tools are now deciding to open source portions of them for the community to consume and collaborate on, and many openly advertise their open source initiatives to gain favour in the tech community. It wasn't always like this; historically, many enterprise companies were hostile to the idea of open source software. Most notably, in 2003 Microsoft CEO Steve Ballmer (a notably anti-open source personality) said, "In the end, there's no one to be held accountable for flawed software in an open-source model." (Pennington, 2018). Microsoft held that stance until Satya Nadella became CEO in 2014 and changed the company's direction drastically. It is now a big advocate for open source, to the extent that Microsoft is one of the biggest contributors to open source in terms of active developers (Asay, 2018). These are contradicting perspectives on the topic, which raises the following questions: what benefits do companies get from using open source software, and what benefits do they get from open sourcing their own tools? What has changed in the past decade to spark this interest, and should companies be adopting open source at all (i.e., is it safe for consumption)? These questions need to be answered to determine the relevance of open source software in today's industry.

Benefits of Open Source Software

One of the main advantages of open source software is the speed it brings to development due to its inherent culture of code reuse. This ranges from command line tools that help with analysis or deployment of software all the way down to the GUI components incorporated in the websites we see today. Developers are encouraged to share their solutions and, if they can't find a solution for their specific use case, to improve an existing one and share that with the community. This collaboration has produced a lot of useful open source software that is used in industry today. The widespread availability of ready-made components has encouraged the "move fast and break things" mindset coined by Facebook. Being able to ship code quickly has helped companies like Facebook flourish, as they go through many prototypes while receiving constant user feedback.

Hiring Perspective of Open Source

Public Opinion from Developers of Open Source

The 2019 Stack Overflow developer survey shows that 65% of the professional developers on its platform contribute to open source software (Stackoverflow, 2019). Furthermore, James Pearce, a former head of the open source program at Facebook, released survey results stating that about two thirds of Facebook's software developers were aware of the company's open source efforts and said that it positively contributed to their decision to work there (DeCausemaker, 2014). It is clear from this that developers appreciate open source culture.

Many companies are now following suit by releasing tools as open source, such as React (from Facebook), Docker (from dotCloud) and VS Code (from Microsoft). These projects now have hundreds of active contributors, a sizable portion of whom are not employees of the sponsoring company. A 2018 report produced in partnership between The Linux Foundation and Dice found that hiring open source talent is a priority for 83% of hiring managers, from a sample of more than 750 hiring managers (The Linux Foundation, 2018). This is advantageous for companies: external contributors add capacity without the cost of hiring, and, if needed, the contributor base is a proven talent pool from which they can attempt to hire.

Recruiting from Open Source

GitHub is an extremely popular "social coding" platform for developers, and several of the well-known open source tools mentioned above are hosted there. So, what better place to look for great developers than the place they hang out? A study of employers showed that candidates can make a good impression on hiring managers through contributions to popular projects; managers treat those contributions as a seal of approval from the developer community that the candidate can write good code (Marlow, 2013). The employers in that study also believed these signals were better indicators than a resume, since they could evaluate soft skills in addition to hard skills by observing how a candidate manages other people and maintains their own projects. Public contribution history is therefore a legitimate recruiting signal.

From this, we can tell that enterprise companies that decide to participate in the open source culture will have additional resources when it comes to hiring developers.

Profitability in Open Source

Clearly, the open source culture gives companies a numbers advantage when it comes to maintaining projects, but where is the monetary value in this? People may be quick to assume that companies lose their ability to profit when they publish their source code. However, multiple companies have thrived in the open source space and are doing extremely well today.

Elastic is the company behind Elasticsearch, a search engine first released in 2010 and built on the existing open source Apache Lucene library. Together with Logstash (log collection) and Kibana (visualization) it forms the ELK (Elasticsearch, Logstash, Kibana) stack, which lets organizations aggregate and search information from their systems. Elastic is a prime example of a company finding success in the open source space. Its business model revolves around offering enterprise support and additional features on top of the open source product. Elastic's fiscal 2019 earnings release reported FY19 revenue of $261.5 million, with 1,442 employees in over 35 countries worldwide (Elastic Search, 2019).

Case study of Red Hat

Red Hat, founded in 1993, describes itself as the world's leading provider of enterprise open source solutions. It created the popular RHEL (Red Hat Enterprise Linux) distribution, which runs on servers at companies worldwide because of its robustness and support. Red Hat also maintains OpenShift (a container platform) and Ansible (an automation tool), which help organizations scale their software to enterprise level. Its business model likewise revolves around offering enterprise support and solutions on top of its open source products. Red Hat's fiscal 2019 results reported FY19 revenue of $3.4 billion (RedHat, 2019). So it is quite evident that open sourcing software can still be quite profitable for companies that go down this route.

Now, what should companies that are not in the business of selling open source support be concerned about when incorporating open source into their products? While the companies above provide enterprise support for some critical software suites, they cannot possibly support every open source project out there. For many projects, contributions come from developers who have zero liability for their work and no incentive to support it for the enterprise for free. Does this make Steve Ballmer's earlier quote worrying for enterprise adoption? Let's find out.

Considerations for Open Source Software

Legal adoption – Open Source Licensing

If you're planning on incorporating open source software into your company, the first thing that should come to mind is the copyright terms of the projects involved. Thankfully, this has been thought through already: a small number of standard open source licenses cover most company needs. A survey of license usage on GitHub found that, overall, only about 20% of projects carried a license at all, and that among licensed projects the clear favourites were MIT, GPLv2/3 and Apache, which together accounted for about 77.2% of licensed projects (Balter, 2015). This is good for companies, since they only have to understand the rules set out by a handful of licenses to begin incorporating the majority of licensed projects into their work. The 80% of unlicensed projects are the real trap: without a license, the default is "all rights reserved", and the code cannot legally be reused at all.

Copyleft Licenses

Copyleft licenses are, in a sense, the opposite of conventional copyright. Whereas copyright reserves the rights to use, modify and redistribute a work to its rights-holder, copyleft uses copyright to guarantee the four essential freedoms of free software to everyone: the freedom to run the program as you wish for any purpose, the freedom to study the program and change it as you wish, the freedom to redistribute copies to help others, and the freedom to distribute copies of your modified versions to others. Any software that grants these four freedoms is free ("libre") software, as defined by Richard Stallman (Free Software Foundation, 2019). All of the common open source licenses grant these freedoms to the recipient; what differs is the conditions they attach when you redistribute the software or works derived from it, and some impose far more conditions than others.

Permissive and Weak Copyleft Licenses

Permissive licenses (MIT, BSD, Apache 2.0) essentially only require users of the software to give credit to the developer or organization by keeping the copyright notice and license text with whatever code was taken from the project; Apache 2.0 additionally grants an explicit patent license and requires that any NOTICE file be preserved. Beyond that, anyone can use, modify and redistribute the software, including inside proprietary products, without further obligations. Weak copyleft licenses such as the LGPL sit one step up: modifications to the library itself must be released under the same license, but a program that merely links against the library is not affected. Both categories are well suited to most enterprise companies, since they can freely use and modify the software as they see fit. Visual Studio Code is an example: its source code is released under the permissive MIT license, while the Microsoft-branded binary distribution carries additional proprietary terms, so that particular build is not free software even though the source is.

Strong Copyleft Licenses

These licences also grant all four freedoms mentioned earlier, but with a condition: GPLv2, GPLv3 and AGPLv3 require that any work derived from the licensed code be distributed under the same GPL licence, with the corresponding source code made available to recipients. The differences between GPLv2 and GPLv3 are modest: GPLv3 adds an explicit patent licence from contributors, is compatible with the Apache 2.0 licence, and forbids hardware that refuses to run modified versions of the software (so-called "tivoization"). Neither version treats providing the software as a network service as distribution, which is exactly the gap the AGPLv3 closes: users who interact with an AGPLv3 program over a network must be offered its source code. These licences are generally considered a risk for the enterprise because of their viral nature when combined with proprietary code.

Companies need to be vigilant about their licence usage, since breaking the terms of the GPL is copyright infringement and the copyright holders can sue for damages. There have been several documented cases of companies being sued for misusing GPL-licensed software. In one of the better-known cases, the developers of BusyBox (represented by the Software Freedom Conservancy) sued Westinghouse Digital Electronics for shipping their GPLv2-licensed software in embedded televisions without complying with the GPLv2's terms. Westinghouse did not defend the case, and in 2010 the court entered a default judgment of $90,000 in damages in BusyBox's favour (Timmer, 2010).

If you're planning on incorporating work from these libraries into proprietary enterprise products, the safe default is to prefer permissive and weak copyleft licences, since strong copyleft licences pose a potential threat to your company's intellectual property. In practice this means inventorying the licences of every dependency (including transitive ones) and treating unlicensed or GPL/AGPL components as findings to be reviewed rather than silently shipped.

Security of Open Source Software

Many of the components in the software we use daily are open source; recall the television example above, which shows how easy it is to incorporate these projects into products. This becomes a problem when those components pose a threat to your security. Some open source codebases are extremely large: the Linux kernel alone now holds about 25 million lines of code (Larabel, 2018). Codebases of this size cannot reasonably be manually analyzed for vulnerabilities by a small team of developers, so most companies will have to rely on automated or crowd-sourced efforts. There is also the question of whether closed source software is more secure than open source software, which needs to be answered first.

Security: Open Source vs Closed Source

The main argument against open source software being secure is its lack of security through obscurity: since the source code is public, attackers can study it to identify vulnerabilities and abuse them. A study by Hoepman and Jacobs concluded that in the long run open source software will be more secure, while closed source software puts the defender at a greater disadvantage (Hoepman, 2008). Opening the source will likely produce a spike of disclosures at the beginning, as latent vulnerabilities become public, but as time goes on these vulnerabilities are patched quickly, shortening the window in which each one can be exploited. This is not the case with closed source software, where more often than not a vulnerability is abused for an extended period before it is identified and patched. This follows from Linus's Law, "Given enough eyeballs, all bugs are shallow", which simply put means that given enough beta testers and co-developers almost any problem will be identified quickly and fixed accordingly (Raymond, 2000). Hoepman and Jacobs also provide a real-life example of how little obscurity buys: when portions of Microsoft's Windows NT source code leaked, the first exploit based on it was published within days.

This form of security through collaboration will likely make open source software more secure in the long run, as security vulnerabilities are reported to the developers and patched promptly. The caveat for the enterprise is that "many eyeballs" only helps projects that actually have them: a small or abandoned project with an open license gets the attacker's scrutiny without the defender's, so adopters still need to audit what they consume.

Auditing techniques for Open Source Software

As mentioned before, with the ever-increasing size and complexity of projects, developers need a better way to audit code before consumption. The solution is automation or crowd sourcing. Depending on the platform the software targets, there is a wide variety of tools available for detecting security issues.

Static Code Analyzers

If you're developing standalone applications that primarily run on Linux servers, there is a mix of static analyzers such as BOON, CQual and RATS that help with detecting buffer overflows, inconsistent use of values (e.g., tainted versus trusted data) and general inspection of programs for security vulnerabilities. The issue with the more precise of these tools is that they need several hours to analyze modestly sized programs, which isn't reasonable when you're trying to vet code with millions of lines (Cowan, 2003). The cheaper, pattern-based tools like RATS scale to such sizes, at the cost of more false positives.
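To make the pattern-based end of that spectrum concrete, here is an added example (written for this page, not taken from RATS, BOON or CQual) of the kind of lexical check a RATS-style scanner performs: it walks C source line by line, ignores comments and string literals so that a function name mentioned in a comment is not reported, and flags calls to library functions that write to a buffer without a length or hand data to a shell. The table of dangerous calls and the sample C source are constructed for the example; the advice strings are the usual hardened replacements.

```python
import re
from typing import List, Tuple

# Constructed table of C library calls that pattern-based scanners flag:
# they write to a caller-supplied buffer with no length, or run a shell.
DANGEROUS_CALLS = {
    "gets":    ("high",   "reads unbounded input; use fgets(buf, sizeof buf, stdin)"),
    "strcpy":  ("high",   "no length check; use snprintf or strlcpy"),
    "strcat":  ("high",   "no length check; use snprintf or strlcat"),
    "sprintf": ("medium", "no length check; use snprintf"),
    "scanf":   ("medium", "%s without a width is unbounded; use a width or fgets"),
    "system":  ("high",   "shell injection if untrusted data reaches the command"),
}

CALL_RE = re.compile(r"\b(" + "|".join(DANGEROUS_CALLS) + r")\s*\(")
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')


def strip_noise(line: str, in_block_comment: bool) -> Tuple[str, bool]:
    """Remove string literals and comments from one line so a call name inside
    them is not reported. Returns the cleaned line and whether a /* ... */
    comment is still open at the end of it."""
    out = []
    i = 0
    while i < len(line):
        if in_block_comment:
            end = line.find("*/", i)
            if end == -1:
                return "".join(out), True
            i = end + 2
            in_block_comment = False
        elif line.startswith("//", i):
            break
        elif line.startswith("/*", i):
            in_block_comment = True
            i += 2
        elif line[i] == '"':
            m = STRING_RE.match(line, i)
            if m is None:
                break  # unterminated string literal: ignore the rest of the line
            out.append('""')
            i = m.end()
        else:
            out.append(line[i])
            i += 1
    return "".join(out), in_block_comment


def scan_c_source(src: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_number, function, severity, advice) for every dangerous call."""
    findings = []
    in_comment = False
    for lineno, raw in enumerate(src.splitlines(), start=1):
        line, in_comment = strip_noise(raw, in_comment)
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            severity, advice = DANGEROUS_CALLS[name]
            findings.append((lineno, name, severity, advice))
    return findings


# Constructed sample: the sort of code a vendor might ship in embedded firmware.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>
/* strcpy in this comment must not be reported */
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);            // line 7: unbounded copy into buf
    printf("gets() says hi\n");   // 'gets' only appears inside a string literal
    snprintf(buf, sizeof buf, "%s", name); /* bounded: fine */
    system(buf);                  // line 10: user-controlled shell command
}
'''

if __name__ == "__main__":
    for lineno, fn, severity, advice in scan_c_source(SAMPLE_C):
        print(f"{severity.upper():6} line {lineno}: {fn}() - {advice}")
```

Run against the sample it reports only lines 7 and 10. A scanner this simple has no notion of data flow, so it will also flag a `strcpy` whose source is a compile-time constant; that is the precision BOON and CQual buy with their longer run times.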

Cloud based solutions

If you're developing applications for cloud environments, you will also want tools that work at the host and network level. There is a wide variety of tools for information gathering, scanning, exploitation and forensic analysis. Examples are Netcraft (anti-fraud and anti-phishing), Nessus (vulnerability scanning of hosts and their configuration), Wireshark (network sniffing and monitoring) and Aqua's container scanner (Docker image risk assessment) (Almatari, 2018). These tools are useful for identifying vulnerabilities in the software you incorporate before it is deployed to production, which helps avoid the common, easily abusable issues.

Crowd sourcing

While many of the automated solutions are great, most have shortcomings in terms of performance. A useful complement is to crowd source the bug finding, and platforms like GitHub now make the results of that crowd sourcing actionable: GitHub's security alerts match the dependency manifests of projects hosted on the platform against known vulnerable versions of open source modules and notify the maintainers (Han, 2017). This feature is extremely helpful for shortening the vulnerability window of many projects at once, allowing them to either remove the affected module or update to the latest version, which likely contains the security patch.
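The matching step behind such an alert is straightforward to reproduce locally, which is worth doing for code that is not hosted on GitHub. The following is an added example written for this page, not GitHub's own implementation: it reads the pinned versions from a requirements.txt-style manifest, compares each against a list of advisory records in the usual "introduced version, fixed version" shape, and reports the pins that fall inside an affected range. The advisory records, package names and manifest are constructed for the example (the identifiers are placeholders, not real advisories).

```python
import re
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) so tuples compare numerically, not lexically.
    A trailing non-numeric piece such as 'rc1' is dropped; that is enough for
    the dotted numeric versions this example uses."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
    return tuple(parts)


# Constructed advisory records in the shape a vulnerability database exposes:
# versions in [introduced, fixed) are affected. Placeholder IDs, not real CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "examplelib", "introduced": "0.0.0", "fixed": "2.3.1"},
    {"id": "EXAMPLE-0002", "package": "examplelib", "introduced": "3.0.0", "fixed": "3.0.4"},
    {"id": "EXAMPLE-0003", "package": "othertool",  "introduced": "1.2.0", "fixed": "1.2.9"},
]

# Matches exact pins ("name==1.2.3"); ranges like ">=2.0" are deliberately skipped,
# because without an exact version there is nothing to compare against.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][^\s;#]*)")


def parse_requirements(text: str) -> Dict[str, str]:
    """Read name==version pins from a requirements.txt-style manifest;
    comments, blank lines and unpinned entries are ignored."""
    pins = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (the fixed version itself is safe)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_vulnerable(pins: Dict[str, str], advisories=ADVISORIES) -> List[Tuple[str, str, str, str]]:
    """Return (package, pinned_version, advisory_id, fixed_version) for each hit."""
    alerts = []
    for adv in advisories:
        ver = pins.get(adv["package"].lower())
        if ver is not None and is_affected(ver, adv["introduced"], adv["fixed"]):
            alerts.append((adv["package"], ver, adv["id"], adv["fixed"]))
    return alerts


# Constructed manifest for a hypothetical service.
SAMPLE_REQUIREMENTS = """\
# constructed manifest, not from any real project
examplelib==2.1.0      # inside EXAMPLE-0001's affected range
othertool==1.3.0       # already past the fix in EXAMPLE-0003
requests>=2.0          # unpinned: no exact version to match
"""

if __name__ == "__main__":
    for pkg, ver, adv_id, fixed in find_vulnerable(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"{pkg}=={ver}: {adv_id}, upgrade to >= {fixed}")
```

The unpinned `requests>=2.0` line is the case to notice: a manifest that does not record exact versions cannot be checked at all, which is why lock files (or a generated software bill of materials) are a prerequisite for this kind of alerting.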

From this we can see that a wide variety of tools and crowd-sourced resources is available for auditing software. These resources can readily be used to audit open source software and to keep the consumer informed of security vulnerabilities that arise in the open source projects they depend on.

Closing Remarks

Open source software has many advantages for enterprise companies, which can benefit greatly from the opportunities it creates in hiring and in their overall business models. We have given an overview of the legal aspects of incorporating open source software into the enterprise and the licence rules companies must abide by to stay out of trouble. We have also discussed the main argument against open source software being secure, and found that the cited analysis supports open source being more secure in the long run. Enterprise companies can verify the software they use with existing auditing tools, and can make use of crowd-sourced vulnerability alerts to stay on top of emerging security issues in their dependencies. With this, we can make the case for open source projects to be adopted by enterprise companies.

Bibliography

Almatari, O., et al. (2018, October). Cybersecurity tools for IS auditing. Retrieved from https://www.researchgate.net/publication/327369940_Cybersecurity_Tools_for_IS_Auditing

Asay, M. (2018, November 4). Microsoft may be the world’s largest open source contributor, but developers don’t care–yet. Retrieved from https://www.techrepublic.com/article/microsoft-may-be-the-worlds-largest-open-source-contributor-but-developers-dont-yet-care/

Balter, B. (2015, March 9). Open source license usage on GitHub.com. Retrieved from https://github.blog/2015-03-09-open-source-license-usage-on-github-com/

Bui, T. (2014). Analysis of Docker Security. Retrieved from https://arxiv.org/pdf/1501.02967.pdf

Cowan, C. (2003). Software security for open-source systems. IEEE Security & Privacy, 1(1), 38-45. Retrieved from https://journals-scholarsportal-info.myaccess.library.utoronto.ca/pdf/15407993/v01i0001/38_ssfos.xml

DeCausemaker, R. (2014, October 22). Head of Open Source at Facebook opens up. Retrieved from https://opensource.com/business/14/10/head-of-open-source-facebook-oscon

Elastic Search. (2019, August). Elastic N.V. Reports Strong Fourth Quarter and Fiscal 2019 Financial Results. Retrieved from https://ir.elastic.co/Cache/1001253311.PDF?O=PDF&T=&Y=&D=&FID=1001253311&iid=5249851

Free Software Foundation. (2019, July 30). What is free software? Retrieved from https://www.gnu.org/philosophy/free-sw.en.html

Han, M. (2017, November 16). Introducing security alerts on GitHub. Retrieved from https://github.blog/2017-11-16-introducing-security-alerts-on-github/

Hoepman, J.-H., & Jacobs, B. (2008). Increased security through open source. arXiv:0801.3924. Retrieved from https://arxiv.org/pdf/0801.3924.pdf

Larabel, M. (2018, September 16). The Linux kernel has grown by 225k lines of code so far this year from 3.3k developers. Retrieved from https://www.phoronix.com/scan.php?page=news_item&px=Linux-September-2018-Stats

Marlow, J. (2013). Activity Traces and Signals in Software Developer Recruitment and Hiring. Retrieved from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.463.6673&rep=rep1&type=pdf

Pennington, H. (2018, March 15). Steve Ballmer was right about open source. Tidelift. Retrieved from https://blog.tidelift.com/steve-ballmer-was-right-about-open-source

Raymond, E. S. (2000). The cathedral and the bazaar.

RedHat. (2019, March 25). Fourth quarter and fiscal year 2019 results [press release]. Retrieved from https://investors.redhat.com/news-and-events/press-releases/2019/03-25-2019-201454520

Stackoverflow. (2019, July 7). Developer Survey Results 2019. Retrieved from https://insights.stackoverflow.com/survey/2019

Synopsys. (2014, April 29). The Heartbleed bug. Retrieved from http://heartbleed.com/

The Linux Foundation. (2018). Open source talent in demand, with Linux back on top (2018 Open Source Jobs Report). Retrieved from https://www.linuxfoundation.org/publications/2018/06/open-source-jobs-report-2018/

Timmer, J. (2010, August 5). Ars Technica. Retrieved from https://arstechnica.com/information-technology/2010/08/court-rules-gpl-part-of-a-well-pleaded-case/