Pieter van der Giessen
Why Open Source is the way to go
Many companies struggle with the adoption of Open Source Software (OSS). Questions like ‘How do we know it is secure?’, ‘How do we know this project will be maintained?’ and ‘How do we know we get support when we need it?’ often prevent companies from using Open Source products. The alternative - a Closed Source product delivered by a vendor with expensive consultants - is very attractive to risk-averse managers. This article discusses some of these issues and aims to challenge your beliefs about Open Source Software.
What are the real costs?
Open Source Software (OSS) is most often free. Sometimes there are licensing conditions to be aware of, but the vast majority of mainstream OSS can be used by your company. Of course, nothing is truly free: you will need skilled engineers to implement the product.
When you need more support, you can pay companies like Red Hat or DataStax to deliver support on (originally) Open Source products like CentOS and Cassandra. This can be either in the form of licenses or in the form of support contracts, where you are guaranteed that there is someone to help you in case disaster strikes.
This seems like a tempting option. However, there is no guarantee that the support engineers will be able to solve your issue. Your company’s own actions are very likely to be the cause of the issue, and your own engineers will need to do the majority of the problem-solving. Besides this, in practice, these support hotlines are seldom used. Engineers are engineers for a reason: they like to figure stuff out. So before they call the expensive support line (if they even know such a support contract exists), they will spend quite some time figuring out the problem themselves.
This time spent is actually an investment: your organizational knowledge of the product increases. However, you are still paying another company a huge amount of money. On many occasions, skilled engineers on the customer side are more knowledgeable about the product than the average support engineer on standby, especially when you take into account the specifics of your organization.
Instead, if you encourage your engineers from day one to take ownership of the (Open Source) product, you reap the same benefits, but this time without the huge costs of a support contract. It also empowers your engineers to take ownership. Win-win!
Open Source Software is not as safe as Closed Source Software!
Many people consider OSS less safe than its Closed Source counterparts. The main argument is that by publishing the code, it becomes easier for attackers to find attack vectors.
In the security domain, the above reasoning is referred to as ‘Security through Obscurity (STO)’. By relying on obscurity, some people think they will minimize the risk of being targeted by an attack.
The truth is that – although STO may be an additional layer of protection – it is not going to be sufficient to keep attackers out. If you leave your back door secretly unlocked but don’t tell anyone, it is still possible that someone tries to open it at night, with or without a crowbar.
By releasing the source code, you enable all professionals worldwide to review your code. Especially the larger projects will benefit from this knowledge of the masses. This does not guarantee bug- and vulnerability-free code, but it is a very important step.
It also allows your company to scrutinize the code against the same standards you would apply to internally developed code. So performing your security scans, code reviews, etc. is perfectly possible with OSS.
What if the maintainers quit?
Many (but not all) OSS projects are maintained by volunteers who are often not even paid for their work. Some consider this a risk, since those maintainers could quit, get ill or move on to another project.
The truth is that the OSS that is interesting for your company is probably useful for a reason: it’s a good product and it fulfills a need. If that is the case, it probably does so for other companies as well. This means that even if contributors were to quit, new ones will step up because the product is still needed.
What if they don’t? There are two options. Firstly, consider very carefully why your company is the only one that still needs this product to be maintained. Did the market move on? Is your setup so specific? It is probably time to start migrating to a new tool, as the market is signaling by no longer looking after this project.
The other, very attractive option – and please don’t wait with this until the other maintainers dry up – is to have your employees contribute to the project. Many engineers consider this a very fulfilling part of their job, and it will make your company stand out as a good employer. It also allows you to actively influence the product, its roadmap, and the prioritization of new features you may need.
What are other benefits of Open Source?
One of the main advantages of using Open Source is that you will minimize the risk of vendor lock-in. Of course, it will always take time to migrate from one technology to the other, but in the case of Open Source, the standards that are used are generally open standards and not proprietary ones.
This means that the way the software works together is usually plug-and-play: for example, Grafana can visualize a whole range of data sources, from Open Source components like Prometheus to cloud-specific sources like Azure Monitor. In this case, if you would like to change the way you collect your data, you can easily swap out only that component, leaving the rest of your setup untouched.
Is there a better way of getting the support I need?
Before buying expensive contracts or licenses with the multiple vendors of the different components in your ecosystem, please consider contacting a company that loves to work with Open Source. They know your struggles, but they also know that you hired good engineers that probably want to learn how to solve those issues as well.
There are many companies in the market – of which Pionative is one – that can deliver on-demand support for the Open Source Software you use. Such a company gives you support on your whole stack, not only on the product they built themselves. No finger-pointing, but problem-solving and back to business. Who doesn’t love that?
We are Pionative and we love Open Source