“The term open source also refers more generally to a community-based approach to creating any intellectual property (such as software) via open collaboration, inclusiveness, transparency and frequent public updates.”
— IBM.com
10 key takeaways for open source
- Open source constitutes 70% to 90% of any given piece of modern software.
- The most well-known project that helped expand the idea of open source was the creation of the Linux operating system (OS).
- Open source is free in the sense you can freely modify, share or enhance open-source software. A common phrase used in reference to open-source software is “free as in free speech, not free as in free beer.”
- The open-source principles of openness, collaboration, design-by-community and free sharing are embraced by industries from higher education and medicine to agriculture and food and beverages.
- The two basic categories of open-source licenses are permissive and copyleft.
- The Open Source Initiative, Linux Foundation and Mozilla Foundation are three of the most well-known open-source organizations.
- Some of the more well-known open-source projects are Linux, Docker, Kubernetes and, surprisingly to some, WordPress.
- Open-source security approaches include encryption, software-defined security orchestration, secure software update systems, cloud-native policy control and cloud-native runtime security programs.
- The benefits of open source include flexibility, reliability, transparency, cost savings, freedom and neutrality. The disadvantages are security issues, hidden costs, a potential lack of support and weaker usability.
- Whether open source is right for your company or enterprise depends on your company’s culture and overall goals. For organizations that have a DIY attitude and desire freedom and visibility in the tools they use, open source can be ideal.
Open source: An overview
Simply put, open-source software is licensed in a way that allows people to freely use, study, modify and distribute the software. These open-source licenses differ greatly from proprietary software licenses, where only the original owner can copy, alter or distribute the software.
While the definition of open source is straightforward and commonly accepted, the open-source concept is the subject of many debates, philosophical discussions and ethical dilemmas. And because it’s so prevalent in our modern technology infrastructure, there’s also a dark side to open source: In December 2021, a vulnerability within the Log4j software (a popular open-source Java library for logging error messages in applications) was exploited by hackers, impacting an estimated 44% of corporate networks worldwide. Experts say that number is most likely higher, as new instances are still being discovered years later.
The incident provided a cautionary, eye-opening tale on the dangers of open-source software, and showed the world just how ubiquitous open source is. It is estimated by the Linux Foundation that open source constitutes 70% to 90% of any given piece of modern software.
“Open-source software touches every corner of today’s software development ecosystem,” Henrik Plate, lead security researcher at Endor Labs Station 9, said in an earlier interview with SDxCentral. “But while the adoption of open source has steadily increased over the decades, the security of our software supply chains has long not been given the attention it requires.”
In this article, we’ll look at open source as it relates to the software and hardware industries, how open source has evolved over time, the importance of security and whether open source is the right answer for your organization.
What does open source mean?
The term “open source” is relatively recent; it was coined in 1998. Before that point, software that we now call open source was referred to as “free software” or “freeware.” However, the word “free” had social and political connotations that made it a hot-button topic, so a group of influential free and open-source project leaders brainstormed a new name and held a vote at the April 1998 Freeware Summit event (which is now known as the Open Source Summit).
In an earlier interview for SDxCentral’s podcast, Deb Bryant (who was senior director of the open-source program office at Red Hat at the time and is now U.S. policy director of the Open Source Initiative) talked about the evolution of the open-source concept. She said the most well-known project that helped expand the idea of open source was the creation of the Linux OS.
Linux was “created by an engineer who found that the operating systems on the market tended to be very big and bloaty, and didn’t afford an opportunity to deliver exactly what he wanted. And so, created a project and asked others to join,” Bryant explained.
Around the same time as the open-source name was being debated, Eric Raymond published his seminal essay “The Cathedral and the Bazaar,” which described the two philosophies of software development. The “cathedral” represents a closed-source model where developers sit in their ivory tower, building an application hidden from the world and unveiling it when ready. In the “bazaar,” which represents the open-source model, everything is visible, transparent and much more free-flowing. The implication back then was that Microsoft represented the cathedral while Linux was the bazaar.
In the more than 20 years since, much has changed. Microsoft has embraced products of the bazaar, especially on its fast-growing Microsoft Azure platform, and development philosophies have become more hybrid. Developers and businesses have become more intelligent about how to incorporate open source into their models when appropriate and benefit from that.
Open-source libraries and software pervade cloud computing services — Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) are all powered by open source — and appear in numerous commercial products as well. Just about every enterprise software maker targeted at data centers (Oracle, IBM, Microsoft, SAP and many others) leverages Linux and other open-source components.
Monetizing open source
Open source is often associated with the word “free.” And yes, it is free. But not the way many people think. Open source is free in the sense you can freely modify, share or enhance open-source software. A common phrase used in reference to open-source software is “free as in free speech, not free as in free beer.”
Open source isn’t free in the sense it doesn’t cost anything; companies can charge for open-source systems — and they do. And yes, open-source companies make money — Red Hat, for example, is one of the largest open-source companies.
From a blog post with tips on how to get paid for your open-source software, here are several methods that companies have used to generate revenue from open source:
- Charging for custom features and support services
- Selling complementary tools and hosted services
- Paid partnerships, training and ads
- Licensing
OpenSaaS
OpenSaaS takes the software-as-a-service (SaaS) business model and adds an open-source twist by using a foundation of open-source code. Similar to regular SaaS models, a service provider hosts and maintains web-based apps. The way the service provider makes money is to offer pay-as-you-go service agreements. According to a story from McKinsey Digital, the benefits of combining SaaS, open source and serverless (their version of openSaaS) include a smaller initial investment, reduction or elimination of infrastructure and more flexible scalability.
Open core
Open core is one of the more controversial methods of monetizing open source. In this model, a company offers two products: one is a basic, limited-feature version that’s free; the other is a full-featured version (or add-ons that make a more premium product than the free one) for a commercial price.
What makes this method controversial is that some open-core companies take open-source code created by the developers’ community and create a new center of development with no intent of sharing that newly developed code back to the original community. They are, in essence, taking a free and open product, making a few changes, then making the resulting product proprietary from that point forward.
The benefits of open core include better control of client-data exposure, as it is kept on-premises, and the opportunity for more innovation from the developer community as the foundation of the open core generally stays open source. Some open-core vendors are also open-source contributors, including DataStax and GridGain.
Beyond open-source software
Open source isn’t just limited to software or even the tech industry. Its principles of openness, collaboration, design-by-community and free sharing are embraced by industries from higher education and medicine to agriculture and food and beverages.
According to Bryant, “Open source does enable adjacent technologies. So it’s not just software. Open data projects rely on both the model and the function of open-source software. One example of that, in that space, would be the Open Data Hub project that Red Hat initiated. There are open hardware projects. Arduino, which is a microcontroller project, is one.”
Open-source hardware is hardware whose design elements (the mechanical drawings, schematics, source code and bills of materials, as well as the software that drives the hardware) are made available under the terms of an open-source license. In addition, the building process must follow open-source principles, including community collaboration. Some examples include the previously mentioned Arduino microcontroller platform; OpenRISC, a microprocessor family; OpenSPARC, a multicore processor from Sun Microsystems; and the Open Compute Project’s data center designs.
Other kinds of open-source projects include digital content, such as Wikipedia, Project Gutenberg and OpenGLAM. Medicine has several initiatives, including the Tropical Disease Initiative and OpenEMR. Even the food and beverage industry has the Free Beer project to show how open-source principles can apply to non-digital products.
Open source in RAN
Despite the prevalence of open-source technology, former senior editor of SDxCentral Matt Kapko argued that it isn’t making much of an impact in radio access networks (RAN).
He quoted Daryl Schoolar, practice leader at Omdia, who said open-source software, or free software that a vendor could download to a baseband or radio unit, doesn’t contribute to a significant portion of the RAN market. That lack of influence carries over to the open RAN environment as well, Schoolar said. “Open RAN does not equal open-source software.”
However, that may be changing as organizations such as Software Radio Systems (SRS) are embracing both open RAN (the idea of decoupling RAN software from the hardware to make it vendor agnostic) and the idea of using open-source code for its RAN software.
Open source in telecom
In the story “The telecom industry must reframe open source to give it a chance,” contributor Andreas Hegers addressed the shortcomings of open source in telecom.
“It’s no secret that open source is behind many budding disruptions across numerous industries. However, in the telecom industry the concept of ‘open source’ is a loaded one. In theory, vendor interoperability from open source should be convenient — even harmonious — with innovations being shared like recipes. Unfortunately for many, the system has not lived up to this reality.
“In this age, not only are operators and vendors clashing on everything from 5G to software-defined networking (SDN) to virtualization, but they are hashing out the basic tenets of open source in real time and with a global forum. For example, the multitude of projects and plans that use OpenStack have taken twice as long (or more) to complete. OpenStack itself has admitted to an ‘integration problem’ where, despite obvious innovation, the end result consistently fails to reach fruition. Many in the industry blame these issues on the fact that there’s no true captain on the ship, and without a governing body to help drive the project’s roadmap, too many potential successes never materialize.”
Open source in SD-WAN
SD-WAN is another area where open source seems to be lagging. When asked if SD-WAN needs open source, Mike Fratto, senior analyst at 451 Research, said “Needs? No.”
“However, companies that are comfortable bootstrapping software themselves, like MSPs (managed service providers) and integrators, can achieve a significant cost savings in licensing if they can use open source and, this is the important part, cost-effectively build a service around it. It’s a significant investment but can pay off after the work is done.”
Ariel Dan, CEO of Cloudify, said there are a number of SD-WAN challenge areas that openness could help with. These include the lack of consistency across the sheer volume of options, the fact that several SD-WANs don’t allow for integration with other network components, the lack of automated management for SD-WAN, vendor lock-in and high bandwidth overhead. He said Cloudify is working on open orchestration that will help move SD-WAN toward a more open future.
Some of these challenges suggest that SD-WAN needs a shake-up — “I think feature-wise, the SD-WAN segment has stalled,” Fratto said. “Open-source projects may jump start it again if for only generating new ideas for features and capabilities.”
Frank Cittadino, former CEO of managed network service provider QOS Networks, told SDxCentral that “open source is going to be probably the last uptick in SD-WAN because it does run such critical infrastructure at this point and the dominant buying method of these larger customers are from large manufacturers: Cisco, VMware and a couple others.”
How does open-source licensing work?
When it comes to open-source licensing, the term “free and open-source software (FOSS)” is frequently used. It means that the license recipient has the right to use the software and to examine, modify and distribute the source code. This is different from proprietary software licensing, where the copyright holder maintains control over a software program and its associated source code.
There are open-source licenses that cover hardware, infrastructure, drinks, books and music.
According to Wikipedia, there are two broad categories of open-source licenses, permissive and copyleft. Permissive licenses allow modification and distribution with certain conditions, which usually include crediting the original authors and a warranty disclaimer. Copyleft licenses also allow modification and distribution, and require attributions and warranty disclaimers. The difference is that copyleft licenses require reciprocity: derivative works must also be distributed with the source code.
There are more than 1,400 unique open-source licenses. Some of the more popular include the following:
- Apache License
- BSD License
- GNU General Public License
- GNU Lesser General Public License
- MIT License
- Mozilla Public License
This sheer number of open-source licenses is a negative aspect of the open-source movement, because it is hard to understand the legal implications of each and the sometimes minor nuances between them.
What are the leading open-source foundations?
Open-source foundations and organizations support open-source users. They offer a variety of services and support including maintaining definitions, promoting open-source adoption and building open-source communities.
Notable groups include the following:
- The OpenStack Foundation, which promotes the global development and adoption of the OpenStack cloud operating system.
- The Linux Foundation, founded in 2000, which sponsors the work of Linux creator Linus Torvalds and is supported by developers around the world.
- The Mozilla Foundation, a group dedicated to the idea that the internet must remain accessible and open for everyone. The Foundation is also the sole shareholder in the Mozilla Corporation, which makes the Firefox browser and other open-source tools.
- The Apache Software Foundation, which provides legal and financial support to open-source software projects.
There are also two major advocacy organizations for the open-source developer community: the Open Source Initiative and the Free Software Foundation. Both nonprofit organizations advocate for software freedom. However, they differ in that the Open Source Initiative focuses specifically on defining open source and ensuring open-source licenses follow specific guidelines. The Free Software Foundation, on the other hand, believes that open source doesn’t go far enough and focuses on its own definition of free software. It also maintains a directory of free software packages, a listing of free GNU/Linux operating system distributions and a directory of software developers offering their “free software services for hire.”
What are examples of top open-source projects?
Some of the best-known open-source software projects are:
- Linux, the most used and perhaps best-known open-source operating system.
- Docker, a tool for creating, deploying and running applications with containers.
- Kubernetes, originally created by Google, is a container management tool.
- WordPress, though not often acknowledged as open-source software, is perhaps one of the biggest open-source success stories. In 2023, WordPress powered 43.1% of all active websites.
- Mattermost, providing secure collaboration for technical and operational teams in high-trust organizations, is designed to increase agility, efficiency and innovation while keeping data and operations under IT control.
- Syncthing is a continuous file synchronization program that synchronizes files between two or more computers in real time and is encrypted for privacy.
- OPNsense bills itself as “an open-source, easy-to-use and easy-to-build FreeBSD-based firewall and routing platform.” The security platform features a forward-caching proxy, traffic shaping, intrusion detection and easy OpenVPN client setup.
For a list of other open-source projects, go to the SDxCentral open-source directory.
Open source and security
Open-source security approaches enable organizations to secure their applications and networks while avoiding expensive proprietary security offerings. Some approaches include encryption, software-defined security orchestration, secure software update systems, cloud-native policy control and cloud-native runtime security programs.
There’s a misconception that because open-source software is built by communities, it is easier for hackers or other malicious actors to join an open-source community and insert malicious code into the software project.
When asked about it, the Open Source Initiative’s Bryant said, “I want to be clear that it’s a common misconception that because a project is open, then anyone can contribute and have their code introduced into the code base.
“There’s a very formal process for code to be accepted into the base that then gets shipped and released,” she explained. “So I just want to be clear, no one can sneak in and toss some things in. There’s also the value of having many people involved in a project; you know the expression — many eyeballs.”
Any software, proprietary or not, can develop problems and risk factors. The general difference with open source is the developers tend to be open and transparent about newly discovered vulnerabilities. Also, when security vulnerabilities do emerge with open-source software, the community is usually very quick to find a fix and make it available to whoever needs it.
Open source pros and cons
Pros
The benefits of open source are worthwhile — flexibility, reliability, transparency, cost savings, freedom and neutrality. Many companies are looking for flexibility and reduced vendor lock-in. So, if they make a decision today and place a bet on an open-source technology, they don’t have to keep living with a platform or a contract that doesn’t serve their purposes just to recover their investment.
Another reason to employ open-source software is reliability. Because open source is peer reviewed by thousands of developers, it’s always improving and less likely to experience major bugs or flaws. For example, if there is a bug or flaw in proprietary or closed-source software, there are only a few sets of eyes on the code and a few ideas for the solution. In contrast, with open source, you have hundreds, or thousands, of eyes on the code — just by sheer number of people, the flaw will get identified and resolved quicker. This means less disruption for the end user or your enterprise.
Open source also allows for increased transparency. The underlying algorithms are accessible, allowing deep transparency into processes. With this level of transparency, users know what they are getting — there are no hidden functions or limitations, only the ability to adapt the software to your needs. This is particularly relevant in the public sector, as the government relies more and more on technology to regulate industries or deliver services. With open source, citizens can see what software is making decisions and the input of multiple developers can help ensure it’s fair.
Open-source users have the freedom to modify and adapt software to fit their business needs. Unlike commercial software, where users have to abide by specific limits or requirements, open-source software users have absolute flexibility and freedom.
Cons
Open source, much like anything else, also comes with its share of downsides. Security issues, hidden costs, a potential lack of support and weaker usability are all risks that open-source users may face.
As with proprietary or closed-source software, security remains a top challenge. A 2023 Synopsys report on open source found that 84% of the 1,546 reviewed commercial codebases contained at least one open-source vulnerability — and nearly half (48%) contained high-risk vulnerabilities.
The report also showed 91% of codebases contained open-source code that had zero development over the past two years. This means a majority of codebases contain open source with no new features, functionality or, most importantly, security updates.
However, the story “Software supply chain attacks on the rise — is old open source software to blame?” revealed that the biggest issue with open-source software security isn’t that fixes aren’t available — the issue is that patches aren’t being applied in a timely manner.
According to that story, “One particular example, cited by Stephen Magill, VP of product innovation at Sonatype, is that of the infamous Log4j open-source project. Log4j is an open-source logging component that is widely used by many applications and back in 2021 a particularly nasty set of vulnerabilities were publicly disclosed. Even though publicly available fully patched versions of Log4j have been around since 2021, in 2023 Sonatype is still seeing a large number of users and organizations downloading and using vulnerable versions of Log4j.”
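The two failure modes in the paragraphs above, a fix that exists but has not been applied and a component with no upstream activity for two years, are both things a team can check mechanically against its own dependency manifest. The following Python script is an added example written for this article; it is not SDxCentral’s, Synopsys’ or Sonatype’s code, and every component name, version, release date and advisory ID in it is a constructed placeholder rather than a real advisory. It parses a pinned lockfile, flags pins that sit below the version in which a known flaw was fixed, and flags components whose last release is older than two years.

```python
"""
Added example (not from the article or any vendor it cites): a minimal
dependency-hygiene check that flags two failure modes the text describes:
  1. a pinned component is below the version in which a known flaw was
     fixed (the patch exists but has not been applied), and
  2. a component has had no upstream release in over two years.
All component names, versions, advisory IDs and dates below are constructed
placeholders, not real advisories or real projects.
"""
from datetime import date

# Constructed lockfile contents (name==version, one per line).
LOCKFILE = """\
example-logging-lib==2.14.1
example-http-client==4.5.13
example-yaml-parser==5.3
example-template-engine==3.0.3
"""

# Constructed advisory list: component, first fixed version, placeholder ID.
ADVISORIES = [
    {"component": "example-logging-lib", "fixed_in": "2.17.1", "id": "ADV-PLACEHOLDER-0001"},
    {"component": "example-yaml-parser", "fixed_in": "5.4", "id": "ADV-PLACEHOLDER-0002"},
]

# Constructed "last upstream release" dates used for the staleness check.
LAST_RELEASE = {
    "example-logging-lib": date(2024, 3, 1),
    "example-http-client": date(2020, 6, 15),
    "example-yaml-parser": date(2023, 11, 2),
    "example-template-engine": date(2021, 1, 20),
}

# Constructed "today" so the result is reproducible; a real run would use date.today().
AS_OF = date(2024, 6, 1)
STALE_AFTER_DAYS = 2 * 365


def parse_version(v):
    """Turn '2.14.1' into a tuple of ints so versions compare numerically,
    not lexically ('2.9' must sort below '2.14'). Non-digit characters in a
    segment are dropped; an all-text segment counts as 0."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version a is strictly below version b. Shorter tuples are
    padded with zeros so '5.3' compares equal to '5.3.0'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def parse_lockfile(text):
    """Parse 'name==version' lines into a dict; blank and comment lines are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        pins[name.strip()] = version.strip()
    return pins


def check_dependencies(lockfile_text, advisories, last_release, today):
    """Return a list of findings: 'unpatched' pins below a fixed version,
    'stale' components with no release for STALE_AFTER_DAYS, and
    'unknown-release-date' where no release data is available."""
    pins = parse_lockfile(lockfile_text)
    findings = []
    for adv in advisories:
        pinned = pins.get(adv["component"])
        if pinned and version_lt(pinned, adv["fixed_in"]):
            findings.append({"kind": "unpatched", "component": adv["component"],
                             "pinned": pinned, "fixed_in": adv["fixed_in"],
                             "advisory": adv["id"]})
    for name, pinned in pins.items():
        released = last_release.get(name)
        if released is None:
            findings.append({"kind": "unknown-release-date", "component": name, "pinned": pinned})
        elif (today - released).days > STALE_AFTER_DAYS:
            findings.append({"kind": "stale", "component": name, "pinned": pinned,
                             "last_release": released.isoformat()})
    return findings


if __name__ == "__main__":
    for finding in check_dependencies(LOCKFILE, ADVISORIES, LAST_RELEASE, AS_OF):
        print(finding)
```

Run as-is, the script reports two unpatched pins and two stale components from the constructed data. The numeric version comparison matters in practice: a string comparison would judge “2.9” newer than “2.14”, silently hiding exactly the kind of unapplied fix the article describes. A component with no advisory and no recent release is reported separately, since the absence of a published flaw in abandoned code is not evidence that it is safe.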
Hidden costs and lack of expert support can also be an issue for organizations using open source. While the upfront cost may be free or inexpensive, customizing the software or product to your specific needs, adding premium features and maintaining it can all add up. Most open-source communities are great, but they are volunteers. If you have a problem that needs immediate attention, you may need to resolve it in-house or hire someone to fix it.
While commercial software offers troubleshooting assistance and support, there are rarely any professionally designed user manuals, tutorials or expert support with open-source software. Although community support exists, the support isn’t guaranteed when you need it, or at all.
And finally, usability can be an issue with open-source software. While most commercial software companies employ user experience (UX) specialists to ensure their products are user friendly, open-source projects don’t always have that luxury.
Is open source right for your company or enterprise?
Only your company can know whether open source or proprietary software is the right choice for it. Open-source software, specifically, can be lower cost, is community-sourced and offers greater visibility into, and freedom to modify, the source code. However, open source is not recommended if those arguments aren’t enough to overcome resistance based on a preference for specific brands. It’s also not recommended if a DIY mindset is not part of your corporate culture.
While not necessarily free of cost, open-source software is still generally cost effective. According to the Linux Foundation, enterprises can save between 20% and 55% with open-source software versus commercial solutions.
Open-source software is community-validated and results from testing that is ongoing, with many contributors coming from different backgrounds and with different angles in mind all offering valuable perspectives.
Interacting with the open-source community offers great visibility into where software capabilities are emerging from. It’s often a deeper level of visibility than an enterprise might have when dealing with a single vendor that guards the origins of its proprietary software.
An enterprise adopting open-source solutions does not have to deal with vendor lock-in, and gains the flexibility to adopt best-of-breed solutions and to move as quickly or as slowly as it needs to when implementing them.
On the other hand, open source is not to everyone’s tastes. Companies with more closed IT mindsets or preferences for certain software brands may not want to take the open-source path.
It also may not be for companies that do not envision themselves engaging with or contributing to open-source communities on a broader, ongoing basis, which is how open-source communities retain and create new value. Integrating different open-source solutions also can be challenging, although there are partners that can help.
At the end of the day, open source is an option that every enterprise should at least evaluate.
Synonyms, acronyms, abbreviations
- Open source
- Open-source
- Open source software
- OSS
- OSS software
- Open standard
- Shared source
- Open security
- Source-available software
- Open implementation