The Open Source Security Primer
Open source software is both tempting and terrifying for many small to mid-size business owners. Tempting because it’s cheap up front and comes without those licensing fees. Terrifying because of the perception that it’s easier to hack.
“There’s absolutely no evidence that open source is any less secure than commercially licensed software,” says Michael Goulde, a senior analyst from Forrester Research, who estimates 55-60 percent of all businesses use at least some open source software.
Goulde goes on to dispel the two most popular concerns about open source software:
- Anyone can look at the source code. The worry here is that “anyone” can be any hacker who wants to wreak havoc. “Bad eyes can see the code, but good eyes can see it, too. If a vulnerability is found, then there’s a whole community of developers literally all over the world to fix it. It’s essentially under peer review,” says Goulde.
- It’s written by amateurs who don’t care about security. Goulde says that used to be true, but with the more established applications that is hardly the case anymore. Most open source developers are professionals with some even employed by the likes of IBM, Hewlett-Packard, and Sun Microsystems.
One size doesn't fit all
"Open source is a very broad area. You can't make a single judgment about it. Some areas of applications are quite mature, while others are not," says Yefim Natis, a distinguished analyst from Gartner, a Stamford, Conn. IT research group.
Natis advises business owners to be more cautious when it comes to open source applications like portals and business tools such as business process management (BPM), customer relationship management (CRM), and enterprise resource planning (ERP) systems. Operating systems and application servers, on the other hand, are more established and safer to use.
Goulde, however, is less cautious and even sees open source as a unique opportunity for many small to mid-size businesses. “The amount of functionality you get from the open source versions of these technologies, like CRM, ERP, and BPM tools, is just right for many small to mid-size businesses. And, it’s affordable. Similar products that are commercially licensed are more likely to be priced beyond their reach,” says Goulde.
The argument for open source safety
For all the debate, a business owner has to wonder why not just play it safe and stick with the commercially licensed software. Here are some of the advantages of open source applications that may make it too tempting to pass up:
- It’s cheap. Not having to pay licensing fees can obviously be a huge saving. Don’t forget, however, that it still has to be maintained. Open source is not completely free!
- It’s easier to integrate with other applications. Open source is written to support standards, rather than proprietary code (like Microsoft applications written to support other Microsoft applications, for example). This means fewer headaches combining it with other products from a mixture of vendors.
- It’s easier to get serviced. Since the code is freely available, there are more businesses and consultants around to help with service and maintenance. More choices mean more competition to get your service contract. More competition, of course, means a cheaper service contract.
- More innovation. Since it’s open source, there’s an open field of developers working on new versions with new features. This can mean both more innovation and more interesting innovations.
How to play it safe
Feeling more tempted than terrified? Here’s what a business can do to take the open source plunge with minimal risk:
- Know where the software is coming from. There are often many, many places to download these applications. Companies need to verify the source as reputable and safe. Always check references.
- Use a consultant. This is especially important for most small to mid-size businesses with little or no in-house IT staff. It’s money well spent to hire someone who knows the most established applications, their best download sources, and how to install them. At the very least, work through a reseller who can guarantee the source of the software.
- Plan on having ongoing support. “Open source is often in a more raw form, compared to commercially licensed software. Therefore, it requires more expertise to fine tune it to make it work with the business,” Natis says. “Support is a must.”
For those businesses still feeling more terrified than tempted, here are some final unsettling words from Natis: “Open source is so widespread nowadays, some businesses are already using it bundled into other products without knowing it.”