The OSS Fear Factor
This article originally appeared on Line 56 on December 23, 2003.
Ask a group of corporate IT leaders whether they'd rather stick their
arms into a box of tarantulas or allow open source software (OSS) on
their networks, and odds are most would start rolling up their sleeves.
In this security-conscious era, getting IT or business leaders
to consider using OSS can be a tough sell. One of the main reasons is a
perceived lack of control - or a throat to choke to put it another way.
If you purchase packaged software, you know who's responsible. If
you're using Microsoft Outlook and some knucklehead exploits a hole to
distribute a virus to your user base, all eyes turn to Redmond for a
patch. But if you're using Evolution and a similar problem occurs, to
whom do you turn for a remedy? (See Myth #4 for the answer.)
One of the appeals of OSS within the open source community is
that it is developed for the greater good rather than simply to make a
buck. Yet this egalitarian appeal is also one of its greatest barriers
to its general acceptance. In the absence of hard information, a number
of myths have sprung up which make the prospect of using open source
software for enterprise applications scarier than that box of
tarantulas. Let's examine some of these myths (and the truths about
them) in order to bring a greater understanding of OSS, and see how
your organization can benefit from it.
Myth #1 - OSS is all or nothing
There seems to be a general
belief that using OSS is an all or nothing proposition. In other words,
you have to choose between using all open source or all commercial
The truth is you can have any mix of open source and
commercial software you want in your business. You can even use OSS in
a Windows environment.
The important thing to remember is that OSS is a different
philosophy of software creation and distribution, not a completely
different technology. Most large corporations already use some form of
OSS, whether they realize it or not (see Myth #5). They've found that
OSS plays very well with others.
Myth #2 - Centralization of software development is always better
goes back to the "one throat to choke" concept. If your primary goal is
to lay blame when something goes wrong, then the statement is true. But
if you're looking for the best performance from the software, it may
Consider Darwin's oft-quoted principle of biological
diversity, which says that having more choices in the gene pool gives a
species a better chance of surviving a disaster and improving itself
more quickly. The same holds true in software. A large developer pool
around an open source software project means more ideas, with the best
rising to the top and the rest falling by the wayside. If a disaster
strikes, you have a large community working to solve it. That's the
main reason that open source software upgrades are introduced on a
weekly or monthly basis, while commercial software upgrades often take
more than a year to produce.
Some of this attitude also dates back to the early days of
software development, where the knowledge was held (and hoarded) by a
relatively small part of the population. For at least the last 10
years, children have been learning to program in middle school, or even
grade school. As those students move into the work force, they aren't
content to wait for improvements from on high. They're diving in and
creating what they need on their own. OSS gives them the means to do
Today, with the pace of change coming fast and furious, a
closed, 18-month development cycle no longer meets the needs of
business. OSS provides a solution.
Myth #3 - You get what you pay for
In America in particular,
there seems to be a prevailing attitude that free equals bad; its
corollary, of course, is that the more expensive something is, the
better it is.
Consider the realities of software development, though. A
commercial software company has a certain amount of budget allotted to
develop a product. This number is based on the number of people
assigned to the project and the amount of revenue they expect it to
bring in. Just as important is who the company assigns to the project.
If it's the signature product, you'll probably get the best talent on
it. If it's an ancillary product, you'll probably get lesser souls.
Those are the realities of business. And if the product doesn't make
money (or the company feels compelled to bring out a new version to
drive up revenues), support will dry up awfully quickly.
OSS projects pull from millions of the best minds around the
world. One of the reasons is the caliber of people who are attracted to
the open source community. They tend to be creative, independent
thinkers rather than middle-of-the-road programmers -- the type of
people who love a challenge and like to dig in deep on a problem.
No single software company has that kind of talent pool to
pull from. None. Couple that with the diversity of ideas mentioned
earlier and you have the greatest value possible. Oh, and as far as
support goes, many OSS products continue to be supported by the
community long after the originator moves on to other things. Try
finding that in the commercial world.
Myth #4 - OSS is not secure
Since everyone can see the code,
the reasoning goes, exploits are easier to find. There's only one
problem with this line of thinking: exploits are actually very
difficult to find, regardless of whether you have access to the source
code or not. If they were ever easy, the original developers would find
them during the debugging process and fix them before the software ever
Fixing exploits is the easy part. So once they're found,
having a large community working on the fix is actually to your
advantage. The adage, "Given enough eyes, all bugs are shallow"
definitely applies here.
Myth #5 - OSS is only for zealots and small companies
Consider that most of the Internet is built on OSS, and huge companies
around the world are adopting OSS at an astonishing rate. Of course in
some cases they don't realize it's OSS until long after the software
becomes part of the way the company does business. But the point is
it's proving its performance on the enterprise level every day.
Here are some facts about OSS:
- 24 percent of all Web sites are written in PHP
- 65 percent of all Web sites run on Apache
- 76 percent of all mail servers are Sendmail
- 90 percent of all domains are controlled by BIND
- 99 percent of all Web browsers are based on the original NCSA Mosaic browser
The fact is, OSS is pervasive in business, government, and
education. And it will continue to grow in popularity both as a means
of controlling IT costs and because it simply makes sense.
If you're still not convinced, here's one more reason to
consider OSS in the enterprise: you don't need to send a requisition
through six levels of approval to obtain it, because there's nothing to
approve. No purchase order is required because there's no cost to
obtain the software. You can download and use it immediately to see if
it suits your purposes. There's no "time bomb" trial period to worry
about, either, so if your priorities change you don't have to worry
that the clock is ticking. The bottom line is there's nothing to fear
from OSS but fear itself. OSS provides the tools you need to boost
productivity in a secure environment, which makes it definitely worth a
look before you commit dollars that could be better spent elsewhere.
And that beats a box of tarantulas any day of the week.