Open Source Software is Secure and Mature

I am creating this page to counter the numerous outdated myths about open source software. Again I will state that no software is bug free or perfect, but I will also strongly state that open source is as mature and secure, or often more so, than proprietary software.

Gartner (from https://www.ibm.com/developerworks/community/blogs/PragmaticOpenComputing/entry/gartner_80_of_commercial_apps?lang=en): “By 2012, 80 per cent of all commercial software will include elements of open-source technology,” Gartner wrote in a report. “Many open-source technologies are mature, stable and well supported. They provide significant opportunities for vendors and users to lower their total cost of ownership and increase returns on investment. Ignoring this will put companies at a serious competitive disadvantage. Embedded open-source strategies will become the minimal level of investment that most large software vendors will find necessary to maintain competitive advantages during the next five years.”

Security:

We see weekly reports of security vulnerabilities with Microsoft, Adobe, Oracle Java, etc. It is also true that FOSS is being tested in the same way, BUT a key difference is that the source code can be examined with FOSS, so more eyes will normally be able to find any issues more transparently. Also, as an organisation using the software, you really can’t see what you are getting with proprietary software, but with FOSS you can scan the code and see how it deals with your data. And on the topic of data, your data is as safe (or more so) with FOSS as with proprietary software. There is nothing wrong (or insecure) about seeing the source code. Your data’s safety depends on where you host it, no matter what software you are using. As far as websites go, the numerous government websites that use Drupal would certainly not be using it if it was inherently insecure. My only consideration with FOSS would be how widely the product is being used and how active its community is, as this determines the credibility as well as the degree of support.

Maturity:

Maturity again depends upon the size and nature of the user base along with the activity of the support community. Maturity is important (as it is to realise that not every flashy box on a shop shelf is mature or even well supported), but I again strongly feel that where a FOSS product is mature and well supported, it should be given strong first consideration because it will also offer flexibility, options for local economic investment, prevent vendor lock-in, etc. It would be ideal to see TCO and user requirements measured equally between proprietary and FOSS solutions, but we would be very naive to think that this has been happening over even the last 5 years, as mostly proprietary software is considered. I can speak from personal experience when I say that it is vendors who spend money and time lobbying their proprietary solutions to governments and corporates, and who attempt to influence the “user requirements”. I can’t say that those proprietary solutions are not the best solutions BUT were any FOSS solutions given serious consideration? I can say in 99% of the cases that no they were not…. and yet a mature FOSS solution offers far more benefits. It was quite interesting for me to see one such level playing field for a web content management system where a government department evaluated the top 5 Gartner proprietary solutions against 5 FOSS solutions… and a FOSS solution won across all the measurement criteria (I know because I participated in the evaluation) and the FOSS solution was in fact selected. But if this same department had advertised a traditional tender, I do expect they would have been paying millions of Rands now for a proprietary solution. Don’t get me wrong about vendors and companies… they will provide whatever government or corporates will pay for. This too I have seen, where one company had skilled themselves up on a proprietary as well as a FOSS solution in case government asked for FOSS.
Many mature products (I’m thinking specifically of Red Hat Linux, Ubuntu Linux, SuSe Linux, JBoss, MySQL, OpenOffice, Zimbra, etc) have established training courses and certification, partners who provide support contracts, training manuals, etc. See also the US DoD document: Use of Free and Open Source Software (FOSS) in the US Department of Defense 2003. It is a bit dated, but it focuses specifically on how to identify secure and mature FOSS software. The picture has already dramatically improved since 2003, but the grounding and theory are still fully relevant. A key conclusion was: “The main conclusion of the analysis was that FOSS software plays a more critical role in the DoD than has generally been recognized” and more specifically “Taken together, these factors imply that banning FOSS would have immediate, broad, and strongly negative impacts on the ability of many sensitive and security focused DoD groups to defend against cyberattacks”.

Innovation:

FOSS projects have a very transparent way of receiving requests for improvement, and the community usually votes on the priority to tackle them. Just as with proprietary solutions, where there is a paid support contract (or sometimes the proposer will even bid an amount for the improvement), these can be done much quicker. I have seen suggestions we made to the Zimbra project (where my company has paid support) and those suggestions were implemented in the following upgrade we received. FOSS projects draw suggestions, as well as software coders, from all walks of life and all across the world, which results in all sorts of innovation including mobile device support, and as new devices hit the market these are often supported as well. You have no voting rights whatsoever with a proprietary company…. Again the size and maturity of a FOSS project will give a good indication of what sort of support and innovation will be provided.

Open Standards and Vendor Lock-In:

Again the very nature of FOSS projects means that the risk is spread across many developers and that they want to inter-connect with other projects, exchange data, etc. A FOSS project will usually be built on open standards unless none exist (and if not, the standard will be well documented). The philosophy behind FOSS is all about sharing and interoperating with other systems: sharing the source code, not sharing your private data. So they are usually very good fits for governments that endorse international open standards. The nature of the open code and open standards being used means no one vendor can lay claim to them or hold the client to ransom, which means better competition and pricing. Because they are open, it is easy for any new vendor to also see exactly what they are supporting. Openness means a lower barrier to entry and better ease of entry for SMMEs to get involved. This is ideal for an SMME in a rural area where their support expertise is what will be paid for by a corporate or government department. Open standards also mean that your data is stored in a format that will likely be supported in the distant future, or even by a competitor’s solution. Proprietary companies will often try to punt their own format to you knowing that no-one else can support it… what happens when that vendor is out of business in 5 to 10 years? (If you doubt this, ask where Samna, WordPerfect, Lotus 123, etc are today… all big proprietary companies.)

Local Economic Investment:

Unless you have the in-house skills, FOSS will not be free for the non-commodity (complex) solutions. These are complex solutions requiring training, customisation, change control, etc to implement. As with proprietary solutions you will always pay a vendor to do this part of the support, BUT the difference is that 100% of that money could be going to the local vendor (with full local tax being earned and paid on the money). There need not be millions of Dollars flowing out of your country to Ireland (where the “sweetener” is a kick-back in the form of a digital village or 20 tablets for a local school). With some FOSS solutions (Zimbra for example) there is an option to buy a support contract, BUT that pricing is far cheaper and more flexible than their proprietary competition (i.e. Zimbra is paid per server irrespective of the number of users whilst the competitor is per user mailbox… also bear in mind that Zimbra could have a cluster of 5 central servers supporting 3000+ users whilst the competitor often requires mailbox servers located physically at each large site). The mistake often made with FOSS is that corporates or governments try to do it completely for free and it fails – training, process changes, advocacy, etc are important and this is traditionally what proprietary vendors insist on. So use of open source software does not let vendors all starve… the training, support services, change management, etc must still be done and paid for, and businesses will still thrive and grow (especially your local businesses). An area where many of these companies also get involved is translation and regionalisation of open source solutions – many open source solutions are already available in 10 or more languages. So you may ask, with all these advantages and common sense behind open source software, why is everyone not using it? Good question, and I can say the answer is not that the software is no good.
It is partly because you are reading this page and others have not, and also because there are proprietary companies pushing their own product for maximum profit of their own shareholders…. in essence ignorance and marketing! We just have to look at what happened with Android, Apple iOS and Microsoft’s Windows mobile on the mobile platform… open source is by far the leader and growing stronger every day on the mobile platform. Users have also realised that you do not need to use the same mobile OS as your desktop OS to be productive – you can use an iPad with a Windows desktop. Think now if we properly supported open standards… you could use anything with anything! You could freely choose to use an Apple Mac with say a Blackberry tablet… this is the way it should (and will) be. So yes open standards are actually far more important than just open source software… it is just that open source software does very much openly embrace open standards. If you are reading this web page right now you are using open source software… much of the Internet runs on open source from the routers and switches to this website which runs on a Linux server using WordPress software (all I pay for is the hosting service).

So Who Uses Open Source Software?:

Well actually this is very interesting as the small sample below includes some very large, innovative, security conscious companies and government departments covering not only desktops but also graphics design, network management, cloud storage, education, government, security, health, document management, messaging, business intelligence, PABXs, and most other areas you can imagine (see also my full list of categorised open source software):

  • Deutsche Post
  • Electronic Arts
  • European Astronomy Space Centre
  • Fujitsu
  • Industrial & Commercial Bank of China
  • NASA (you don’t get more mission critical than NASA)
  • NetApp
  • Nokia Siemens Networks
  • Puma
  • Sony
  • TrendMicro
  • US Department of Agriculture
  • US Department of Defense (DoD)
  • US Food and Drug Administration
  • Orange in UK
  • France Telecom
  • Best Buy
  • CERN
  • PayPal
  • Cisco WebEx
  • Intel
  • HP
  • Samsung
  • Radio Africa Group in Kenya
  • Barclays Bank
  • RackSpace
  • AT&T
  • San Diego Supercomputer Center
  • Google
  • Yahoo!
  • Johannesburg Stock Exchange
  • New York Stock Exchange
  • London Stock Exchange
  • Oracle
  • IBM
  • Facebook
  • Wikipedia
  • Amazon.com
  • US White House (who made their website software open source)
  • Polish Government
  • European Union Parliament
  • NATO is using ODF for documents
  • Philippines Government
  • Spain’s Ministry of Industry, Tourism and Energy
  • Spain’s Region of Extremadura
  • Swedish Government
  • Denmark Government
  • Netherlands Government
  • Hungarian Government
  • Belgian Government
  • Swiss Government
  • Limerick City Council
  • City of Garden Grove
  • City of Munich
  • Portuguese Municipality of Vieira do Minho
  • UK Government
  • Italy’s South Tyrol Province
  • Italian City of Bari
  • Italian City of Genoa
  • Canary Islands
  • Chinese Government – Ubuntu Linux
  • Kenyan Government
  • South African Government
  • State Information Technology Agency in South Africa
  • CSIR in South Africa
  • Apple (see http://www.apple.com/opensource/)
  • University of Cape Town (UCT)
  • University of South Africa (UNISA)
  • North-West University in South Africa
  • Oxford University
  • Cambridge University
  • Stanford University in the USA
  • Nagios network management software for example is used by an estimated 250,000 users worldwide including Amazon.com, 3Com, AT&T, Google, IBM, Verisign, Symantec, etc.
  • In fact, of the 517 organisations that Gartner surveyed, more than 50% were using open source software, up from only 10% five years before that (see http://readwrite.com/2011/03/07/most-organizations-now-use-ope#awesm=~o9CzrACJ489cre)