
Thoughts on the state of enterprise open source

“Open source is bad since it’s full of security vulnerabilities, unmaintained dependencies and poor documentation,” said this security vendor as they began their opening speech, before delving into their product that offered open source dependency management and risk audits. As they started their demonstration, I could instantly see the irony. The product that was demonstrated was merely a re-skinned version of Dependency-Track, an open source product that offers exactly this capability. To be honest, they also demonstrated some vulnerability management capabilities, which looked quite like another open source product called DefectDojo.

Security vendors aren’t alone in this kind of misleading marketing. We live in a world where cloud providers claim open source is not scalable or enterprise-ready, and then offer the very same product as a cloud service under a different marketing name (Hey AWS!). The VC community loves pouring money into startups that offer enterprise Kubernetes platforms, enterprise Elasticsearch hosting and enterprise log management, all powered by free open source products.

In this blog, I wanted to share my personal thoughts on the state of enterprise open source. There will be some bias in this post.

  • ShiftLeft is a major enterprise open source security company, with over 60% of our technology available as free and open source software under a permissive license
  • I have authored and continue to contribute to many open source projects you might be familiar with
  • Data gathered for this blog came from an open source friendly organization — RedHat (IBM)

Open source and enterprise open source are critical for any business

Any indie developer can publish open source tools and libraries with interesting functionality. Once an open source project gains broader adoption, it becomes rather difficult to develop and sustain the project alone without the backing of either a community or an enterprise. Enterprise open source projects such as ShiftLeft Scan and Joern reduce this risk by adopting the same development and quality assurance process for both the open source and the commercial products.

RedHat, in their State of Enterprise Open Source report 2020, found that over 75% of the organizations surveyed agreed that enterprise open source is important.

Figure: Importance of enterprise open source

This usage is only going to grow, since both current and expected use of proprietary software is in steady decline.

Figure: Declining usage of proprietary software

Open source is important for security and cloud

More than half of the organizations surveyed use enterprise open source products for security and cloud, according to RedHat’s research.

Figure: Importance of enterprise open source security products

This may surprise some people, because the security products touted as leaders in a popular 2×2 matrix are often proprietary products. I believe that the answer to this conundrum has been provided by one of the leaders in application security. This vendor found that while organizations procured their product and services for top dollar, the actual usage of the product by DevOps teams was in the single digits per year (Was it like 4 scans per year?). So yes, this commercial provider is a leader in revenue, but in terms of usage and importance, enterprise open source wins in ways that are not clearly reflected in 2×2 matrices!

Even free open source has barriers

The main barrier to open source adoption is the security of the code. This barrier is partly psychological (people prefer to close and lock their door even in a safe neighbourhood, so they assume that closed source is more secure than open source) and partly due to the inherent risks posed by the poor development and release management processes adopted by particular open source projects.

Figure: Barriers for enterprise open source

There are a few things open source projects could do to address security and support concerns.

  • Use security scanning products and proudly share the reports alongside your open source projects. Products like ShiftLeft Scan integrate easily with GitHub Actions, GitHub code scanning and other CI tools. We publish these security reports for our enterprise open source projects too.
  • Improve documentation by making use of excellent documentation generation tools such as Docsy + Hugo and GitHub Pages, along with mini screencast GIFs and working examples. At ShiftLeft, we regularly see more traffic to our documentation sites slscan.io and joern.io than to the equivalent marketing pages.

Figure: ShiftLeft Scan — GitHub code scanning integration
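As an added example (not code from the original post or from the ShiftLeft projects themselves), here is a GitHub Actions workflow of the kind the first bullet describes: run a scanner on every push and pull request, publish the SARIF output to GitHub code scanning so the findings are visible on the repository’s Security tab, and keep the raw reports as a build artifact that a README can link to. The action name `ShiftLeftSecurity/scan-action`, its `output` input and the `WORKSPACE`/`SCAN_AUTO_BUILD` environment variables are assumed from the scan-action documentation and should be checked against the project’s current README; the upload step uses GitHub’s own `github/codeql-action/upload-sarif` action, which accepts any SARIF file.

```yaml
# .github/workflows/security-scan.yml (added example, not the project's own file)
name: Security scan

on:
  push:
    branches: [ master ]
  pull_request:

jobs:
  scan:
    runs-on: ubuntu-latest
    # Least-privilege token: reading the repo is enough for checkout,
    # and security-events:write is what the SARIF upload needs.
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v2

      # Run the scanner. Action name, the `output` input and the env vars
      # are assumed from the scan-action docs; verify against the current README.
      - name: Perform Scan
        uses: ShiftLeftSecurity/scan-action@master
        env:
          WORKSPACE: ""
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SCAN_AUTO_BUILD: true
        with:
          output: reports

      # Publish every SARIF file in the reports directory to code scanning,
      # so findings appear on the Security tab and as pull request annotations.
      - name: Upload report to GitHub code scanning
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: reports

      # Keep the raw reports so the README can link to a downloadable copy.
      - name: Archive scan reports
        uses: actions/upload-artifact@v2
        with:
          name: scan-reports
          path: reports
```

The upload step is the part that makes the reports public to contributors without any extra tooling; if the scanner you use does not emit SARIF, code scanning will not accept its output, so check the report format before wiring up the upload.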

Open source is for everyone

RedHat’s research associates enterprise open source with innovative businesses and with being innovative.

Figure: Strong association of enterprise open source with innovation

This is an argument I disagree with.

Solving customer pain points and needs is more important for a business than pure innovation. The world doesn’t need a touchscreen Alexa bread toaster!

At ShiftLeft, while we are quite excited about deno.land and Rust, we usually see the more critical and important applications developed in either a JVM-based language like Java or Scala, or in .NET Core.

Closing thoughts

Despite the importance of open source, there are barriers and security concerns that need to be addressed by the community and by enterprise open source vendors alike. Fortunately, the tools for dealing with these barriers are also available as open source, in the form of security scanning and documentation generation tools.

Interested in a free evaluation of your organization’s open source strategy and security posture? Don’t hesitate to contact us.


Thoughts on the state of enterprise open source was originally published in ShiftLeft Blog on Medium.


*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by Prabhu Subramanian. Read the original post at: https://blog.shiftleft.io/thoughts-on-the-state-of-enterprise-open-source-4decc621ef59?source=rss----86a4f941c7da---4
