Most outsiders see open source as one of the things they find most hard to come to terms within the IT ecosystem: an open collaboration between individuals to create software that is made available to anyone, not necessarily at no cost.
As Richard Stallman puts it: “‘Free software’ is a matter of liberty, not price. To understand the concept, you should think of ‘free’ as in ‘free speech’, not as in ‘free beer’.”
There are most definitely costed open source software solutions available. But it is perhaps one of the last bastions of the ideals that animated the early days of the internet, when people thought that a new economic model based not solely on profit was emerging. However, it's an approach that predates the internet.
For example, the motor industry has been sharing technology and patents across the industry since the days of Henry Ford, when one patent-holder was effectively blocking the development of the industry.
Open source's role in the development value chain has been growing, and the COVID-inspired move to remote working will only exacerbate the digital transformation of businesses, and thus their dependence on open source.
According to a Gartner survey, 90% of organisations rely to some extent on open source components. Other research shows that 96% of all scanned applications contain some open source components (an average of 257 per application), and that the percent of open source in application codebases grew from 36% to 57% in just one year.
In short, taking all these figures into account reveals that typical applications comprise up to 90% of open source code. Speed and cost are two of the benefits driving this seemingly unstoppable trend.
Open source’s contribution to the speed with which an application can be developed is equally clear: using pre-built components will obviously reduce development time and will give developers more time to spend on ensuring the final product is more bug-free.
The need for speed is central to business today. The digital world values speed, and a new generation of consumers and employers are looking for ever-more personalisation and rapid responses to their requirements.
Getting an app to market is now a critical success lever, and this has spurred the Agile and DevOps movement in software development, which aims to make development more rapid and at the same time more accurate.
In the rush to get software apps up and running to take advantage of a market shift, or face off a competitive threat, speed is going to remain paramount. It's nearly impossible to build software entirely from scratch and still meet delivery deadlines that are consistently becoming more punishing.
At the same time, of course, building software from scratch will inevitably lead to higher development costs and best practice concerns.
Getting an app to market is now a critical success lever, and this has spurred the Agile and DevOps movement in software development.
It's also worth reminding oneself that, when it comes to open source, speed and cost are not the only drivers. Open source also offers organisations a way to access leading-edge capabilities early on. Some of the breakthrough ideas in software have originated in the open source world.
In addition, using prebuilt open source components means the development team can focus on the 10% of the project that will create competitive advantage.
The trend of relying more on open source looks set to dominate software development for the foreseeable future, as the internet of things, artificial intelligence and machine learning, combined with the cost-effective processing power provided by the cloud, ensure valuable insights are more accessible, and demonstrate the need to act on them rapidly.
The security conundrum
At the same time, though, CIOs and CTOs need to recognise that the very things that make open source such an essential part of their arsenal also create certain vulnerabilities. By using open source code, the organisation is exposed to a very large pool of users, as well as an increased number of exposure points.
For example, the 2014 Heartbleed security bug in the OpenSSL cryptography library showed just how devastating such a security risk can be. Similarly, the open source Apache Struts exploit resulted in over 140 million US citizens’ personal information being compromised after Equifax was hacked in September 2017, costing them an estimated $2 billion.
Nearly 88% of Java applications have at least one vulnerability in a component, something that should make everyone sit up and take note, given their ubiquity. Or, to put it another way, 76% of apps have at least one security flaw.
However, the sheer utility of open source means it will remain very much an integral part of development. What CIOs and CTOs need to do is come to grips with how to live with open source. That means putting security at the centre of the development framework.
In my next article, I will investigate how CIOs and CTOs can develop and implement a security framework that will enable them to realise the benefits of using open source without dramatically increasing risk.