Open Source Management software: riding herd on collaborative innovation

Published: November 30, 2012 12:17

With all due respect to UC systems, SharePoint and Facebook, by far the most common manifestation of collaboration in enterprise IT is the use of open source software. Products such as Linux, Firefox, and Apache aren’t just common, they’re ubiquitous: Gartner reports that “by 2016, at least 95% of IT organizations will leverage non-trivial elements of OSS technology in their mission-critical IT portfolios.”

There are several definitions of open source software, but they agree on some key points. One is that open source is developed collaboratively: many software developers can be involved in writing, modifying and reviewing code. Open source is generally free, so it is deployed by users looking to reduce the overall cost of their IT infrastructure. And open source distributions include source code, enabling developers to develop plug-in/add-on products or modules, and/or to modify code for other purposes.

Open source software takes several forms. It serves as a platform technology for critical systems, as in the case of Linux and Apache. It can be deployed in development tools or a development environment. Open source modules can be ‘plugged in’ to larger solutions to address specific functionality requirements. Or open source products can be used directly by end-users, as is the case with Firefox, OpenOffice and the Asterisk VoIP system.

The diffusion of open source, and its appeal in specific technology areas, has led Canadian IT leaders to look at some of the business technology issues associated with open source use and deployment. Working with Barney Baldwin, head of risk technology at RBC, IT in Canada developed a series of questions about open source software management, and solicited feedback from four vendors in the open source management software space: Protecode, Black Duck Software, OpenLogic and Sonatype. We also received input from FOSSology, a project spawned by HP to analyze source code licenses. A summary of responses follows, and additional information on each company and its products can be found on IT in Canada by following the QR code or link contained in the “Want to learn more?” box below.

Building the business case: risk and security

While capability is obviously important, IT management is paid to balance the ability to create cost-effective and feature-rich solutions with the need to mitigate the potential downside of technology adoption. In our survey, we asked suppliers to address questions of risk and security.

What lawsuits or licensing issues have resulted from use of open source?

Protecode described 17 sample license infringement cases, and OpenLogic supplied a list of 14 lawsuits. Interestingly, there are only three cases common to both lists. The seminal case was a 2006 decision known as the “model train patent” case, which was said by one expert on Groklaw to “greatly bolster the efforts of the open source community to control the use of open source software according to the terms set out in open source licenses.”

In a 2007 case, the Software Freedom Law Center filed suit against Monsoon Multimedia on behalf of the developers of BusyBox, a set of utilities used in embedded systems, charging that Monsoon failed to publish source code based on BusyBox, as required in the GNU license. In 2008, the SFLC, now acting on behalf of the Free Software Foundation, filed suit against Cisco for distribution of GNU-licensed code embedded in a Linksys router. In this case, the issue originated with work performed by a subcontractor for Linksys prior to its acquisition by Cisco.

There is a common thread in the cases, and in their resolutions: users of open source have an obligation to be aware of and to respect the open source license conditions. Black Duck’s response takes this discussion a step further, noting that open source has “evolved significantly from the early days…when the primary focus was on license compliance and legal issues.” Today, the company says, we have moved past these issues: the market is “more interested in maximizing the development benefits – speed, flexibility and cost – of open source.”

What security issues with open source have been identified?

Security is a critical consideration for enterprise software developers, and this question elicited correspondingly passionate responses from firms responding to our survey. Sonatype explained that the security concern is real: according to a 2012 survey of more than 2,500 developers and industry experts conducted by the company, more than 80% of typical applications are composed of, or created with, open-source components and frameworks, and security flaws that exist within core open source products are often echoed through other applications derived from the initial component.

All of the firms contacted, though, were clear in their belief that open source is less, rather than more, prone to security problems than proprietary software. Protecode stated that “Open source software is not any more vulnerable than commercial software… with open source, more people can inspect the code to find and fix possible vulnerabilities.” Sonatype echoed this observation, noting that “Open source security libraries are roughly 20 percent more likely to have reported security vulnerabilities than other types of components. This is, at least in part, indicative of the effectiveness of broad community collaboration and active support.” Black Duck expanded on this, citing “objective studies [that] have shown that open source software is often more secure and of higher quality than commercial software…[its] defect density is 4X lower than the software industry average.” OpenLogic pointed out that “Proprietary software has been referred to as achieving ‘security through obscurity’ but this does not mean it is secure, rather that it has not been attacked.”

How can open source management suites help users?

With guidance from RBC’s Baldwin, IT in Canada’s research uncovered many ways that open source software management products help customers to identify and address a wide range of issues: identification of security holes, tracking of third party and open source licenses through a single interface, determining the levels (project, file, library, code cut/paste) at which open source code is incorporated into applications, modification and revision tracking, identifying the need for updates connected with operating system upgrades, locating functional overlaps between (and replacement options across) custom and open source code, and providing support for related management issues and objectives, such as software metrics.

Specific vendor approaches to these issues can be accessed through the “Want to learn more?” article link. As a summary, though, each of the suppliers reviewed here offered a brief description of how they help customers to achieve specific benefits:

  • Protecode: “Protecode products and services are designed to help reduce development costs and accelerate market introduction through managed use of off-the-shelf open source code.”
  • Sonatype: “Sonatype’s products were designed to enable software development organizations to establish visibility and control in a complex and agile software supply chain.”
  • OpenLogic: “OpenLogic builds products and services to help enterprise customers successfully and safely deploy applications built using open source software.”
  • Black Duck: “Black Duck helps developers build better software, faster and for less money.”

Reviewing the responses of the four firms, one conclusion stands out: by capitalizing on collaboration at the software/software component level, IT management can deliver faster and more cost-effective support to business units that rely on IT/business collaboration to support business processes that enhance productivity within (and beyond) their organizations.

News source: IT in Canada