Open Source: The Good, Bad and Ugly — Studies in Two Extremes
Published: April 18, 2012 11:15
When top-class Open Source tools and applications (think software like Linux, Apache Web Server, PostgreSQL and PHP) went head to head against similar proprietary software, a recent survey found that Open Source bested or equaled the quality of its proprietary cousins. The Open Source community hailed these findings from Gartner and Coverity.
But think again. Things aren’t that simple in the world of Open Source. Head on over to SourceForge or Google Code and you’ll find thousands of Open Source projects. After looking at some of the Open Source options available, it’s not that hard to come to the conclusion that not all Open Source projects are created equal. Many posted Open Source projects are abandoned, incomplete, or generally not well maintained. Some companies like Black Duck Software specialize in characterizing Open Source projects, identifying the activity of the project, the licensing, and known defects.
So while the Gartner/Coverity report characterizes Open Source as often a more desirable option than proprietary software, it’s not too surprising that there may be another point of view, especially since there are so many faces to Open Source software. Another recent report, one by Sonatype and Aspect Security, for example, presents a very different picture.
In particular, Sonatype focuses on the problem of businesses that build applications out of Open Source components but then don’t bother to keep track of which components they’ve used. Because of that, they are often unaware when vulnerabilities are found in the components that they’re using. Even if the Open Source component is fixed by the community and the vulnerability is removed in a new release of the OSS code, developers who have already used that component and have moved on to their next project may not be keeping track of components in the project that need to be updated. Tim O’Brien, writing on the Sonatype blog, calls the problem “shocking”.
The Sonatype report finds that even high-profile Open Source projects like Google Web Toolkit, Spring MVC, Struts 1.X and Hibernate have had serious vulnerabilities. As many as 50 percent of the largest corporations are estimated to be running applications that are flawed due to vulnerabilities in the Open Source components from which they were created. That guess is based on the fact that 80 percent of large companies have said that they are building applications based on Open Source components.
Jeff Williams, CEO of Aspect Security, said that “The data clearly shows that organizations consume huge numbers of vulnerable libraries. This is a wake-up call for software development organizations. While the numbers from this report are alarming, the take-away is clear — open-source software is critical to forward-thinking development organizations, but there must be education and control to accompany its usage.”
Andrew Aitken, Founder and Managing Partner of Olliance Group (now Black Duck Software), countered the conclusions of the Sonatype report saying that “it’s unfortunate to see this and we disagree with the tone of the study inferring that open source is low quality and risky. All software has vulnerabilities, and this study doesn’t compare open source to other code. It just says open source has ‘x’, and there have been many studies showing that OSS is higher quality than most other code.”