CIOs often welcome the use of open source code within their IT shops, as its use can save both time and money....
But open source is not without its challenges -- challenges that are going up as the amount of open source code rises within the enterprise.
Consider this: The Black Duck by Synopsys 2018 Open Source Security and Risk Analysis analyzed more than 1,100 commercial codebases and found open source components in 96% of applications scanned, with an average of 257 open source components per application. Moreover, the average percentage of open source codebase increased to 57%, up from 36% in 2017.
Several IT and open source experts said they, too, have seen this trend, but they also noted that many organizations continue to struggle with open source software problems and how to best manage their adoption and use of OSS.
"Companies are still ramping up their governance processes," said Paul Welty, associate vice president of technology at global consulting firm North Highland.
Here, experts highlight five common open source software problems and how they should be handled.
1. Not knowing your sources
The ease of getting and using open source is a huge part of its appeal, but it can also cause headaches for IT executives who don't develop and enforce strong policies about when and what open source is allowed for enterprise use.
"Most companies don't really know what open source they're using today, and that's a problem," said Paul Chandler, an attorney at international law firm Mayer Brown. "If you don't know what open source is in your ecosystem or product portfolio, how do you know what vulnerabilities you might have and what patches to look for?"
Mark Drivervice president, Gartner
He said CIOs should employ scanning tools to find the open source code running in their organizations. This includes requiring their commercial software vendors to disclose any open source code used in their products -- and to require those vendors to assume the risks and responsibility associated with open source.
"The procurement contracts have to be open source savvy and they need to anticipate that open source products will come through commercial products and provide protections for the company against the risks," Chandler said.
Additionally, he said CIOs should create a strategy that establishes when open source software can be used and under what circumstances. The program must have ways to vet open source for security and license concerns based on enterprise needs and must establish governance systems that determine who is responsible for managing and maintaining the OSS within the enterprise.
2. Glossing over license rules and requirements
The Open Source Initiative, a nonprofit that promotes open source software, lists the 80 or so open source licenses it has approved, all of which come with individual rules and requirements. Organizations using OSS need to understand what the license rules and requirements mean for them.
"Even though open source is free, it comes with many strings attached," said Robert Kriss, a partner at Mayer Brown, whose practice focuses in part on resolving disputes involving IT outsourcing, software development, cybersecurity and e-commerce.
These license requirements can be technically complex; some licenses require developers to share any changes they make to the source code, while others do not. Some have patent retaliation restrictions. Others impact whether the open source software can be used in products for commercial sale. Moreover, developers using more than one OSS in a product could find the license terms for one open source component contradicts the licenses terms associated with another.
"Companies have real headaches trying to comply with license terms, partly because the terms aren't always clear," Kriss said. "But the bottom line is that there are risks depending on the language of the licenses and you have to read the licenses to know to know what risks you're facing."
3. Underestimating cost of open source software
A major appeal of OSS is acquiring code without paying anyone for it. But the absence of an invoice from a vendor doesn't mean open source comes without costs.
Mark Driver, vice president and research director at Gartner, said organizations often fail to calculate the total cost of ownership for the open source software they opt to use.
Moreover, organizations underestimate the time commitment necessary for staff to maintain open source code and manage any open source software problems.
"Many organizations will choose the noncommercial route because they think they're getting the biggest bang for the buck, thinking they're just going to use internal resources to do day-to-day [maintenance work]," Driver said. "But it's very easy to obfuscate or to lose the ability to actually know how much you're spending when it's just people's time."
To avoid this, Driver said IT needs to establish the service levels required for open source code used in applications, factoring in the criticality of those applications.
With that, IT can determine the cost of adequately supporting open source code, the costs related to potential application failures associated with that code and whether that net cost beats the commercial alternatives.
"We're starting to see unbridled enthusiasm for open source, but that's not how you run a business. You have to take a sober look at the value of it," Driver said.
4. Skimping on usability
Developers are using OSS to quickly deliver the features and functions demanded by users in their applications, but Michael Fauscette, chief research officer at G2 Crowd Inc., said developers need to consider if open source delivers the same level of usability as a commercial product.
Usability issues are a bigger concern when an enterprise opts for an open source product in lieu of using open source code as part of the development of a finished product, he explained. However, even when open source software is only part of a larger application, it can still make a particular feature or function significantly less user-friendly.
Developers don't have to automatically forgo the open source option in those cases, Fauscette said, but they should weigh whether the benefits of open source outweigh the limited usability. "There's much less tolerance from employees today to use something that isn't easy to use," he added.
5. Failing to manage and maintain the open source portfolio
Open source has no primary vendor releasing software updates or pushing system patches. Theoretically, experienced developers know they're on the hook to seek out updates to the open source software they have in production, yet often fail to do so.
"Open source assets tend to be widely undermanaged within IT portfolios," Driver said.
Tech executives need to implement governance programs that ensure their teams adequately manage the OSS they have running. That program must include a process to find, review and test software updates to ascertain if they're secure and will work in the enterprise environment.
Driver said he advises tech leaders to establish a multi-tiered system of management, with OSS running in mission-critical applications getting the most rigorous level of service.
Though a daunting task, shirking management of open source software problems can be catastrophic. Welty pointed to the 2017 Equifax data breach, where Equifax acknowledged that hackers exploited a known vulnerability in an open source code, a vulnerability that the Apache Software Foundation had already identified and offered a patch to correct.
"You have to have a process to monitor and bring in updates," Welty said, adding that the management process must incorporate the fact that open source updates and patches come on an irregular schedule and should be rapidly and constantly addressed.