Cloud Source

Open Source does not stop you from doing your homework

on 04-28-2014 05:47 AM

Over the last couple of weeks, the word Heartbleed has been on everybody’s lips. And it has quickly become an argument against Open Source. You see, the Open Source community is supposedly unable to write software that is secure. I’m not a security specialist, so I won’t dive into the intricacies of how and why this happened, but I’d like to share with you some of my thoughts about using Open Source software, and what you should do if you start using such software.


First, let me remind you that security loopholes are not exclusive to Open Source software. Some very well-known software providers often release patches for their software. Some do so on a regular schedule. Ever heard the phrase “Patch Tuesday”? I actually rather feel that the Open Source community does not have a lot of security incidents that are reported.


The difference between the development process in the Open Source and the commercial world boils down to the fact that the developers are not all part of the same company. They are a community of people who put their experience, their skills and their knowledge together to achieve a common objective: the development of a piece of code. Ultimately the same precautions apply.


So, what should you do if you want to use a specific piece of Open Source software? Fundamentally two things.


Understand the governance process

One of the big advantages of most Open Source communities is that they are quite transparent. Everything they do is documented. OK, it’s not always that easy to find and/or understand what they mean, but you can get the information. Take the time to find the information, go through it, and try to understand what it means and whether you are comfortable with what they have put in place.


There are a number of elements to look at:

  • Which organizations support the community? Are they funding it, and if the answer is yes, how? Look for a foundation or another not-for-profit structure and understand who is behind it. Let’s take the example of the OpenSSL Software Foundation. It used to run on a shoestring budget and required Heartbleed to get proper funding. At the other end of the spectrum, look at the structure set up by the OpenStack Foundation.
  • Understand how functionality is decided. How does the community agree on what additional functionality is developed, who does it and how it is integrated in the overall activities? Is there a technical committee that looks at the implications of decisions for the software architecture, its testing and its releases? To stick with OpenStack for a minute, the technical committee members define and steward the technical direction of OpenStack software, including cross-program issues. The committee of 13 is fully elected by the project’s Active Technical Contributors.
  • Understand how contributors can contribute to the process. Let me take OpenStack as an example again. A well-documented page describes how you can contribute. If you have coded a piece of functionality, you first need to go through peer review. Only when that is done is your contribution submitted for testing. Thorough testing takes place, and only if you pass that testing is your contribution included in the software. That may not resolve everything, but it already guarantees that many issues are addressed. Also look at the other roles that the OpenStack team employs.

Ultimately, get to know who contributes to the development of the Open Source software you want to use. Make sure you feel confident they do a professional job. Be comfortable with what you read, as there is nobody you can turn to if things get ugly.


Perform your own security tests

Now you’re ready to use the software you have been looking at. Before you do that, run your own tests. In particular, you may want to scan the software for potential security holes. Perform static and dynamic application security testing, on both the source code and the compiled object code.


This is a big difference compared to what you do with commercial software. You have nobody to turn to, so make sure you do your homework before you take things in production.

You may also want to think about contributing to the Open Source community that develops the software you’re interested in. That way you get in contact with the other contributors, understand better how the software is constructed, and learn where you may have to pay attention.


Don’t forget to look at the licensing

There are many different flavors of Open Source software licenses, and the one under which the software you are looking at is released may have implications for what you can do with it. You can find the list of the most popular Open Source licensing agreements here. They are not all equal. Let me give you a simple example:

  • GPL aims to protect freedom by forcing freedom upon anyone else who uses GPL code. If you write GPL code, all the derivatives will be GPL and you'll always be able to reap the benefits of others' work based on your work.
  • BSD folks see it differently: freedom implies the freedom to allow others to take my code and do whatever they want with it. If I write BSD code, someone can derive from it and build something else, but this derivative work may never be shown to the world. The deriving party will be the sole beneficiary: they took other people's contributions but did not give anything back.

So make sure you understand what you are getting into when deciding to use Open Source code.



You pay for commercial software. Open Source software typically comes for free. So, it’s a winning proposition for many companies. However, do your homework; don’t just try to save money, because with Open Source software you alone are responsible. Sure, you can typically get support from the community, but you cannot turn to the provider for compensation in case of issues. So make sure you keep that in mind when taking your decision.
