Assessing the risks of open source

  1. Assessing the risks of open source

    A recent META Group article analyzes the risks and benefits of open source, focusing on its use in the J2EE context. The article predicts that by 2003 every Java shop will have adopted some open-source software, and that 14% of them will use open-source application servers. It also says that the line between open-source vendors (with profitable business models) and commercial vendors with free products will blur.

    Read Assessing the risks of open source.


  2. Assessing the risks of open source

    I liked the big WebSphere ad that I got right in the middle of the article.
  3. Assessing the risks of open source

    Now it's a Sybase ad. It's a conspiracy! :)
  4. It looks like the main "risk" the article addresses is security. Specifically, what security risks are introduced by using OSS in a project. It concludes that OSS does not yield any greater security risk than proprietary software. Basically, an OSS committer/developer can introduce a security risk (accidentally or maliciously) just as easily as an employee of a closed-source software vendor.

    I would take this one step further and say that OSS reduces this risk *more* than closed-source software. If a security hole is discovered in OSS, anybody has the ability to "plug the hole" since anybody has access to the source code. If a vendor's software has a security hole, users completely rely on the vendor to (correctly) address the problem and issue a fix.

    Also, as OSS is available to all to see, "suspicious" code that could cause a security problem has a greater chance of being discovered than closed-source code to which only a select few are privy.

    Finally, a flip side to this argument is - What are the risks of using closed source software? Proponents of OSS (especially Eric Raymond) will tell you that risk mitigation is a big selling point *for* OSS. This article makes some interesting points towards this:

    http://www.osopinion.com/Opinions/AlanCox/AlanCox1.html

    Ryan
  5. Security and open-source

    The other problem with closed-systems is that not only do you rely on a vendor to provide a fix, but sometimes to even inform you there is a problem.

    Unless you like hanging out on hacker newsgroups to find out what the latest Microsoft/IBM/Oracle/etc. security exploit is, and putting up with reading a lot of BS to find it, you are going to be caught unaware unless you're lucky enough to get a heads-up from another customer that is spreading the word. Back when I was responsible for system security at an old job, it was not unusual to see hackers discussing security holes a month before a vendor would finally issue a general release.

    If I want to be aware of problems that may exist in OSS, it's not hard. There are many OSS communities and just about every OSS project has its own dedicated user community. You're not waiting on a vendor to admit it made a mistake and you don't have to lurk on hacker websites. The information exchange is constant and, naturally, open.

    I've never believed security was a good reason to choose a proprietary solution over Open-Source. From what I've seen, it doesn't matter what you choose to use, but how you use it. Linux or Windows will only be as secure as the system administrator is competent. An application will only be as secure as the developers make it. So on and so forth. It doesn't matter if a company throws cash at a product because it features high security, but they don't throw cash on people with the knowledge to effectively implement that security.

    In my experience, if companies would spend more money on training and salaries, rather than spending exorbitant amounts on software and dubious vendor technical support contracts, they would probably have better results.
  6. Security and open-source

    <Q>
    In my experience, if companies would spend more money on training and salaries, rather than spending exorbitant amounts on software and dubious vendor technical support contracts, they would probably have better results.
    </Q>

    Very good point. Or if they would just do their core competencies and let others do theirs. (i.e., are they a manufacturer or a software company?)
  7. Assessing the risks of open source

    Although the main "risk" the article dealt with was security, I tend to agree with Ryan that this is not as large a risk as many think.

    However, on a different aspect of the article - I think it was very wrong on why companies are wary of OSS. I am currently putting together a technical architecture layer for some J2EE projects using open source (Xerces, Struts, etc.). The main issue with open source from my client's perspective has been copyright and IP.

    As an example, if I have an open source development on the Net, and someone submits copyrighted code to the project without telling the project, the OSS now has embedded copyrighted code.
    If the copyright holder at some later stage finds out and decides to "enforce" his rights, many people who are using the software would be liable to pay for these rights.
    In commercial software, the vendor stands behind the code in terms of IP (i.e., they guarantee they didn't rip off other people's code).

    Although the project could replace the copyrighted code, it may be very embedded in the OSS and be hard to remove.

    This has been the main risk which has been discussed for our projects.

    Tim
  8. Assessing the risks of open source

    The interesting quote for me was

    "By 2006/07, the cycle of movement between open source and standards will be common, and 80 percent of organizations developing with Java will make some use of open-source products."

    I'm surprised it's not that high or higher already. It must be pretty difficult to put together a Java project of any size these days that does not include some open source software. If you're using WebLogic or WebSphere then you're using some Jakarta code, how do you build if you don't use Ant, what sort of logging system did you use before Java 1.4, etc. I mean, if you wanted to pay for a Java XML parser where would you go?

    If we're now over the chasm for Java open source then the opportunities for companies to address the remaining qualms of commercial open source users must be expanding. These people don't seem to have any problem with open source technically, they just want someone to "certify" or "stand behind" the code, someone to blame if stuff goes wrong. A nice little side line for some consultancy perhaps :)
  9. Assessing the risks of open source

    I work as a consultant and some of my customers don't allow OSS to be used. Most of the governmental departments I've worked for said no to OSS. Even bigger private companies have refused to use OSS. Mostly they're afraid of the security issues, which I think is wrong. Maybe I should send this article to them. :)
  10. Assessing the risks of open source

    <Q>
    I work as a consultant and some of my customers don't allow OSS to be used. Most of the governmental departments I've worked for said no to OSS. Even bigger private companies have refused to use OSS. Mostly they're afraid of the security issues, which I think is wrong. Maybe I should send this article to them. :)
    </Q>
    My guess is that you are using Java, since you are posting here. If so, how do you reconcile the previous posters' statements? What are they using as WebServers? XML parsers? Etc.
  11. Assessing the risks of open source

    <q>
    What are they using as WebServers? XML parsers? Etc.
    </q>
    Good question. Earlier, the app servers mentioned were WLS & WebSphere, but I do not know any really expensive, non-OS app server that does not use open source. BAS was one of the first to use Tomcat as its web server. Oracle uses Orion, which in turn uses lots of Apache stuff.

    I cannot remember any project I've done in the last couple of years in which I have not used any open source.

  12. Assessing the risks of open source

    <Q>
    Good question. Earlier, the app servers mentioned were WLS & WebSphere
    </Q>

    And if they were using WebSphere they were using IBM HTTP Server, which is Apache.
  13. Assessing the risks of open source

    <Q>
    > Good question. Earlier, the app servers mentioned were WLS & WebSphere

    And if they were using WebSphere they were using IBM HTTP Server, which is Apache.
    </Q>

    And don't forget: Xerces (xml4j), Jasper (JSP engine), Struts (in the web-based administration console), Xalan, Apache SOAP (I think), the Bean Scripting Framework (BSF), bits of the Eclipse IDE etc. I'm sure there are more examples too.
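    The question put to the OSS-averse shops a few posts up (what are they actually running as web servers and XML parsers?) and the copyright/IP worry Tim raised earlier both reduce to the same practical step: knowing what is really inside the deployment, vendor-branded or not. The script below is an added example, not code from this thread, from the META Group article or from any vendor. It walks a WEB-INF/lib directory, reads each jar's META-INF/MANIFEST.MF (the Implementation-Title/-Version/-Vendor headers and the OSGi Bundle-License header) plus any Maven META-INF/maven/*/pom.properties, and then flags every jar whose vendor is not on an approved list, treating a jar with no vendor header as unapproved rather than silently passing it. The deployment it scans is constructed in a temporary directory with made-up component names (org.example, "Example Open Source Project", "ACME Corp") purely so the script runs offline; none of them are real releases.

```python
"""Inventory of the open-source components embedded in a Java deployment. Added
example, not code from the thread; the sample jars and their metadata are made up."""
import os
import tempfile
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Component:
    jar: str
    title: Optional[str] = None
    version: Optional[str] = None
    vendor: Optional[str] = None
    license: Optional[str] = None
    maven: List[str] = field(default_factory=list)  # "group:artifact:version"


def parse_manifest(text: str) -> Dict[str, str]:
    """Main attributes of a MANIFEST.MF (a leading space continues the previous header)."""
    headers: Dict[str, str] = {}
    last: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():
            break  # the first blank line ends the main section
        if raw.startswith(" ") and last is not None:
            headers[last] += raw[1:]
        elif ":" in raw:
            key, _, value = raw.partition(":")
            last = key.strip()
            headers[last] = value.strip()
    return headers


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader (key=value lines, # comments)."""
    pairs = (line.partition("=") for line in map(str.strip, text.splitlines())
             if line and not line.startswith("#") and "=" in line)
    return {k.strip(): v.strip() for k, _, v in pairs}


def inspect_jar(path: str) -> Component:
    """Read manifest headers and Maven coordinates from one jar."""
    comp = Component(jar=os.path.basename(path))
    with zipfile.ZipFile(path) as zf:
        if "META-INF/MANIFEST.MF" in zf.namelist():
            h = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
            comp.title = h.get("Implementation-Title") or h.get("Bundle-SymbolicName")
            comp.version = h.get("Implementation-Version") or h.get("Bundle-Version")
            comp.vendor = h.get("Implementation-Vendor")
            comp.license = h.get("Bundle-License")
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                p = parse_properties(zf.read(name).decode("utf-8", "replace"))
                if {"groupId", "artifactId", "version"}.issubset(p):
                    comp.maven.append(f"{p['groupId']}:{p['artifactId']}:{p['version']}")
    return comp


def inventory(root: str) -> List[Component]:
    """Every .jar under root, sorted by file name."""
    jars = [os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs if f.endswith(".jar")]
    return sorted(map(inspect_jar, jars), key=lambda c: c.jar)


def unapproved(comps: List[Component], approved_vendors: Set[str]) -> List[str]:
    """Jars whose vendor is not approved; a jar with no vendor header is flagged too."""
    return [c.jar for c in comps if c.vendor not in approved_vendors]


def build_sample_deployment() -> str:
    """Constructed WEB-INF/lib with three jars; every name and version is made up."""
    root = tempfile.mkdtemp(prefix="j2ee-lib-")
    lib = os.path.join(root, "WEB-INF", "lib")
    os.makedirs(lib)
    jars = {
        "example-xml-parser.jar": [
            ("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nImplementation-Title: Example XML Parser\r\n"
             "Implementation-Version: 2.0.0\r\nImplementation-Vendor: Example Open Source Project\r\n"
             "Bundle-License: https://www.apache.org/licenses/LICENSE-2.0\r\n\r\n"),
            ("META-INF/maven/org.example/xml-parser/pom.properties",
             "#generated\ngroupId=org.example\nartifactId=xml-parser\nversion=2.0.0\n"),
        ],
        "acme-billing.jar": [
            ("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nImplementation-Title: ACME Billing\r\n"
             "Implementation-Version: 1.4\r\nImplementation-Vendor: ACME Corp\r\n\r\n"),
        ],
        "mystery.jar": [("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")],  # no metadata
    }
    for jar, entries in jars.items():
        with zipfile.ZipFile(os.path.join(lib, jar), "w") as zf:
            for name, body in entries:
                zf.writestr(name, body)
    return root


if __name__ == "__main__":
    comps = inventory(build_sample_deployment())
    print(*comps, "not on approved-vendor list:", unapproved(comps, {"ACME Corp"}), sep="\n")
```

    Point inventory() at a real WEB-INF/lib or at the application server's own lib directory instead of the constructed one. A jar that ships no metadata at all, like mystery.jar above, is the case that needs manual inspection (class package names, bundled LICENSE or NOTICE files), because the absence of a vendor header is not evidence that the code is home-grown; it is just as often a repackaged third-party library, which is exactly the IP exposure described earlier in the thread.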
  14. Assessing the risks of open source

    <q>
    My guess is that you are using Java, since you are posting here. If so how do reconcile the previous posters statements? What are they using as WebServers? XML parsers? Etc.
    </q>


    <chuckle>

    I know of a company that is like that (i.e. don't use open source) so they rebuilt a framework equivalent to Avalon, rewrote Ant and JUnit (in a better fashion of course)

    They seem to be quite happy with that and very proud of their framework.

    Using the work of other people isn't easy, the NIH (not invented here syndrome) is still very present on this planet if you ask me :o)

    a++ Cedric
  15. <quote>
    Using the work of other people isn't easy, the NIH (not invented here syndrome) is still very present on this planet if you ask me :o)
    </quote>

    On the contrary, I find using the work of other people quite easy - less work for me!

    Seriously, this seems like the dumbest reason for avoiding OSS. Why piss away time and effort on writing code completely unrelated to your business, such as an alternative to Ant and JUnit? I see no value in this. These OSS frameworks are powerful, popular and proven. Why not just use them and spend time writing code that helps your business?

    I can see being skeptical of using OSS solutions in the production run time environment. But build/test tools, come on! I just don't get it.

    Ryan
  16. Assessing the risks of open source

    <Q>
    I can see being skeptical of using OSS solutions in the production run time environment. But build/test tools, come on! I just don't get it.
    </Q>

    I can't even see that. Plenty of paid-for software stinks. NPFH (not paid for here) is no better than NIH. It all comes down to choosing wisely.

    Build/Test tools are my production environment. :) If OSS is good enough for me it is good enough for my customers/clients/users.
  17. Assessing the risks of open source

    Mark,

    I agree. I was merely saying that I recognize the difference between using Ant or JUnit in development and deploying a large-scale system on Tomcat or JBoss. The latter has more risks.

    I'm *not* saying that using OSS as your production app server is riskier than using a commercial alternative. I am simply saying that there is greater risk involved in choosing the software on which you deploy your production system than there is in choosing your build tools (OSS or not). Agreed?

    Ryan
  18. <q>
    I agree. I was merely saying that I recognize the difference between using Ant or JUnit in development and deploying a large-scale system on Tomcat or JBoss. The latter has more risks.
    </q>

    Why ?? You think using Apache involves a larger risk than using IIS ???

    Although I don't much like using either Tomcat or JBoss, they are both solutions proven in a production environment. Tomcat AFAIK is even the web container for a 35k/cpu app server (BAS I think they call it nowadays).

    Here in Brazil a lot of companies use JBoss because, with the current exchange rate, they simply cannot afford a US$30-35k/cpu app server (114800 in local currency or 574 times the minimum wage).
  19. <quote>
    Why ?? You think using Apache involves a larger risk than using IIS ???
    </quote>

    No.

    You didn't read the rest of my post. I said that the choice of your production app server involves more risk consideration than your choice of build/test tools. There are simply more risks to consider - performance, security, scalability, robustness, support, etc.

    I never said choosing OSS (Apache) over a commercial alternative (IIS) is riskier. In fact, in many circumstances (including this one) the opposite may be true.

    I think we see eye to eye on this.

    Ryan
  20. Assessing the risks of open source

    <quote>
    Here in Brasil a lot of companies use JBoss because, with the current exchange rate, they simply cannot afford a US$30-35k/cpu app server
    </quote>

    I guess US$30-35K/cpu refers to Enterprise editions of WLS, WAS or the like. These support advanced features, such as clustering, etc., and JBoss in its present form is hardly competition for them. JBoss seems to aim at "Standard Editions" that are typically in the US$2.5-12K range.

    Flashline.com has an up-to-date summary of AS offerings: Server Matrix
  21. Assessing the risks of open source

    <quote>
    I guess US$30-35K/cpu refers to Enterprise editions of WLS, WAS or the like. These support advanced features, such as clustering, etc. and JBoss in its present form is hardly a competition to them.
    </quote>

    JBoss supports clustering. What other "advanced" features do WLS/WAS support that JBoss does not? From my experience, it is right up there with the big boys, feature-wise.

    Ryan
  22. <q>
    JBoss supports clustering. What other "advanced" features do WLS/WAS support that JBoss does not? From my experience, it is right up there with the big boys, feature-wise.
    </q>

    WLS supports MBeans, monitoring via OpenView etc., automatic startup of extra servers based on metrics, hot deployment (which WAS does not), tuning of deployed and running applications and/or clusters, failover of running transactions and a lot of other features. It allows you to extend & use plugins for the admin console.
  23. <q>
    WLS supports MBeans, monitoring via OpenView etc., automatic startup of extra servers based on metrics, hot deployment (which WAS does not), tuning of deployed and running applications and/or clusters, failover of running transactions and a lot of other features. It allows you to extend & use plugins for the admin console
    </q>

    Well, I guess you're referring to the SNMP capability of WLS when you're talking about monitoring via OpenView. However, JBoss is based on a JMX-enabled kernel, therefore you also have the management capability within JBoss :o)
    Furthermore, hot deployment is available within JBoss.

    So I'm presuming that you're comparing WAS with WLS and not JBoss with WAS/WLS, which I do believe was the initial question: is my understanding of your point correct?

    a++ Cedric
  24. Assessing the risks of open source

    <Q>
    I agree. I was merely saying that I recognize the difference between using Ant or JUnit in development and deploying a large-scale system on Tomcat or JBoss. The latter has more risks.

    I'm *not* saying that using OSS as your production app server is riskier than using a commercial alternative. I am simply saying that there is greater risk involved in choosing what software on which you deploy your production system than there is in choosing your build tools (OSS or not). Agreed?
    </Q>

    Ok. I'm in your boat. Let's row.
  25. Assessing the risks of open source

    <QQ>
    <q>
    My guess is that you are using Java, since you are posting here. If so how do reconcile the previous posters statements? What are they using as WebServers? XML parsers? Etc.
    </q>


    <chuckle>

    I know of a company that is like that (i.e. don't use open source) so they rebuilt a framework equivalent to Avalon, rewrote Ant and JUnit (in a better fashion of course)

    They seem to be quite happy with that and very proud of their framework.

    Using the work of other people isn't easy, the NIH (not invented here syndrome) is still very present on this planet if you ask me :o)

    a++ Cedric
    </QQ>

    It is not just companies. There is a university in (I think) Germany that needed to unserialize objects. I started to help them out. After looking at what they wanted to do I suggested using Castor or a few others. The guy I was talking to said the manager wanted them to write their own stuff. OK - if THEY want to.

    As for using the work of other people - The Java APIs are other people's work. Maybe that proves your point. :o x2

    I'm sure they were proud of their work. Me - I'm never proud that I don't learn from others or duplicate effort. OPM is the best way (or OPE or OPS).
  26. Assessing the risks of open source

    I've worked for a number of government agencies as well, and I'm not surprised to hear people are worried about security when it comes to OSS. For some folks in these agencies (and many other places I'm sure), Java still means applets and applets means security holes to them because all they know is that it's code downloaded to the client machine, so thus Java = bad security and Java OSS = even worse security. Plenty of IT managers don't bother to fully understand things like OSS once they get misinformed ideas like that.

    Rob
  27. Assessing the risks of open source

    <q>
    These people don't seem to have any problem with open source technically, they just want someone to "certify" or "stand behind" the code, someone to blame if stuff goes wrong. A nice little side line for some consultancy perhaps :)
    </q>

    So, if I package some OS stuff, say JBoss with some Jakarta stuff, and charge $10,000/year in 'consultancy', it's OK?

    I think a lot of companies buy 'brand' and not product. Here in Brazil buying an app server generally is like buying cornflakes, if they have the cash to fork over they buy web(sphere/logic). Stability has little to do with it. Money talks stability & spec compliance walks.
  28. Assessing the risks of open source

    I agree that companies that "buy brand and not product" would be difficult to sell on open source, but perhaps the open source brand will help there. Apache has pretty good branding.

    On the other hand if these people buy WebLogic for the same reasons people buy Tommy Hilfiger clothes there's not much hope for them. I'd like to believe that there are some companies who have support problems with open source and they would be the ones to target.
  29. Assessing the risks of open source

    As long as you comply with the licenses of the open source products you are packaging together, then yes it is OK. If you do it I suggest that you also give back to the community through code, documentation, whatever, as that way everyone will benefit.

    As others have said, many companies are now using open source software without even knowing it. The point is they feel that they don't need to know the details because they have a vendor that they trust who will deal with the details. Building that trust is key to being successful in the industry, open source software or not. Branding is largely about trust, whether that trust is deserved or not.
  30. Assessing the risks of open source

    <Q>
    Here in Brazil
    </Q>

    I thought you were Dutch? I know a lot of Germans are there.
  31. Assessing the risks of open source

    <q>
    I thought you were Dutch? I know alot of Germans are there.
    </q>

    We were here first ;-) We sort of tried to steal it from the Portuguese ;-)

    But yes, I'm Dutch (100%) but have lived here for 7 years now.
  32. Assessing the risks of open source

    <Q>
    We were here first ;-) We sort of tried to steal it from the Portuguese ;-)

    But yes, I'm Dutch (100%) but have lived here for 7 years now.
    </Q>

    Everyone comes from somewhere else.

    My wife grew up in Brazil (not Brazilian). She lived in Novo Hamburgo, Sao Paulo and Curitiba. She speaks Portuguese, or Sportuguese as our boys first thought it was.
  33. Assessing the risks of open source

    <off-topic>
    <q>
    Everyone comes from somewhere else.
    </q>
    ;-)
    <q>
    My wife grew up in Brazil (not Brazilian). She lived in Novo Hamburgo, Sao Paulo and Curitiba. She speaks Portuguese, or Sportuguese as our boys first thought it was.
    </q>
    I live in Petropolis (Rio). Can't say I like São Paulo (too much concrete & cars, makes LA look like Smalltown USA ;-), don't know Curitiba & Novo Hamburgo.
    Great place (country) to live but difficult to make some $$$.
    </off-topic>

  34. <off-topic>
    <q>
    <q>
    Everyone comes from somewhere else.
    </q>
    ;-)
    <q>
    My wife grew up in Brazil (not Brazilian). She lived in Novo Hamburgo, Sao Paulo and Curitiba. She speaks Portuguese, or Sportuguese as our boys first thought it was.
    </q>
    I live in Petropolis (Rio). Can't say I like São Paulo (too much concrete & cars, makes LA look like Smalltown USA ;-), don't know Curitiba & Novo Hamburgo.
    Great place (country) to live but difficult to make some $$$.
    </off-topic>
    </q>

    <extremely off-topic>
    Really hard to make some money.

    By the way, I didn't come from anywhere else. I'm a real Brazilian.

    Andre
    </extremely off-topic>