Open architecture

The demand for open source technologies is starting to increase as regional organisations explore ways of maximising their limited IT budgets.

By Alex Ritman. Published March 5, 2006

The most obvious benefit of open source technology is the initial cost. “No price is more attractive than free,” says Ali Hamedi, senior technical engineer of Dubai-based Sphere Networks. But he claims this is not the only advantage of open source technology. “The most important ones would have to be security, customisability and agility.”

For Yasser Ragaei, business manager of enterprise systems at HP Middle East, another major advantage of open source is the choice of applications available, with many internet service providers (ISPs) developing applications to run on Linux. “It is really a wide platform reaching a wide base of customers. ISPs are really enthusiastic to develop on Linux.”

Enterprise network security is becoming a major issue for corporations not only in the Middle East but also around the globe. Hamedi believes open source technologies do provide the required level of security. “Although I very much doubt many companies inspect the code themselves, they take comfort in knowing that others have,” says Hamedi. He points to software such as the ubiquitous Apache webserver, considered to have rock-solid stability not just from years of use and thousands of installations, but because its code base is well understood by the community. Hamedi claims that whereas with big brand closed source products you have to wait for something he calls “patch Tuesday” to roll around when a serious vulnerability is revealed, with open source products such as Apache “it is commonly said to take mere hours, and sometimes minutes, for a patch to appear”.

Compared to Microsoft’s ‘closed source’ software, open source products are often considered better in the security realm, especially considering the regularity with which Microsoft announces vulnerabilities and software fixes. Proponents of open source argue that it is inherently more secure, with a much larger set of developers that can read the code, vet it and correct problems. A version of Linux, SuSE Enterprise Server 9, in March 2005 became the first to earn government International Common Criteria certification for security level 4. This award is comparable to what Microsoft managed to achieve with Windows Server 2000 in security test reviews three years earlier.

However, several research companies claim that viewing open source as more secure because there are more people looking at it is a false assumption. The Burton Group, in its report ‘Securing Open Source Infrastructure,’ concurs with this thinking, describing it as “the myth of more eyes,” and listing case after case where critical flaws in open source software were not spotted. Also noted in the Burton Group’s research is the ability for developers to leave ‘back doors’ in open source code.

Closed source, on the other hand, provides a single point of contact for companies, be it from Microsoft, Oracle, or whoever. These vendors will address any security flaws that come to light, usually through a software patch. In the open source world, if a security vulnerability in Linux is identified, IBM and other Linux-supporting vendors may respond with their own emergency patch, which is also shared as an interim fix with the Linux community. A Microsoft-paid study by research firm Security Innovation in 2004 asserted that a web server based on open source code had twice as many security vulnerabilities recorded throughout the year, compared to a Microsoft-based web server.

“Open source is a double-edged sword,” says Hatem Alsibai, CIO of the Al Ghurair Group. “It can save the organisation tremendous costs, but if used without having some guidelines or some open source policy, it can also lead to unpleasant situations.”

Policies are needed to review the risks that come with open source. Because it is software that anyone can download, engineers and technicians can download and run any open source software within an organisation. “So a company must protect itself,” says Alsibai. “There must be an acquisition policy, there must be a selection process for the project that is going to fit within the organisation, it cannot be just as simple as someone downloading something and saying ‘this is good’. You need policy to manage the risks.”

Also important is extensive testing, and having a patching and upgrade policy. “Patching a piece of your framework might end up leaving your entire framework dysfunctional,” Alsibai admits. “I need to know what will happen if I upgrade Apache from this version to that, or upgrade MySQL.”

According to Alsibai there are currently around 65,000 open source projects, ranging from the extremely popular with thousands of contributors, to ones with just a handful of followers. “So extra care needs to be taken in the selection process. Just make sure that you do have a project that has a tremendous amount of momentum behind it.”

Sphere Networks internally uses a collection of open source products to support its software development. “In fact, our entire development environment is 100% powered by open source,” admits Hamedi. The company uses Bugzilla for bug tracking, Subversion for source code management and Luntbuild for automated builds, all running on a Linux server. “Of course being a software development house, we also love the ability to jump right into the code and customise the code for our own use,” he adds.

Some people have suggested that, despite its ‘free’ tag, there are issues with open source software that may actually make it more expensive to operate in the long run. One major factor is the lack of fully-trained Linux engineers, but Hamedi claims that this is a common misconception. It is often believed that all open source code is developed by a large, enthusiastic but entirely unprofessional community. “I think that’s far from the truth,” he says, pointing out that big open source projects are often funded and powered by big companies. “Take Eclipse as an extreme example, the biggest contributors by far are IBM-paid developers.”

Having a trained technician on the other end of a phone is not the only way of dealing with any technical difficulties that may arise. There are plenty of forums and newsgroups, and posting a message online is likely to get a response from one of the core developers. “Which in this case is worth a lot more than talking to an outsourced support representative,” says Hamedi.

It may be true that phone support 24 hours a day, 7 days a week, is an invaluable tool when technical advice is needed. While not as dependable, for smaller open source projects that are actively used, there is almost always a group of helpful individuals that can help resolve problems quickly. In fact, several companies have established themselves as providers, for a fee, of Linux technical support. Red Hat, for example, provides free open source software, but charges for support. “Many companies have found that they have saved by switching to this model,” says Alsibai. Aside from the actual technical help, there are also quite a few companies who are dedicated to supporting open software. Websites such as FindOpenSourceSupport.com try to make it simpler for clients to track down companies or individuals who can assist.

According to Hamedi, there are extremes when it comes to companies using open source technology on their networks. “On one end of the scale you’ll find big companies that will do anything they can to avoid it,” he says, adding that there are some that even have a strict policy of using no open source whatsoever. Larger companies need to show that their networks are secure, with a well-established and accountable name behind them. “They need the guaranteed support, they need to be able to point the finger if anything goes wrong. As the adage goes, ‘no one gets fired for buying Microsoft.’”

However, for smaller companies it is a different story, and many are willing to try to use as much open source software as they can. “The steeper learning and potential support burden is often justified by the initial cost savings.”

Demand for open source products has mainly come from small organisations, claims Ragaei. “Most of them are very much interested and curious, and eager to evaluate at least.” He says that most enterprises are starting to deploy Linux, but at different places. “I wouldn’t see a telco running his billing solution on Linux yet, because of the security needs, and the sensitivity to downtime.” But for something like a webserver or email server, then Linux is a definite possibility.

According to Ragaei, open source is beginning to completely dominate the HPTCO (high performance technical computing organisations). “Because in this case, you’ve maybe got hundreds and thousands of servers working together, and to lose one server is not a big issue.” He names the oil & gas industry as one example where Linux is becoming standard.

In the Middle East the uptake of open source technology has been quite slow, with the general feeling still being to play it safe and stay with the big names. However, Hamedi suggests that this attitude could be different soon. “Things will inevitably change as the industry matures and open source technologies gain visibility here.” He says that the emergence of regional open source groups is a clear indication of this move. “There are numerous Linux user groups in the region, which leads me to believe that this is already happening in the UAE at least.”

Alsibai believes that open source acceptance is slowly gaining momentum in the region, but is still lagging behind. “This area is pretty much a transient society, and people generally move around a lot. You might get a lot of decision makers who are just interested in not rocking the boat.” Dubai is a “vendor-driven culture,” says Alsibai, where people with requirements just call their preferred vendor, explain the problem and receive the solution. “The vendor does the driving, but in other cultures it’s the organisation itself doing its own research and deciding which way they want to go.”

With security being one of the major issues facing CIOs today, having the right protection and the right ability to rectify problems is of utmost concern when selecting an open source platform. “If the users have the ability, or the company has the in-house talent, there’s nothing stopping them from fixing the security issue themselves, and in fact this is really the kind of mindset that open source advocates try to encourage,” says Sphere Networks’ Hamedi. With such a large and expanding open source community, if the product in question is actively used then a patch or fix will be released not long after the security issue is discovered. “Or at the very least a workaround will be found and documented,” he claims.

Things obviously get trickier if you are relying on a very specialised niche product with only a few worldwide users, software that is no longer being actively developed. “Then your options are quite limited,” says Hamedi. “But even then, the situation is not dire. There are plenty of services such as rentacoder.com, which commoditise programming, where you can track down someone with the skills required to resolve the issue.”

On the commercial application side of things, ironically, matters are significantly more difficult when utilising software that is no longer developed. “When a commercial application is end of life, then generally speaking you have no choice but to abandon that product, lose your investment and find an alternative.”

The Al Ghurair Group’s Alsibai describes the way open source developers work in the face of a security issue as like an ‘ant colony’, with a high degree of organisation. “No single member is important, or significant, but the overall system just works brilliantly. There have been many cases where security breaches have been identified, and commercial companies were not coming through with solutions for weeks.” With open source, you have a “virtual army” of technicians available to work on it. “You have people working round the clock, different time zones, different cultures, different mindsets and different ways of looking at the problem. You really do get good quality software, as you have seen with Apache and MySQL.”

For Alsibai, open source is no longer just about software, but about knowledge and collaboration. “It’s going to occupy a bigger footprint in our lives whether you like it or not. So the best thing to do is to understand it, and learn how to benefit from it like those who already have.”
