Is open source fit for business?

The HeartBleed flaw puts the open source approach under the microscope

Tags: Open source

Is open source fit for business? Heartbleed highlighted how many vendors are using open source software in commercial offerings. (ITP Images)
By Mark Sutton, published April 27, 2014

The recent Heartbleed security flaw is putting the open source approach under the microscope. The flexibility of the open source model and the ability of the community to contribute are among the main draws of open source, and the reason it attracts such dedicated support. The Middle East has many open source communities, which have been very active in building local support and in encouraging open source in academia in the region.

Adoption of open source is not as strong in organisations in the Middle East as it is in other parts of the world, but it has proven to be a valued model in many areas. Local companies have contributed to open source projects, particularly projects with Arabic language requirements, or in verticals with very specific requirements. Open source communities have often led these efforts and made a greater contribution to developing projects than commercial vendors have.

Equally, there are IT professionals who would not consider using open source software. For some, the lack of professional support is off-putting; for others it is seen as unprofessional or not a good fit with risk-averse corporate cultures. The Heartbleed problem may give some weight to these concerns.

Heartbleed is a flaw that has been found in the widely used open source OpenSSL cryptography library. It is a missing bounds check in OpenSSL's implementation of the TLS heartbeat extension: a peer can claim a heartbeat payload longer than it actually sent, and the vulnerable server copies that many bytes out of its own memory into the reply, up to 64 KB per request, potentially exposing private keys, session cookies and passwords. The coder responsible, working as part of an open source project, appears to have made a genuine mistake in his coding which created a flaw that can be used to compromise web server security.
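The shape of that mistake, as an added illustration rather than OpenSSL's own code: a simplified heartbeat handler that trusts the peer's length field beside one that checks it against the bytes actually received. The record layout (type, two-byte big-endian payload length, payload, 16 bytes of padding) follows the heartbeat extension; the "arena" holding a secret right after the record is a constructed stand-in for adjacent process memory, and the function and constant names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* minimum padding the heartbeat extension requires */

typedef int (*hb_handler)(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap);

/* Vulnerable handler, the shape of the Heartbleed defect: payload_length is taken
 * from the peer and drives the copy, but is never compared with rec_len, the number
 * of bytes actually received. A large claimed length copies past the record into
 * whatever follows it in memory. Returns bytes written to out, or -1. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    (void)rec_len;                                     /* never consulted: that is the bug */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (3 + payload + HB_PADDING > out_cap) return -1; /* only the destination is bounded */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);                 /* over-read when payload > rec_len - 3 */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Hardened handler: adds the two length checks the upstream fix introduced, so a
 * claimed length that the received record cannot back is silently discarded. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;       /* too short for type, length and padding */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1; /* claimed length exceeds what arrived */
    if (3 + payload + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);                 /* now provably inside the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Constructed memory image for the demo (an assumption, not a real heap layout):
 * a request carrying a 3-byte payload, followed by a secret that is not part of
 * the record at all. */
#define SECRET "SECRET-KEY-MATERIAL"
static uint8_t arena[64];

static size_t build_request(uint16_t claimed_len)
{
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + 3, "hi!", 3);                       /* the 3 payload bytes really sent */
    size_t rec_len = 3 + 3 + HB_PADDING;               /* 22 bytes on the wire, padding is zero */
    memcpy(arena + rec_len, SECRET, strlen(SECRET));   /* adjacent data a handler must never return */
    return rec_len;
}

static int contains(const uint8_t *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Feed one handler a request that claims `claimed_len` payload bytes but carries 3.
 * Returns -1 if the request is rejected, 1 if the reply leaks the adjacent secret,
 * 0 if the reply is clean. */
static int probe(hb_handler h, uint16_t claimed_len)
{
    uint8_t out[128];
    size_t rec_len = build_request(claimed_len);
    int n = h(arena, rec_len, out, sizeof out);
    if (n < 0) return -1;
    return contains(out, (size_t)n, SECRET);
}

int main(void)
{
    printf("honest request (3 bytes), vulnerable handler: %d\n", probe(heartbeat_vulnerable, 3));
    printf("honest request (3 bytes), fixed handler:      %d\n", probe(heartbeat_fixed, 3));
    printf("claims 40 bytes, vulnerable handler:          %d\n", probe(heartbeat_vulnerable, 40));
    printf("claims 40 bytes, fixed handler:               %d\n", probe(heartbeat_fixed, 40));
    return 0;
}
```

The point a reviewer should take from the pair is that the vulnerable version does bound something (the destination buffer), which is why it looks plausible at a glance; the missing comparison is between the attacker-controlled length and the size of the source record. Real Heartbleed requests could claim up to 65535 bytes, which is where the 64 KB per request figure comes from.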

The theory is that open source software, through community and peer review, should be at least as robust and secure as commercial equivalents. Even with the testing teams deployed by commercial software companies, they cannot match the number of people who can review and improve open source code. Except that with Heartbleed, no one spotted the bug for two years after it shipped.

Heartbleed has to raise questions for the open source community about how code is reviewed and how it is released. In critical areas such as security, it is doubly important that principles of review are followed. Of course there are flaws in commercial software too, many, many flaws, but if open source communities want their work to be taken seriously by business, they need to improve procedures to ensure that mistakes like Heartbleed are much less likely to happen.

On top of that, commercial vendors also need to do more. Heartbleed is regarded as such a threat because the OpenSSL cryptography library is so widely used, including in commercial products. Vendors including Cisco and Juniper had hardware and software that was vulnerable to Heartbleed.

If I were a customer of one of these vendors, I would want to know why they put software created by a third party into a commercial product without properly reviewing the code. Vendors must do their part if they want to benefit from open source development. Heartbleed highlights that vendors cannot just take from open source initiatives; they must engage with them, to ensure that the projects are supported and that the work is up to a high enough standard that organisations can be comfortable adopting it.

The news that a number of vendors will now contribute to the Linux Foundation is a step in the right direction, and with vendors putting skin in the game, let's hope they also increase their engagement with the open source community, for everyone's benefit.
