The great equalizer across all companies and industries in the software world is schedule compression. No one company or development organization can defy the laws of software physics to bend its code around space and time. However, this doesn’t eliminate the pressure of trying to deliver new functionality and products to market before the competition to capture more market share.
Many new processes have emerged to try to speed up development, like Agile, Extreme, Chaos and Personal Software Process, to name a few. While these processes have shown promise, nothing has impacted speed and reduced difficulty as significantly as the open source movement.
As the old saying goes, “Necessity is the mother of invention.” For the past ten years, the software development community has fully embraced the notion of not reinventing what has already been done in the open source community. Amazingly enough, this approach has been broadly embraced at the executive level in both the public and private sectors. I say “amazing” because of their willingness to take on unknown risk in quality and security, which could be severely damaging to their brand, for the purpose of cost and schedule reduction. I’m not suggesting we all abandon ship, but let’s take a step back for a second and try to be objective.
There is a predominant belief out there that open source software is of higher quality and security because it is maintained by a community of developers who are attentive to their creations. Some truly great products have been created via open source, such as Mozilla Firefox, Linux, Apache, MySQL and WordPress. An executive responsible for fielding new software capabilities and/or products more than likely decides to incorporate open source into a development strategy based on the savings (cost and schedule). However, this decision must be balanced against the added cost of the risk assessment and mitigation processes that have to be put in place to account for the added risk to those programs.
I know what you’re thinking: “Risks … what risks?” It’s all too easy to get hooked on the adrenaline rush of accomplishing six months of work and saving hundreds of thousands of dollars by downloading some open source code. You almost feel like you’re cheating, and at the same time everyone around you is cheering you on to put your hand in that cookie jar. The risks I’m referring to are three in particular:
- Intellectual property compliance and copyright infringement
- Maintaining current security levels and having transparency into security vulnerabilities
- Traceability for compliance with export control regulations
I’m really sorry to be the heavy in this situation. But, the good news is that there is a way to address these risks on the open source ride: compositional analysis.
There are some great technologies on the market (e.g., Palamida) that provide a breakdown of what percentage of your software is organically developed, COTS and open source. In addition, these technologies will advise you on how exposed you are to the three risks specified above. The last thing any of us wants is to be on the receiving end of a big lawsuit because we violated IP and copyright law in our software; that would be flushing all of the savings we obtained (and then some) down the drain. Software is also a major part of your brand, and we have seen in recent months, compliments of Target, how not paying attention to security can have severe consequences by compromising your company’s customers. Understanding the security risks within the open source packages you incorporate into your product, and staying current on patches, is mandatory. Finally, if you’re exporting your software, you must make sure your products comply with the relevant export control regulations, which will keep you off the INTERPOL “Most Wanted” boards.
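To make the breakdown and the three-risk check concrete, here is a small compositional analysis over a constructed component inventory. This is an added illustration, not Palamida or any tooling from this post; the component names, the copyleft policy set and the inventory values are assumptions made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical policy: licenses whose copyleft terms conflict with shipping a
# closed, proprietary product. A real policy comes from your legal counsel.
COPYLEFT = {"GPL-2.0", "GPL-3.0", "AGPL-3.0"}

@dataclass
class Component:
    name: str
    origin: str                       # "organic", "cots" or "open_source"
    loc: int                          # lines of code this component adds to the build
    license: str
    unpatched_advisories: int = 0     # published security fixes not yet applied
    export_controlled: bool = False   # e.g. cryptography that needs a classification

def composition(inventory: List[Component]) -> Dict[str, float]:
    """Percentage of the code base by origin, weighted by lines of code."""
    total = sum(c.loc for c in inventory)
    pct = {"organic": 0.0, "cots": 0.0, "open_source": 0.0}
    for c in inventory:
        pct[c.origin] += c.loc
    return {k: round(100 * v / total, 1) for k, v in pct.items()}

def risk_findings(inventory: List[Component], proprietary: bool = True) -> List[str]:
    """One finding per component per risk: IP/license, security, export control."""
    findings = []
    for c in inventory:
        if proprietary and c.license in COPYLEFT:
            findings.append(f"{c.name}: {c.license} obligations conflict with proprietary distribution")
        if c.unpatched_advisories:
            findings.append(f"{c.name}: {c.unpatched_advisories} unpatched security advisory(ies)")
        if c.export_controlled:
            findings.append(f"{c.name}: requires export classification before shipping")
    return findings

# Constructed inventory for this example; not data from any real project.
INVENTORY = [
    Component("billing-core", "organic", 60_000, "Proprietary"),
    Component("report-engine", "cots", 25_000, "Commercial"),
    Component("web-framework", "open_source", 90_000, "Apache-2.0", unpatched_advisories=2),
    Component("pdf-lib", "open_source", 20_000, "GPL-3.0"),
    Component("crypto-lib", "open_source", 5_000, "MIT", export_controlled=True),
]

if __name__ == "__main__":
    print(composition(INVENTORY))   # {'organic': 30.0, 'cots': 12.5, 'open_source': 57.5}
    for finding in risk_findings(INVENTORY):
        print("-", finding)
```

In practice the inventory would be generated by a scanner rather than typed by hand, and the advisory counts refreshed on every build so the security finding tracks new disclosures.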
At ProServices, we are currently working with customers in both the public and private sectors to help them understand the composition of their current systems and the associated risks. Many of our customers do not know the breakdown of what percentage of their software is organic, COTS or open source, so that information alone is very powerful. We can also overlay this data with the risk signature in specific areas, such as IP/copyright infringement, quality, security, etc.
The open source paradigm is no longer a social experiment within our software community. It’s here to stay and offers powerful mechanisms to leap ahead in tackling a new revenue opportunity for your company, or better yet, to start your own company with substantially less overhead or the investment needed to get to market. But, heed the warnings and proceed with caution to make sure that you control the inherent risks with open source, so that in the end you can conquer the world and crush your competition!
Vice President, PSC