A senior software engineer with a big interest in information security
Whether you are looking for a document management system or a development framework for your next business application, you will probably be considering some opensource options (well.. most of the time). However, picking the choice that best fits your requirements doesn't necessarily make it a safe choice.
Imagine a company has been using a system (could be an ERP, CRM, DMS, ESB…) for a couple of years, and that system relies on a framework or third-party modules whose provider one day announces that in the near future the framework will stop receiving maintenance updates, or that the next version will be released under a different opensource license with more restrictions [Opensource licenses in a competitive environment]. What would the stakeholders decide? Put the use of the system on hold, or continue with it and accept all the risks while preparing alternatives? Either way there will be a cost to pay, and business continuity will suffer unavoidable issues.
So how do you protect the business if your company chooses to adopt opensource software?
Here are three aspects that should be taken into account when looking for a solution among opensource software.
People with different profiles contribute to open source for different purposes.
There are hobbyists and volunteers who love to write code and make production-ready software for free, and there are professionals who also build solutions for free but aim to sustain their activity by offering paid support or receiving funds from different sponsors.
Dedicated contributors have a clear, long-term plan for their software. Some of the indicators that the project has a dedicated team are:
- The software has an LTS version (long term support) or something similar.
- The software project is run mainly by full-time team members.
- The documentation is comprehensive, well organized and updated regularly; this shows how seriously the team takes the project.
An open source community is composed of contributors and end-users; they use forums, blogs, bug trackers and messaging applications to share their experience with the software.
An active community with frequent interactions from the contributors is a good sign that the software has a solid support foundation.
This means the concerns and bugs you encounter have a high chance of being solved in the shortest time, which in turn brings confidence to the business.
Some of the indicators that you can look for are:
- The community is heavily interacting through third-party platforms like Stackoverflow; this could be the ultimate indicator!
- Contributors and developers are active on forums and blogs; a two-year-old blog post with recently answered comments can prove the team is still on board.
For most opensource software, there is a list of companies who use that software. Opensource software that has renowned companies in its 'who is using it' list proves how capable the software is of earning trust from its users.
The list doesn't have to include Fortune 500 companies; however, a mix of companies from different industries is a good sign that the software is reliable and safe for the business.
Some may conclude that the three points are closely tied together, and this is indeed true in most cases: for instance, opensource software that has high-profile users is very likely to have an active community and dedicated contributors. However, other opensource software that has visibly dedicated contributors and an active community has a good chance of attracting the attention of high-profile companies without having them as actual users.
The point is to check each aspect individually and avoid early conclusions.