Open source still looking to shake off concerns

Security and intellectual property issues remain despite exploding popularity

By Ellen Messmer, Network World
August 25, 2008 12:05 AM ET

Although open source software has gained a place in enterprise networks alongside proprietary software, it can't seem to shake doubts about security and intellectual-property issues that have long dogged the movement.

"The advantage of open source is that no single entity has authoritative control over a project," says Mark Driver, an analyst at Gartner. "There's no single choke point." One theory holds that because it's open source, software security problems can be discovered quickly, he says. "But one argument says open source is less secure and people can put bad things in it, and that's true, too," he adds.

Whatever the doubts, the open source movement, now counting in the tens of thousands of "communities" of volunteer software developers, is coding en masse to yield a bounty of operating systems and applications. Open source is not only here to stay, it's transforming traditional commercial software practices.

Open source software components are being worked into commercial software through tools such as Eclipse and NetBeans. The Linux operating system isn't only becoming a corporate favorite, as is evident at Wall Street firms today, but middleware applications such as Geronimo, JBoss, MySQL and Hibernate also are becoming commonplace in the enterprise.

Gartner estimates that by 2013, 80% or more of commercial software in production will have elements of open source.

The trend today is for IT managers in business and government to try to assess each open source software project by the company it keeps, critically viewing the maturity of each community in maintaining its code base by adding extensions or fixing bugs. If established vendors such as IBM, Red Hat and HP are involved in supporting the software, that's usually seen as a plus.

The most ambitious open source adopters for business use still tend to be the "technology aggressive," Driver says, because they have an internal R&D team that can support it, or they will hire support from vendors.

So what remain the more pressing security and intellectual-property implications?

One main question is how security vulnerabilities are discovered and fixed. There is often a different methodology at work than can be found with closed source, proprietary software vendors.

Microsoft — once close-minded, wary and stubborn about accepting advice from any outsider about discovered security flaws in its products — has gradually opened up over the years to establish clear lines of contact with security experts to discreetly share critical information about vulnerabilities they discover.

Microsoft's latest effort in this area, unveiled this month, draws security vendors even closer to the Redmond giant, promising a select group of them access to vulnerability data well in advance of Microsoft's monthly security advisories so their software remediation products can be ready at the moment of Microsoft's public notifications. Microsoft says it's doing this to thwart hackers exploiting vulnerability information to design zero-day attacks.  
