Debunking the myths of open-source software 


June 27, 2022

Customers sometimes ask us at Form3 about open-source software: what are the benefits, what are the risks and how are they mitigated, and how do you get the most out of it? 

For the uninitiated, open-source software is software with source code that anyone can inspect, modify and enhance. To appreciate the ethos behind it, check out my favourite bread-based analogy [1], which seems appropriate given the baking habits introduced to many households in recent years, at least here in the UK! 

In this article, we will debunk some common misconceptions about open-source software and provide our views on best practice.  

Debunking the myths 

Myth #1: open-source software (OSS) is only developed by students as a hobby 

Reality: some of the biggest open-source contributors are large software companies such as Google, Microsoft and IBM. Many skilled and experienced professionals contribute to open-source projects, not only for professional advancement but for intrinsic intellectual motivations. 

Investment in open-source projects has risen considerably in the last 2 decades; one study found that in 2004 only 9 firms producing OSS had raised venture funding, and that by 2015 this had risen to 110 firms [2]. 

Myth #2: OSS is not widely used 

Reality: Use of open-source software is widespread, with many components that are often ‘unseen’ or hiding in plain sight. For example, Chromium is used in 64.5% of web browsers [3]. Linux is another well-known example. 

Open-source software supports a wide range of use-cases: server software, development tools, web browsers, scripting languages, workflow, desktop / devices and many more. 

Myth #3: OSS is inferior to closed source or proprietary software 

Reality: Open-source software is acknowledged as a strong mechanism to achieve many corporate goals: 

  • Its modularity reduces time to market. 
  • It allows easy adaptation to meet the application needs. 
  • It can be supported indefinitely without lock-in to vendors.  
  • Its wider availability allows more consensus on what is best. 

Myth #4: OSS is less secure 

Reality: The availability of source code makes identification of security risks easier and more transparent.  

Specialisation in software has the ability to improve quality; engineers are focused on smaller problems for a larger audience. This is particularly true in cryptography where "don't roll your own crypto" is a key principle. 

Because anyone can report and fix bugs, everyone shares in the benefits of that wider availability. 

Myth #5: the risks are greater 

Reality: A degree of risk is unavoidable whether you are using closed or open-source software. There are sensible steps you can take to avoid a couple of common pitfalls: 

1. Avoid thinly maintained or out of date software: 

  • Use robust criteria for evaluating software – supported, mature industry standard solutions, that are regularly patched, and actively maintained by the community 
  • Actively engage the OSS community - conferences, seminars and forums 
  • Maintain your own repository of OSS your organisation uses, and review this regularly

2. Ensure a robust supply chain for access to open-source software: 

  • Always verify digital certificates and check downloads against the published hash 
  • Employ a regime of scanning for vulnerabilities across environments, containers, services and servers.  
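As an added example, not from the Form3 post, the following POSIX shell script puts the hash check from step 2 into practice: it verifies a downloaded artifact against a publisher's SHA-256 checksum list (and, where the publisher signs that list, checks the detached signature first). The file names, the `SHA256SUMS` layout and the sample contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Form3 post: verify a downloaded artifact against
# the publisher's SHA-256 checksum list before using it. Assumes a checksum file
# in "sha256sum" format ("<hex>  <filename>"), fetched over TLS from the project.
set -u

# SHA-256 of a file, using coreutils sha256sum or BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_signature <checksum-file>: if the publisher ships a detached
# signature (<checksum-file>.asc), check it before trusting the checksums.
# Requires the publisher's key to already be in the local gpg keyring.
verify_signature() {
    gpg --batch --verify "$1.asc" "$1"
}

# verify_download <artifact> <checksum-file>
# 0 = hash matches the entry for the artifact's basename, 1 = mismatch,
# 2 = the checksum file has no entry for it (treat as a failure, not a pass).
verify_download() {
    artifact="$1"; sums="$2"
    name=$(basename "$artifact")
    expected=$(awk -v f="$name" '$2 == f || $2 == "*" f {print $1; exit}' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum published for $name" >&2
        return 2
    fi
    actual=$(sha256_of "$artifact")
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch for $name: expected $expected, got $actual" >&2
        return 1
    fi
    echo "ok: $name matches published checksum"
}

# Constructed sample data: a genuine artifact, its checksum list, and a
# tampered copy under the same name that must fail verification.
tmp=$(mktemp -d)
mkdir "$tmp/tampered"
printf 'release 1.0 contents\n' > "$tmp/tool-1.0.tar.gz"
printf 'release 1.0 contents, modified in transit\n' > "$tmp/tampered/tool-1.0.tar.gz"
printf '%s  tool-1.0.tar.gz\n' "$(sha256_of "$tmp/tool-1.0.tar.gz")" > "$tmp/SHA256SUMS"
```

A missing entry is deliberately reported as a distinct failure rather than silently passed, since an artifact the publisher never listed should not be treated as verified.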

Myth #6: there is no support available 

Reality: commercial support for OSS is widely available through specialist companies. You may also choose to support OSS in-house. Either way, you can augment this with community support, providing an excellent service model. 

So, now we’ve dispelled the myths, let’s have a look at some best practice. 

How should we set ourselves up for using OSS? 

There are some best practices that any organisation should adopt when using open-source software: 

  • Check licence agreements; some have restrictions on what you can do with the software (e.g. non-commercial use only) but many don’t. On the flip side, hybrid open-source models exist, where the code is open source and comes with an enterprise licence; 
  • Test security patches before implementing them, especially on production systems. Ensure urgent threats being exploited in the wild are patched in a timely manner, based on risk; 
  • Get timely security and vulnerability information from specialist interest groups; 
  • Maintain a repository of open-source components; 
  • Where using an OSS component is no longer beneficial, take steps to stop its use and re-assess. 


Conclusion 

As I hope we’ve explained, open-source software is mainstream, robust and can help achieve corporate goals.  

In many cases, OSS relies on a community of users who continually help improve the quality and advance the code, giving engineers ‘skin in the game’ rather than being passive users.  

This sense of community is an essential ingredient. Just listen to episodes of the Form3 .tech podcast focussing on Hashicorp and Cilium that bring this to life. For long term sustainability, companies like Form3 collaborate to ensure open-source software continues to improve, for the benefit of all. 

by Daniel Birchwood, Customer Delivery Manager