Reports surface almost daily pointing out the security loopholes in open source projects, some of them quite serious. Factors that increase the security risks with open source:
• The source code is readily available for hackers to analyze and exploit, thus increasing the attack surface of the product
• Vulnerabilities reported by users on public support forums are also open to scrutiny and exploitation
• Users who install open source using default options frequently fail to implement even rudimentary security precautions, such as changing the default password or removing the install directory which may point to sensitive database or network information
• Because of the community development of open source projects, inadequately screened third parties may be allowed to submit add-ons or even make changes to the production code base, hiding viruses or root kits that can spread quickly and infect many customer systems before the vendor can discover them and fix the problem
• The CE version of a FOSS product provides no guarantees as to the timing or adequacy of security fixes, or any recourse for customers on the receiving end of an exploit
To be fair, no software is ever released totally free of security vulnerabilities and FOSS vendors usually rush to close security holes as soon as they are discovered. Still it is important to factor the increased risks into the decision-making process and take steps to close as many security holes as possible by changing default installation directories and passwords, hardening or even isolating severs hosting open source content, and repeating the same process for any database components. If taking these steps does not produce a code base that complies with corporate security policies, you may need to switch to a commercial, closed-source license.
4. Beware of the potential impact on intellectual property
While No. 4 on this list, analyzing the impact of FOSS products on intellectual property may in fact weigh in as the No.1 consideration for corporate decision-makers. "It's all about copyrights," says independent intellectual property expert and attorney Jill Bowman. "Incorporating open source can dramatically affect the value of intellectual property and may diminish or destroy the value of the product that incorporates open source." Among the legal hurdles she cites:
• Open source licenses written colloquially, with the original intent of conveying clarity, may actually be more difficult to interpret legally.
• Performing due diligence and tracking genealogy is more challenging on a code base that may contain multiple authors and open source licenses.
• Open source licenses raise serious legal questions about how and under what terms, or even if, the licenses may be assigned.
• Difficulty in determining the compatibility of multiple licenses contained in a single product, and ensuring that the outbound license doesn't convey more than the inbound license
"It's really a matter of choosing the correct open source license," Bowman says. "Buying a commercial license can solve many of the legal issues."
Despite its challenges, FOSS has been shown to offer substantial benefits for organizations under a great variety of business models. The key to successfully managing open source is to fully explore not just the benefits, but also the risks and hidden costs, preferably before committing substantial time and resources to open source initiatives.
Perschke is co-owner of two IT services firms specializing in web hosting, SaaS (cloud) application development and RDBMS modeling and integration. Susan also has executive responsibility for risk management and network security at her companies' data center. She can be reached at email@example.com.
Read more about software in Network World's Software section.