How Cloud and SaaS are Actively Disrupting Open Source
Open source software (OSS) has driven technological growth for decades due to its collaborative nature and ability to share information rapidly. However, major OSS security vulnerabilities like Log4j, Heartbleed, Shellshock and others have raised concerns about the security and sustainability of similar projects. At the same time, major open source-based companies have changed their OSS licenses, like MongoDB, Elastic (formerly ElasticSearch), Confluent, Redis Labs and most recently, HashiCorp.
In this blog, we’ll examine recent events and trends behind the evolution of open source software, explore its future and discuss what organizations can do to protect themselves.
Community Driven Open Source Software
The most famous early example of community-driven open source is GNU, which stands for Gnu’s Not Unix. GNU is a major component of Linux, and it was born out of Richard Stallman’s frustration over not being able to modify his printer software code to provide customizations and improvements. Stallman wanted unrestricted and free (of cost) software that he could update, maintain and customize himself with other community members, so he created GNU and the GNU General Public License or GPL – one of the most popular and permissive OSS licenses – which is the inspiration behind many open source licenses and projects today.
In the example of the GNU project, it’s important to understand that the user community is taking responsibility for developing, maintaining, supporting and providing security patches – the idea was not for anyone to use without helping to keep it going because that isn’t sustainable. Kubernetes, Linux, Apache and CNCF projects are good examples of community-driven projects.
Vendor-Driven Open Source Software
Vendor-driven open source software projects are more centralized and driven from the top down, with a single software vendor providing most of the software and maintenance. In this case, the user community may contribute some customizations, support and patches, but the bulk of the expense and burden remains with the software vendor. This model is a go-to-market (GTM) approach that relies on converting community users to premium, paid features or services to generate revenue that will offset the costs of building and maintaining the OSS version.
Industry and Technology Trends Driving Open Source Disruption
When GPL and other permissive OSS licenses were first conceived, few envisioned the impact that cheap cloud computing resources and fast broadband would have on the OSS landscape. Now, we are seeing the ripple effects of SaaS and how it impacts vendor-driven open source projects like MongoDB, Elastic, Redis Labs and, most recently, HashiCorp, which changed its OSS licensing, angering its user community.
Several vendor-driven open source projects have had difficulty monetizing enough of their user community to offset expenses. Adding further financial pressure, the growing popularity of SaaS has inspired companies to offer SaaS solutions built from OSS versions of their competition, monetizing the work of the competition and further reducing the incentives behind vendor-driven OSS projects.
The Future of Open Source Software
Vendor-driven open source offerings are advertised as a way for users to get started. However, migrating from a self-hosted OSS solution to the enterprise version can be more complicated or expensive than initially expected, leaving users uncomfortably stuck on the open source version while still needing the paid features. This is one area where SaaS should and will replace OSS: when a user is looking to start small and grow with a solution, there is no need for a migration path or the added expense of engineering resources to support and maintain the solution.
The future doesn’t look promising for vendor-driven OSS projects built purely for monetizing the offerings; these projects will become more restrictive and put more of their development efforts behind paid features.
As Mark Twain once said, “History never repeats itself, but it does often rhyme.” This is true when it comes to the future of open source projects, because the path forward is similar to the printer example we mentioned earlier – these projects will be primarily driven and supported by the user community. To maintain viability, community-driven OSS projects need more backing from the user community to provide the required security patches, maintenance and support. Unfortunately, not all of these projects are supported the way they need to be, as security vulnerabilities like Log4j, Heartbleed, Shellshock and others threaten the security and sustainability of community-driven open source projects. CISA’s recent announcement of a new OSS security roadmap underscores these concerns.
Impacted by Open Source Licensing Changes?
Are you looking to centralize human and non-human access? If your organization uses an OSS vault solution, you likely have many questions about the latest license changes and want to explore your migration journey.
If so, join us on Sept. 27 for our webinar covering the recent open source news and next steps for centralizing human and non-human identity security.
John Walsh is a senior product marketing manager at CyberArk.