Open source software is a major component of modern development. Using open source code empowers dev teams to accelerate their delivery timelines and ship finished products more efficiently. In a highly competitive business world, companies need all the advantages they can get. Using open source code allows product-focused organizations to achieve their goals around product timelines efficiently and effectively.
In fact, the benefits of FOSS are so recognized – save time on solving common issues in software, accelerate product delivery, and more – that organizations as large as Microsoft, Apple, and Amazon leverage open source components. It’s estimated that 70% to 90% of most modern software uses open source code today.
The problem is that the exponential growth of open source software creates new challenges and new risks for organizations looking to optimize their competitiveness. One of the biggest issues facing companies today, in fact, is with copy-pasted open source code. Should these code snippets go undetected, companies can introduce vulnerabilities, license issues, and compliance risks that ultimately hinder a strong product pipeline.
Thus, undetected open source code can result in substantial problems. But this is a solvable problem. Before that’s discussed, let’s examine the power of open source code.
Open Source Software: A Long Computing History
Open source software has a long history in modern computing. Prior to the 1970s, all software was open source and widely shared. Companies mostly focused on selling hardware, and the software products were provided as free add-ons. It wasn’t until 1969, when IBM unbundled its software from its hardware, that companies began to move to proprietary software products. This killed the idea of open source for most of the 1970s, except for a few moments like SPICE, TeX, and the Unix operating system.
Unix was distributed among academic institutions in the 1970s after its creation at Bell Labs. It couldn’t be sent to non-license holders, but in the later part of the 1970s, those academic institutions and research institutes shared code back and forth and worked to improve the operating system. This was very much the prototype for modern open source communities.
It wasn’t until 1983, when the GNU Project launched, that the open source movement was reborn in earnest. The goal of the GNU Project was to create an operating system built solely from free and open source components. By 1990, they had gotten close to launching the OS but were still using certain pieces of proprietary software because they didn’t have a free version.
The 1990s saw additional growth in usage, especially as sharing became easier with the advent of the Internet. Open source communities sprouted up online, and by 1994 the launch of Linux 1.0 meant the open source community had very strong backing. Companies and individual volunteers worked hand in hand on maintaining open source code, with certain companies creating forks to have proprietary versions of open source software to maintain their competitive advantage.
In the late 1990s and early 2000s, corporations began releasing their software as open source. Netscape released one of the first open source corporate products in 1998, and Mozilla Firefox was released not long after. The Linux Foundation was created in 2000, and the Free Software Foundation that was created alongside the GNU project in the 1980s saw its membership grow.
Today, open source communities feature professionals from some of the largest companies in the world. In January 2023, for example, nearly 1,000 Google employees participated in open source software projects. Roughly 900 employees of Red Hat participated in the same month, according to the Open Source Contributor Index. Contributions from these major corporations and bankrolling of open source communities from the same has resulted in a thriving ecosystem of open source software.
And there is substantial growth in the open source community as well. It’s viewed as a way for entry-level developers to show their skills, and provides opportunity for continued advancement for programmers at any stage in their career. The FOSS movement is going strong, and corporations have included open source in multiple major products. Open-source software is growing, and will likely continue to do so.
Open Source Software (FOSS) Benefits
Open source software offers substantial benefits to organizations who use it. Primary among these are the time savings. Using open source code in software development means that engineers don’t have to spend time solving the same problem over and over again. There are innumerable open source logging utilities, for example, and other common software components. The Apache Software Foundation, for example, has 362 open source projects under its auspices.
Developers who leverage open source software can immediately work on extending the value of these repositories rather than rebuilding the basics. This saves a lot of time in development cycles, and speeds time to market when multiple open source components are stitched together to provide basic functionality.
Moreover, open-source code benefits from having multiple eyes on it. The code is often cleaner and more stable from a functionality perspective, resulting in an overall higher quality. Bringing open-source software into a project means that it gets the benefit of hundreds of thousands of work hours from skilled engineers around the world. The end result is a higher quality build delivered faster, because of the many quality checks and the community review that open source software goes through.
Open source is also often more secure than proprietary software. Linus Torvalds, the creator of the Linux operating system, propagated the “many eyes” theory of software development in the open source community. The idea here is that open source software is publicly available and can have code changes committed from multiple quarters. Because the code is freely available for revisions and updates, white hat hackers can review and suggest security changes – thus making FOSS some of the most secure and stable software in the world.
Organizations by and large recognize the value of open source software. A recent Forrester report, for example, found that 68% of companies view open source as “very important” or “mission critical” to their digital transformation initiatives. Further, in the same study, it was revealed that 96% of companies have a policy around using open source software in their development lifecycle. Overall, it is an acknowledged truth that using open source code benefits companies across multiple dimensions. It is becoming increasingly rare to find an organization that does not, in fact, leverage open source software in some way.
The Perils of Open Source Software
For all its benefits, open source also has some drawbacks. Among these are a lack of direction in the projects, time commitment required of creators, and potential security flaws. There can also be a lack of accountability and minimal support in case of the software becoming nonfunctional.
Most open source projects began as sidework from professional programmers. When they are adopted and updated by the community, there is often no one directing the development of the open source project. This decentralization is good from a development and improvement perspective, but it’s easy for open source projects to skew off in different directions. In a sense, the community development offers the ability to have richer code, but it can be ill defined in terms of direction.
Open source software also requires a substantial time commitment. These projects are worked on by programmers often in their spare time, and require community members to spend a lot of time working on them and improving them. Tidelift interviewed developers in 2019 about how much time they spend working on open source projects, and 36% of survey respondents said they contributed more than once per week. Fully 84% of the respondent pool viewed themselves as regular contributors to open source. Only 3% of developers in the survey said they never contributed to open source projects at all.
Of the people who Tidelift interviewed, 61% contribute anywhere up to five hours of their time per week to open source projects. What’s interesting is that 25% of people surveyed would contribute more than 20 hours per week to open source projects if they were fairly compensated for the work. This is a major issue of open source software. It requires a substantial time commitment in many cases, and there is no reliable way to compensate community members for their contributions to these projects.
The decentralized nature of open source communities can also lead to a lack of accountability. There’s no single person defined as responsible for supporting the software. If there’s an issue with proprietary software, organizations can contact the corporation’s support department for resolution. With open source, there isn’t a centralized support operation. There is some support from the community if the project breaks, but overall there isn’t a single defined person who is accountable for the overall health of the project. This can be a major issue for users of open source projects.
Another issue is license compliance. Open source projects typically have specific requirements for how the code is used. These licenses can restrict how the open source code is distributed, and in some cases they might have strong implications for derivative work. License noncompliance can result in significant penalties, up to and including lawsuits for not complying with the terms of the open source software license. Noncompliance with these software licenses, even unintentional noncompliance, can thus create substantial financial and operational risk.
Security issues are also often a problem in open source software. Not every project has the large contributor base of the Linux kernel. Many have very few collaborators, which can result in issues down the road. One recent security vulnerability in an open source project that shows how big the issues can be is the Log4Shell incident of December 2021.
In November 2021, Log4Shell was discovered by a developer at Alibaba Cloud and reported to the Apache Software Foundation. The vulnerability allows attackers to execute arbitrary Java code on a computer or leak sensitive information, by taking advantage of the fact that Log4j would issue requests to arbitrary LDAP and JNDI servers. The widespread use of Log4j in many distinct pieces of software meant that hundreds of thousands of companies were vulnerable to this exploit without knowing it. Ultimately, the vulnerability was patched over time by the people maintaining the project, but this issue had existed in the logging utility since at least 2013. That it went unpatched for so long shows how Torvalds’ “many eyes” theory of security can falter.
Open source software provides substantial benefits to developers and to companies. Ultimately, however, companies need to understand the risks as well. These security issues and operational challenges mean that organizations who wish to use open source should account for them in the process of doing so.
How FossID Optimizes Open Source Software
Copying and pasting open source into your products without revision is one of the most substantial ways for compliance risks to be introduced. It’s critical to have control and visibility over all open source software components, files, and snippets in your codebase, and to ensure that they align with your organization’s strategic imperatives.
Companies need a way to detect copy-pasted code snippets in their software, thus avoiding the risks of noncompliance and countering the possible impact of security vulnerabilities. Software composition analysis products are designed to empower organizations to account for these risks through detecting open source code snippets.
FossID Workbench is designed to counter these risks of license non-compliance. Workbench scans leverage cryptographic hashes for maximum security, verifying open source license compliance without accessing your source code. It’s also supported with a dedicated research team who has collected over 150 million components from more than 60 public sources and user contribution sites like GitHub and StackOverflow. FossID’s solution is also designed to scan software and detect code snippets as small as six lines in your software.
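As an added illustration of how hash-based snippet detection can work in principle, here is a simplified matcher in Python. It is not FossID’s code or algorithm (the page does not describe Workbench’s internals): it normalizes lines, hashes six-line windows, and compares only those hashes against an index of known components, so the scanned source itself is never shared. The component name, license and sample files are constructed for the example.

```python
import hashlib
from collections import defaultdict

WINDOW = 6  # smallest snippet size the page says Workbench detects


def normalize(source):
    """Non-blank lines as (line_no, text) with whitespace collapsed, so
    re-indented or re-spaced pastes still produce the same hashes."""
    lines = ((n, " ".join(l.split())) for n, l in enumerate(source.splitlines(), 1))
    return [(n, t) for n, t in lines if t]


def fingerprints(source):
    """(first_line, last_line, sha256) for every run of WINDOW non-blank lines."""
    lines = normalize(source)
    for i in range(len(lines) - WINDOW + 1):
        block = lines[i:i + WINDOW]
        h = hashlib.sha256("\n".join(t for _, t in block).encode()).hexdigest()
        yield block[0][0], block[-1][0], h


def build_index(components):
    """{name: (license, source)} -> {hash: [(name, license), ...]}."""
    index = defaultdict(list)
    for name, (lic, src) in components.items():
        for _, _, h in fingerprints(src):
            index[h].append((name, lic))
    return index


def scan(source, index):
    """Match only hashes of the scanned file against the index; overlapping
    window hits on the same component are merged into one line range."""
    hits = []
    for first, last, h in fingerprints(source):
        for name, lic in index.get(h, ()):
            if hits and hits[-1][0] == name and first <= hits[-1][3]:
                hits[-1] = (name, lic, hits[-1][2], last)
            else:
                hits.append((name, lic, first, last))
    return hits


# Constructed sample: a pretend MIT-licensed helper (hypothetical component
# "tiny-retry"), and a proprietary file into which it was pasted re-indented.
OSS_RETRY = "def retry(fn, attempts=3):\n  last = None\n  for _ in range(attempts):\n    try:\n      return fn()\n    except Exception as e:\n      last = e\n  raise last\n"
PROPRIETARY = "import logging\n\nlog = logging.getLogger(__name__)\n\n" + OSS_RETRY.replace("  ", "    ") + "\ndef main():\n    log.info('starting')\n"
INDEX = build_index({"tiny-retry": ("MIT", OSS_RETRY)})
```

Calling `scan(PROPRIETARY, INDEX)` reports the pasted helper as one match spanning lines 5 to 12 of the proprietary file, which is the information a software bill of materials needs.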
Workbench then allows users to build a software bill of materials and ensure license compliance right within the product. FossID customers gain complete visibility into their open source software components, including the ability to deploy open source policies and understand any security risks inherent in the code. This provides the full visibility needed to maximize the benefits of open source and minimize the risks of using prebuilt FOSS components within your proprietary software product.
At FossID, we understand the complexities and importance of detecting snippets in your codebase. Our Software Composition Analysis (SCA) solution provides the highest level of open source detection capabilities and is designed to meet the strict requirements of license compliance, privacy, and confidentiality. Our goal is to help organizations streamline their open source software management process, reduce risk and complexity, and maximize growth and competitive advantage.
We want to enable customers to make the most of the benefits that open source software brings. We do this by enabling them to find as much open source in their code base as possible, so that they are in control of their software product or service and have the means to police and mitigate compliance and security risks.
FossID Workbench was developed to counter the problem of license noncompliance through radical visibility. By creating strong software bills of materials through software composition analysis, FossID empowers customers to comply with licenses, understand security vulnerabilities, and ultimately craft richer software for their users. Truly with FossID, companies can maximize the benefits of open source and minimize the risks.
From its roots in the 1960s to its renaissance in the 1980s, open source software has a long and storied history. Companies who use it save money and get higher-quality code that accelerates their development pipeline. Open source software is enormously beneficial to organizations seeking to streamline their development processes. Many, many companies make use of this code to save money, save time, and ultimately bring in higher quality code overall. Within those benefits, however, are the risks of license noncompliance, security vulnerabilities, and interruption to the development pipeline from unintended consequences.
Regardless of the issues, open source is here to stay. FossID was developed to empower companies to make the best products they possibly can while also accounting for open source licensing and other compliance risks. Using open source can and should be straightforward for companies. FossID helps make it that way.