Open source vs. closed source - what does a company need to consider?
Jan 23, 2022
There is a charming idea behind open source: a developer makes the source code of their software available to the general public. The community may use the code free of charge, check it for errors, modify it and develop it further.
Great software projects have already been created in this way. The entire Linux operating system, for example, is based on open source. This in turn has given rise to impressive derivatives, such as Ubuntu, Red Hat Enterprise Linux and Debian, and variations such as the Android smartphone operating system.
For the developers, this need not be a purely hobbyist activity. Often the projects originate from research and teaching, and a sufficiently popular project frequently opens doors for its programmers at well-known companies. Software giants such as Google maintain their own departments to promote open source.
But as is so often the case in life, the proverbial coin has more than one side. Many open source projects have found their way unnoticed into software solutions in the professional environment, often not even to save costs, but simply because the open source software does its job well. This ubiquity in turn makes the software an attractive target for attackers. At the moment, for example, a security hole in the Java library log4j affects an incalculable number of commercial and free software products. This should be reason enough for those responsible to weigh the advantages and disadvantages of using open source in companies.
Open source and closed source - where are the advantages and what are the disadvantages?
Software development today rarely starts from scratch. Many developers fall back on ready-made libraries and modules from their programming language's ecosystem. Projects are therefore often a mixture of open source and non-open source, so-called proprietary, software. In general, though, each model has its own advantages and disadvantages.
Open source advantages:
- Free availability
- Time savings through the use of ready-made modules
- Bugs and security gaps are often quickly noticed by the community
- Transparency of function through traceability of source code
- Good development opportunities through so-called peer review (such as tips and suggestions for improvement from other developers)
Open source disadvantages:
- No guaranteed support
- No guarantee that the software has really been tested for bugs and security holes
- Projects can be discontinued unexpectedly
- Widely distributed software becomes a worthwhile target for attackers
Closed source advantages:
- Fixed contact person and support available
- Guaranteed update cycles and security patches
- Better protection of the developers' intellectual property
- Often more targeted customization to meet customer needs
- Developers are funded directly from the project and can focus on it
Closed source disadvantages:
- Higher costs, often with follow-up costs for licenses
- The software is usually a "black box"; its functionality cannot be inspected
- Errors in specialized software are often only discovered late (at the customer)
- Dependence on a commercial manufacturer
What types of open source licenses are there?
Even if a developer makes their software available to the general public, they naturally do not lose the copyright to it. Accordingly, there are various open source licensing models, and companies should find out in advance under which license the software they use was published. Widespread licenses include:
1. GPL: The best known is the GNU General Public License (GPL). It exists in different versions; GPLv2 and GPLv3 are common. The software may be used, viewed and modified free of charge. However, modifications may only be published if the developer also places them under the same free license (so-called copyleft).
</gra_replace>
<gr_replace lines="34" cat="clarify" orig="2. BSD:">
2. BSD: The "Berkeley Software Distribution" license developed by the University of Berkeley also makes the source code freely available, and it may be used in commercial products. However, the attribution of the original developer and a disclaimer excluding any warranty claims must always remain included. Modified software must also be placed under the BSD license, but its source code may remain secret.
2. BSD: The "Berkeley Software Distribution" developed by the University of Berkeley also makes the source code freely available. It may be used in commercial products. However, the note to the original developer and a liability clause, which excludes any warranty claims, must always remain included. Modified software must also be placed under BSD license, but the source code may remain secret.
3. MIT: The license of the Massachusetts Institute of Technology contains no obligation to publish the source code used under a free license. Software licensed this way can therefore be used in commercial closed source projects.
4. Apache: The Apache license also permits further use in commercial software. A reference to the originator of the source code used must be included, and the license text must be distributed with every copy of the software.
5. Freeware: For the sake of differentiation, it should be mentioned that freeware is not necessarily open source software. Often it is simply a free version of proprietary software, and as a rule its use for commercial purposes is excluded in the license terms.
In which application scenarios does open source software make sense?
In this day and age, hardly anyone would think of spending money on a web browser or a ZIP program. For individual, clearly defined tasks, the use of open source not only makes sense but is almost without alternative. Accordingly, software such as Firefox, 7Zip and Notepad++ can certainly be used in companies without hesitation. The important thing here is that there is no "proliferation" of different software. If possible, the person responsible for IT should determine and specify the software. In the next step, they can then keep an eye on the development of the corresponding program and react to security risks in good time.
In addition, the use of more complex applications should be checked thoroughly in advance, particularly if key company functions such as accounting or production processes depend on them. Such use makes particular sense if the company has a developer with sufficient knowledge to fix any errors that occur themselves if necessary. Even if free operating systems such as Linux are to be used, it is important to have permanently available, experienced administrators. A compromise can be the enterprise offers of "Red Hat" or "Suse", which guarantee professional support for a fee. The more specialized a requirement becomes, the more likely it is that there is no "off-the-shelf" software for it anyway. This certainly applies equally to open source and closed source.
Open source and security
In theory, there are good arguments why open source is more secure. These include the already mentioned debugging by the community and the more efficient testing for errors that comes with wider distribution. In return, however, arguments can also be put forward which present closed source software as the more secure alternative. For example, attackers must first decompile the program at great expense if they want to examine its code for errors and exploit them for malicious purposes. Permanently available support with patch management can also increase security.
However, practical experience shows that serious security vulnerabilities regularly occur in both commercial and free software. The Log4Shell exploit, for example, can be set alongside the security vulnerability in Microsoft's Exchange servers that occurred at the beginning of 2021. So, above all, it is important to select software consciously. The selection and permanent checking for known security vulnerabilities are therefore an essential part of a company's security concept. Incidentally, software can also be specifically tested for vulnerabilities in penetration tests.
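The two recurring recommendations of this article, knowing in advance under which license each component was published and permanently checking the software in use against known vulnerabilities, both start from the same thing: an inventory of the components a company actually runs. The following script is an added example and not part of the original article or of any project it names. It keeps a small inventory, checks each entry against a company license policy (copyleft versus permissive, as described in the license section) and against advisories that name an affected version range. Every component name, version, license string and advisory identifier below is constructed for illustration; the "ADV-EXAMPLE-…" ids are placeholders, not real advisories, and the version parser deliberately ignores pre-release suffixes, which is a simplification.

```python
"""Added example: checking a software inventory against a license policy and
against known-vulnerable version ranges.

All component names, versions, licenses and advisory entries in this file are
constructed for illustration and do not describe real software or advisories.
"""
from __future__ import annotations

from dataclasses import dataclass

# Licenses that require modifications to be published under the same terms
# (copyleft). Constructed policy list for this example.
COPYLEFT_LICENSES = {"GPL-2.0", "GPL-3.0"}
# Licenses that may be used inside closed source products (permissive).
PERMISSIVE_LICENSES = {"MIT", "BSD-3-Clause", "Apache-2.0"}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str
    system: str  # where the component is deployed


@dataclass(frozen=True)
class Advisory:
    advisory_id: str    # placeholder id, not a real CVE number
    component: str
    affected_from: str  # first affected version (inclusive)
    fixed_in: str       # first version that is no longer affected (exclusive)


# Constructed inventory: the same library appears twice, once patched.
INVENTORY = [
    Component("examplelib-logging", "2.14.1", "Apache-2.0", "billing-app"),
    Component("examplelib-logging", "2.17.0", "Apache-2.0", "web-frontend"),
    Component("examplelib-archiver", "1.3.0", "GPL-3.0", "billing-app"),
    Component("examplelib-json", "4.2.0", "MIT", "web-frontend"),
    Component("examplelib-ui", "0.9.0", "Vendor-EULA", "web-frontend"),
]

# Constructed advisories with placeholder identifiers.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "examplelib-logging", "2.0.0", "2.15.0"),
    Advisory("ADV-EXAMPLE-0002", "examplelib-json", "4.0.0", "4.1.5"),
]


def parse_version(text: str, width: int = 3) -> tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically.

    Comparing version strings lexically is a classic mistake ('10.0.0' < '9.9.9').
    Leading digits of each dotted piece are kept; a pre-release suffix such as
    '-beta9' is dropped (a simplification of this example). Missing pieces are
    padded with zeros so (2, 14) and (2, 14, 0) compare equal.
    """
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    parts.extend([0] * (width - len(parts)))
    return tuple(parts)


def is_affected(component: Component, advisory: Advisory) -> bool:
    """True if the component's version lies in [affected_from, fixed_in)."""
    if component.name != advisory.component:
        return False
    version = parse_version(component.version)
    return parse_version(advisory.affected_from) <= version < parse_version(advisory.fixed_in)


def vulnerable_components(inventory, advisories) -> list[tuple[Component, Advisory]]:
    """Every (component, advisory) pair where a deployed version is known vulnerable."""
    return [(c, a) for c in inventory for a in advisories if is_affected(c, a)]


def license_findings(inventory, closed_source_product: bool) -> list[tuple[str, str]]:
    """Flag copyleft components in a closed source product and unknown license terms."""
    findings = []
    for c in inventory:
        if c.license in COPYLEFT_LICENSES and closed_source_product:
            findings.append((c.name, "copyleft: modifications must be published under the same license"))
        elif c.license not in COPYLEFT_LICENSES | PERMISSIVE_LICENSES:
            findings.append((c.name, "license not on the approved list: check the terms before use"))
    return findings


def report(inventory, advisories, closed_source_product: bool) -> list[str]:
    """Human-readable lines for the person responsible for IT."""
    lines = [f"{c.system}: {c.name} {c.version} affected by {a.advisory_id} (fixed in {a.fixed_in})"
             for c, a in vulnerable_components(inventory, advisories)]
    lines += [f"{name}: {reason}" for name, reason in license_findings(inventory, closed_source_product)]
    return lines


if __name__ == "__main__":
    for line in report(INVENTORY, ADVISORIES, closed_source_product=True):
        print(line)
```

Run against the constructed inventory, the report flags the unpatched logging library in "billing-app" but not the patched copy in "web-frontend", flags the GPL-licensed archiver for a closed source product, and asks for a manual check of the vendor EULA. In practice the inventory would be generated from the build system or package manager and the advisory list fetched from a vulnerability feed; the comparison logic stays the same.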