Before the dotcom bubble burst in the early 2000’s, “irrational exuberance” drove stock valuations for internet companies that offered free services to new highs. At the height of the mania, my dad asked me, “How do these companies make money?” I explained that they would eventually find a way to monetize, or how they would make money off advertising. I felt like he just didn’t get it or that he was stuck in the past. However, I soon learned there was wisdom in his probing question. The companies that didn’t have a solid business plan to derive value from their free services eventually ceased to exist. But while some of the first internet business models didn’t work, that doesn’t mean the basic premise wasn’t workable. Google, Facebook, and even Amazon have leveraged free services to disrupt the business landscape in ways that have forced pre-dotcom industry giants, such as IBM and Microsoft, to adapt and conform.
There are many parallels here to the story of open source software. Open source software is available at no cost, with few barriers to accessing or modifying it. This is very much in line with the internet business model: open, accessible, and speedy. Open source is not a new concept, but it is going through an evolution of its own. Traditionally closed source companies now see open source as more than free software and are adapting to this new business paradigm. In this blog, we will explore why, how we got here, ways companies benefit from free software, and what this means to developers and security teams.
The Value of Open Source for Companies
Most companies are not investing in open source for purely charitable reasons, as great as that would be. Back to my dad’s question, “How do these companies make money?” In the case of open source business models, not all benefit is monetary. The benefit can be increased adoption of software, marketing, blocking a competitor, influence over industry standards, shared development, or recruitment of top engineering talent.
How HeartBleed Elevated the Open Source Conversation
Open source used to be seen as a source of free labor (software) for many people and companies. This started to change in 2014, when the HeartBleed vulnerability exposed the frail condition that the OpenSSL open source community was in without proper support from the people who use it. This vulnerability was the direct result of inadequate investment in the OpenSSL open source community to support the level of usage by major businesses. At the time, OpenSSL only had the equivalent of two full-time developers to write, maintain, test, and review 500,000 lines of code that were critical to multibillion-dollar businesses.
Open Source is About Giving Too
HeartBleed helped major software companies and the rest of the business world realize how important open source is to their business. Most companies benefit greatly from open source projects and stand to benefit more from investing a little more in the projects than they would by writing or buying similar software. Since then, companies like Google started investing in bug hunts for open source projects to help get them much-needed QA. In addition, Google, Lyft, IBM, and others heavily invested in major open source projects like Kubernetes to influence standards and the open source landscape, and to prevent other cloud providers from building similar proprietary software. Even historically closed source companies like Microsoft have done an about-face and started to become major open source contributors. At the Red Hat Summit earlier this month, IBM’s CEO made it clear how critical open source is to their strategy and how IBM will adapt to Red Hat, and yes, everyone agreed $34B is a lot of money.
The Age of Shared Development
Open source has changed software development from individual businesses purchasing or building everything they need in-house to a modern, complex, interdependent open source ecosystem where businesses share development of open source projects that are mutually beneficial. This way, a single company doesn’t need to shoulder the entire development cost or have all the skills needed for the project. Thus the benefit of open source is not directly monetary; it is the cost savings from offsetting development costs for large and complicated projects.
Closing Thoughts
Open source is still evolving as companies start to understand its value and find ways to integrate it into their business plans. While open source software may not require a purchase order, subscription fees, etc. to use, there are other indirect costs and benefits. For example, a company might need to donate developer time to add features or QA an open source project they depend on. Organizations may see indirect benefits from investing heavily in open source software and then giving it away, ranging from gaining influence or market share and offering paid support to increased usage of their cloud platform or other revenue generator.
But that’s not the point – for developers like us, open source gives us more options (some may say a bigger box of Legos), more to leverage, and the ability to build bigger, more complex solutions faster, and even make them more secure in the process.
John Walsh has served the realm as a lord security developer, product manager and open source community manager for more than 15 years, working on cybersecurity products such as Conjur, LDAP, Firewall, Java Cryptography, SSH, and PrivX. He has a wife, two kids, and a small patch of land in the greater Boston area, which makes him ineligible to take the black and join the Knight’s Watch, but he’s still an experienced cybersecurity professional and developer.