Open Source Software Carries Hidden Costs
Open source software can save bundles in licensing and development costs. Whether you’re using the open-source Linux operating system or a content management platform like WordPress or Drupal, open source software provides quality tools for little or no cost.
But that doesn’t mean it’s free.
“It’s free – like a puppy,” said Scott Gregory, deputy director of the Office of Digital Innovation for the State of California’s Department of Technology (CDT). “You’ve still got to give it shots. You’ve still got to care for it.”
For information technology departments, that means ensuring that system updates and security patches are installed and that applications and plug-ins remain up-to-date. And when something goes wrong, it’s you, the IT manager, who’s responsible for getting it fixed.
What Open Source provides is a means to focus resources. The New York Times and CNN, for example, both use WordPress to host their blogs. Roughly one in four websites runs on WordPress (so does GovTechWorks) because that large installed base has created a vibrant worldwide community that’s constantly developing add-ons, extensions and improvements. Some are free, some are not. But either way, users have a lot of options.
That’s the magic of open source software.
CDT has built procedures and protocols to test open source WordPress plug-ins for an internal web publishing platform, centralizing a mandatory review process before any extensions are made available to its IT community. That testing takes time, money and resources – another reason open source software is not totally free.
Not all open source software is equal. Gregory studies every open source solution he examines to determine the strength and reliability of its user community. The larger and more active that community is, the more reliable the software will be. In addition to WordPress, he cited Drupal, a content management system with millions of actively engaged developers, as another good example.
Once open source software is cleared by the California Technology Department, Gregory said, the state tries to make it easy for users to try it out. A state-run Innovation Lab offers a secure cloud where government developers can build tools and applications using Open Source software, testing them in a virtualized environment. That sandbox gives developers an opportunity to see how things work without putting real systems at risk.
Eric Mill, a senior advisor on technology for the GSA’s Technology Transformation Service (TTS), said that while Open Source is a critical piece of what the service is trying to do – push down costs and streamline development timelines – it is not a cure-all. There are no great open source email systems, for example, so there may be no escaping large-scale proprietary solutions.
But Open Source excels in many areas. Much of the web and web services are built on open source software, he noted, so if a project involves creating and publishing a web site, his team is likely to do it using open source tools.
Case in point: analytics.usa.gov is a site that aggregates and displays web traffic on federal web sites. The site programming was written to keep the user-facing front end separate from the data-crunching back end, making it easier for others to reuse parts in subsequent projects. Code for the site was shared on GitHub, a site popular with developers for sharing open source software.
While a supplier of open source software, GSA doesn’t commit to supporting it all by itself. That is left to the community, which is why Mill noted that looking at the level of activity in a group is so important. If an available tool has not been updated in a while, it’s probably not a good candidate to depend on. Conversely, a lively community is much more likely to reliably support its open source platform.
For its part, GSA’s TTS actively contributes to the communities it draws from, illustrating how open source support works: people and organizations notice a problem, work out a fix, test it, and then give it to others.
Mill said such support communities are like an ecosystem in which everyone potentially has a role. “If you have the capability to participate in that ecosystem, then that’s something you can consider doing. The community, which in a lot of cases may be other companies, is collectively the support system for that project,” Mill said.
There’s also another important element. Since WordPress, Drupal, and Linux are all well-known and widely used examples of open source software, the support demands are high. However, most open source tools are much less widely used and may be much more specific to the problems they solve. Such tools do not have the same community activity or need the same level of support as the big boys.
As for where Open Source may be headed in the future in a public sector context and what that means in terms of support, Ann Duncan, chief information officer of the U.S. Environmental Protection Agency (EPA), said, “One of the things we’ve been trying to embrace is using open source software as much as we can, as much as makes sense in our work.”
Open Source programming is considered for all new programs and those undergoing complete replacement, she added. The motivation? Often the end result saves money, even if it’s necessary to purchase support.
The EPA has some specialized needs, such as its regulatory responsibilities. But it also has many business processes no different than what is used elsewhere, Duncan said. Those processes could have possible open source solutions.
What’s important for everyone to understand is that the security of Open Source applications has to be treated as “unknown.” By definition, its sources are “untrusted.” And although the largest communities work hard to police themselves, there’s always the chance a bad actor could inject nefarious code into an Open Source platform.
“DHS recognized the need for Software Security early,” said Bernie Thuman, principal software solutions engineer with integrator General Dynamics Information Technology. “They created CarWash and SWAMP – their equivalent of security scanning to help ensure the integrity of commercially developed applications.”
Open Source offers the opportunity for customization, which can be both a benefit and a curse. The allure of tweaking software to fit particular use cases is powerful, but can turn an open and supported system into a one-off solution. Eventually, the level of customization may reach a point where moving to the next version of the underlying software becomes effectively impossible.
Duncan noted that every place she’s worked considered itself special and deserving of specialized solutions. But in most cases users should adapt to new systems, not the other way around, if they are going to reap the greatest benefits of Open Source. Every organization hires people, pays bills, handles expense reports and the like. These are processes that lend themselves to open source solutions.
“You make that business process fit the software rather than the other way around, because software generally is going to follow industry best practices,” Duncan said. And save precious development resources for truly mission-critical requirements.