Mitigate the Cost and Risk of Developing on Open Source Software

关键词：降低成本、规避风险
The star performer in many enterprise IT shops is open source. Twenty years ago, who could have predicted the billions of dollars in value generated by contributions to Linux and the Apache Foundation alone, much less the ecosystem of projects that have grown up into mature software products around it?

Open source software is a beautiful thing. Practically free, transparently brought into the world, and hardened by concerned communities of developers. But developing your own business software on top of open source is not all “Kum-ba-ya” and sunshine. This free software isn’t entirely free or without risk.

Get ready for a show, because open source development can come with some drama attached.

Companies embarking on critical business projects that utilize open source need to weigh the hidden costs, quality risks, and challenges of working with this now mature, but entirely unique class of software.

Behind the Scenes: Cost or Quality Motivation?

The market has spoken. More than 98% of developers now say they use open source software in their job. Many enterprises are following this demand, making a strategic decision to leverage open source frameworks and tools for development and testing efforts, wherever they make sense.

Open source software is no longer solely the domain of hardcore DIY development. By contrast, many open source DevTest tools have usability that approaches commercial quality as each product is improved and hardened by the community and commercial open source firms—and well-cataloged with free libraries and templates in GitHub and elsewhere.

We’ll always have more Junit and Selenium tests ready to load. More SOAPUI and Postman code to add value on top of. More ready-to-download Maven components, and code snippets on Stack Overflow. More Jenkins build scripts and Chef recipes.

Open source innately delivered IT cost advantages versus proprietary software. The most obvious of which was eliminating draconian licensing contracts. If your teams can freely download the code and democratically use or modify these tools for their own purposes, why pay a vendor? (We’ll get to that part.)

And conversely, why are companies like IBM, Microsoft, Google and Facebook foregoing license fees to contribute their IP to foundational dev/test tools under open source licenses? Whether Eclipse or Visual Studio, Kubernetes or React, these titans are also open source believers, striving for developer mindshare and net adoption of once-proprietary ideas.

Clearly, there are more factors than bottom line license cost savings at play in this scene, or you wouldn’t see so many major vendors and commercial open source companies heavily investing in source projects.

Pay Your Dues With Premium Labor

When you build atop open source frameworks and components, you may bypass certain licensing costs, but you’re essentially investing in an annuity with your development hours as you create more assets, and dependency upon the selected toolchain.

To continue drawing value out of this investment, companies must attract and retain skilled (meaning, likely rather expensive) talent for proactively managing the use of open source products in relation to the software and services built atop them.

People who understand the interconnected nature of the company’s code with the current state of open source tools seldom have spare time, which drives an increased labor cost for implementation, configuration management, testing, and monitoring.

Fortunately, we have two levers for keeping labor costs down: contribution and automation. More than 55% of all developers now say they regularly contribute to open source projects, and indeed, most of these developers consider the freedom to contribute to open source as an essential job satisfaction element.

Allowing contribution is an incentive that helps attract and retain development employees, and pays back dividends in terms of better awareness and guidance of open source projects.

Perhaps even more significant to controlling labor costs is a relentless focus on automation, one of the core tenets of the DevOps movement. Getting better reuse of development, build and test artifacts is the quickest path to value for many companies.

“We built our Jtest and Selenic products to support open source Junit and Selenium frameworks in a vendor-neutral manner, meaning developers and testers can seamlessly plug in the Parasoft tools without becoming ‘vendor locked’.” said Mark Lambert, VP of Products at software quality firm Parasoft.

“In addition, when teams need to go beyond what open source tools, such as SOAPUI and Postman can provide, we ingest the tests from these tools and transition the team’s existing test investment into larger automated tests that span multiple tiers and go beyond REST support.”

Involvement through developer contribution with reuse and automation keeps companies ready for the sequel at all times.

Achieve Compliance Without Surprises

After dozens of high-profile software failures and data breaches, governments and industry groups are calling for higher accountability levels for software—both for data privacy such as GDPR in the EU, and industry-specific regulations such as HIPAA for healthcare, and PCI for banking.

Cybersecurity company, Sonatype, recently reported that more than 10,000 companies, including 57% of the Fortune 1000, have downloaded the same vulnerable version of Apache Struts, which exposed the massive Equifax customer data breach.

To address compliance risks, companies must provide auditable documentation of the complete software delivery process, including demonstrating secure data handling and change controls. Failure to do so can result in multi-billion dollar fines. It’s a hit to the value of a company that can even be felt in the boardroom.

That can be difficult in an environment where developers are downloading and copying billions of components and code snippets a year from open source libraries.

Continuous automated testing needs to happen at every software change event. Beyond that, you need to generate a complete report out of that process with the context to do something about any exposed failure or security risks that arise.

Let’s say your latest software delivery audit uncovers that “something is wrong” in the staging environment, and you need a patch or update to fix it right away. Who do you call?

Open Source With Commercial Support

Savvy CIOs and development leaders understand that while open source software can alleviate draconian vendor contracts and lock-in, developing solutions atop it—at enterprise scale—still requires a path forward with commercial support.

There’s always a possibility that a popular open source project goes awry or becomes yesterday’s news. What happens if the dev community moves on to greener pastures and neglects the tools they worked on yesterday?

Someone will need to be on the hook—and stand behind releases with necessary updates and assurances that the open source components in play are fit for purpose. An ecosystem of development and test vendors has formed around these considerations. At times when the customer needs to certify the integrity of the open source tools—or the enterprise-level support of the integrations, services, and tests that are running atop them—the customer can sign on with a vendor to take responsibility for success.

In addition to this new ethos of commercial-supported open source, vendors often provide a free cost-of-entry to commercial tools for individual developer education and contribution efforts. For instance, there is a no-cost “Community Edition” of the Virtualize product, so developers, testers and SREs can learn about service virtualization while building and documenting virtual test environments to promote collaboration.

The Intellyx Take

Open source frameworks may steal the show for delivering value in your IT shop while intriguing developers to get involved, but it doesn’t need to become a prima donna as a result.

Enterprises must go beyond simplistic bottom-line cost models or ROI calculations to consider the complete customer and employee experience. It’s delivered by working with an entire estate of both commercial and open source tools, while also looking to the service organizations and communities behind them to help mitigate risk.

Look for easy handholds to get started, get individual developers and testers up to speed, and reuse open source assets.

Verify and certify your environment continuously. Predictable automation and transparency will eliminate the drama of open source every time.