Some commentary on a recent survey commissioned from my work, VMware.

Unsurprisingly, open source is used by almost everyone. When it comes to what I care about software development, open source is indispensable. In fact, it’s hard to imagine a developer who only uses closed source software, if not whole systems like kubernetes or Cloud Foundry for running their applications. It’d almost be impossible. 

And, indeed, in our State of the Software Supply Chain survey this year, 2022, 90% of respondents said they were using open source in production.

Still, I wonder what those other 10% are doing! 

Do they write all their own software? They’re not running Linux in production I guess, either. 

What’s holding those 10% back?

• 44% selected we’re still figuring out how to manage OSS in production. 
• 38% chose we don’t see sufficient support for open source software in production environments
• 34% chose we don’t trust open source software for production environments.

Benefits

There’s so much they’re missing out on. For all this praise about open source for me, what are the benefits of using open source? 

80% of people said reduced costs. Now, a lot of people will tell you that open source isn’t free. What they mean is that the cost of labor to use and maintaining it (upgrading and security patching) in staff time and pay…but clearly people are benefiting from open source overall being cheap. And, of course, many companies pay for commercial support and closed source tools for the open source stuff they use.

Cost was also the number one benefit in our 2021 survey. 

The other benefits were flexibility, support from a large community, and developer productivity. 

All of these are the promises of open source and what we’ve come to expect over the decades. Indeed, if you look the reasons people chose open source and then the benefits they got, those expectations pretty much line up. For example, 50% of people said they expected developer productivity as a benefit, and 52% got that benefit.

Problems: Security

Let’s look at the concerns people have. 

Security is what we should really dig into since it’s such a big concern. Now, I don’t think the concerns about security mean that open source is NOT secure. I don’t really think that’s the case at all. I think open source tends to be as secure as any other type of software, closed or run in the public cloud. What’s important is that you have the right process, packaging, and management in place. Again, this is important for anytime of software. Open source software is as secure, or, if you like, as insecure as closed source software. Make sure to get the right tools in place.

I want to add my own criteria for using open source that you should consider: make sure there’s a thriving, well supported community that you can depend on for the long-term. There’s two reasons for this: you want to make sure you’ll get community-based support when you’re learning how to use the OSS and troubleshoot it. Also, you want to make sure over the years that new, innovative features are added.

A thriving community will address these criteria.

Packaging and management

What you want to do is make sure that community and the vendors and cloud services you work with prioritize getting updates and patches out for their open source packages and services. And this is about more than “security”: it’s just upgrading to new versions of the projects you use to get new features and performance improvements. 

You want to have the processes and tools in place to deploy those updates as soon as possible, ideally without taking down production and stopping the business from running.

The container-based applications that run in kubernetes and Cloud Foundry - both open source! - provide excellent ways to do this nowadays. For example, the US bank Wells Fargo runs many applications in containers and because of how open source is packaged and managed in their platform, they’re able to deploy updates multiple times a week without disrupting their applications and, thus, business. I’ve seen this across banks, government agency, retailers: you name it.

So what you see in our second survey, here, is that with the right tools and process in place, and managing how your open source is packaged, you can get tremendous benefits from cost savings to developer productivity. The added bonus is that these same controls for open source can be applied to your own code and software. Securing open source is important, but the more important problem to solve is securing your own software. That comes down to the same thing: tools, process, and package management.

Once you have those controls in place, you can get that innovation engine going.