Open source software (OSS) is software that is distributed with its source code, making it available for use, modification, and distribution with its original rights. Source code is the part of software that most computer users don’t ever see; it’s the code computer programmers manipulate to control how a program or application behaves. Programmers who have access to source code can change a program by adding to it, changing it, or fixing parts of it that aren’t working properly. OSS typically includes a license that allows programmers to modify the software to best fit their needs and control how the software can be distributed.
The idea of making source code freely available originated in 1983 from an ideological movement informally founded by Richard Stallman, a programmer at MIT. Stallman believed that software should be accessible to programmers so they could modify it as they wished, with the goal of understanding it, learning about it, and improving it.i Stallman began releasing free code under his own license, called the GNU Public License. This new approach and ideology surrounding software creation took hold and eventually led to the formation of the Open Source Initiative in 1998.i
The Open Source Initiative (OSI) was created to promote and protect open source software and communities.ii In short, the OSI acts as a central informational and governing repository of open source software. It provides rules and guidelines for how to use and interact with OSS, as well as providing code licensing information, support, definitions, and general community collaboration to help make the use and treatment of open source understandable and ethical.ii
Open source code is usually stored in a public repository and shared publicly. Anyone can access the repository to use the code independently or contribute improvements to the design and functionality of the overall project.
OSS usually comes with a distribution license. This license includes terms that define how developers can use, study, modify, and most importantly, distribute the software.iii According to the Black Duck® KnowledgeBase, five of the most popular licenses are:
The short answer is no. With multiple parties making modifications and improvements, it’s inevitable that open source software will contain quality, performance, and security flaws. However, the broad base of code contributors can also mean that bugs are identified and fixed faster.
No matter the type of software—open source or commercial—code flaws will exist. The main difference is who is responsible for fixing the bugs; for commercial software, vendors are responsible, whereas the consumer is responsible for open source software. With a robust set of AppSec tools and practices in place, OSS can be easily secured.
Factors |
Open source |
Closed source |
Price |
Available for nominal or zero licensing and usage charges. |
Cost varies based upon the scale of the software. |
Freedom to customize |
Completely customizable but it depends on the open source license. Requires in-house expertise. |
Change requests must be made to the company selling the software. This includes bug fixes, features, and enhancements. |
User-friendliness |
Typically less user-friendly, but it can depend on the goals of the project and those maintaining it. |
Typically more user-friendly. As a for-profit product, adoptability and user experience are often key considerations. |
After-sales support |
Some very popular pieces of open source software (e.g., OSS distributed by Red Hat or SUSE) have plenty of support. Otherwise, users can find help through user forums and mailing lists. |
Dedicated support teams are in place. The level of service available depends on the service-level agreement (SLA). |
Security |
Source code is open for review by anyone and everyone. There is a widespread theory that more eyes on the code makes it harder for bugs to survive. However, security bugs and flaws may still exist and pose significant risk. |
The company distributing the software (i.e., software owner) guarantees a certain level of support, depending on the terms of the SLA. Because the source code is closed for review, there can be security issues. If issues are found, the software distributor is responsible for fixing them. |
Vendor lock-in |
No vendor lock-in due to the associated cost. Integration into systems may create technical dependency. |
In most cases, large investments are made in proprietary software. Switching to a different vendor or to an open source solution can be costly. |
Stability |
This will depend on the current user base, the parties maintaining the software, and the number of years in the market. |
Older, market-based solutions are more stable. New products have similar challenges as open source products. If a distributor discontinues an application, the customer may be out of luck. |
Popularity |
Some open source solutions are very popular and are even market leaders (e.g., Linux, Apache). |
In some industries, proprietary software is more popular, especially if it has been in the market for many years. |
Total cost of ownership (TCO) |
TCO is lower and upfront due to minimal or no usage cost, and depends on the level of maintenance required. |
TCO is much higher and depends on the size of the user base. |
Community participation |
The community participating in development, review, critique, and enhancement of the software is the essence of open source. |
Closed community. |
Interoperability with other open source software |
This will depend on the level of maintenance and goals of the group, but it is typically better than closed source software. |
This will depend on the development standards. |
Tax calculation |
Difficult due to undefined monetary value. |
Definite. |
Enhancements or new features |
Can be developed by the user if needed. |
Request must be made to the software owner. |
Suitability for production environment |
OSS might not be technically well-designed or tested in a large-scale production environment. |
Most proprietary software goes through multiple rounds of testing. However, things can still go wrong when deployed in a production environment. |
Financial institution considerations |
The financial industry tends to avoid open source solutions. If used, a vetting process must take place. |
Financial institutions prefer proprietary software. |
Warranty |
No warranty available. |
Best for companies with security policies requiring a warranty and liability indemnity. |
Pros of open source software
While open source software offers a multitude of benefits, it introduces a whole new level of software risk management. It is critical that an organization utilizing OSS, or acquiring codebases that contain OSS in a merger or acquisition, truly understand what is in their code so they can effectively manage and secure it. The Black Duck solution suite offers complete open source coverage, so you can use OSS confidently.
If you want to learn more about open source risk and how to mitigate it, here are some steps you can take:
By taking these steps, you can learn more about open source risk and take the necessary steps to mitigate it, ensuring the security and compliance of your organization's software.
Software composition analysis (SCA) tools help teams manage the security, quality, and license compliance risks that come with the use of open source and third-party code in applications and containers. SCA helps you understand what’s in your code, and provides a comprehensive software bill of materials (BOM).
Black Duck Audit Services provide fast analysis of open source, legal, security, and quality risks for merger and acquisition due diligence or internal reporting. Black Duck offers several audits:
- This glossary was reviewed by Mike McGuire.
i https://www.wired.com/story/wired-guide-open-source-software/
ii https://opensource.org/history
iii https://opensource.com/resources/what-open-source
iv https://www.thebalancecareers.com/what-is-open-source-software-2071941
v https://www.howtogeek.com/129967/htg-explains-what-is-open-source-software-and-why-you-should-care/
vi https://www.nibusinessinfo.co.uk/content/disadvantages-open-source-software
Download the supply chain security solution guide
See why Black Duck is a software composition analysis Leader