A Complete Guide to Open Source Software in Enterprise

What is open source software?

Open source refers to free-to-use software that anyone can access and modify. Open source code is publicly accessible for developers to incorporate into their applications. It typically relies on a community to develop, distribute, and maintain the software.

This community development approach relies on regular peer reviews, enabling developers to contribute to collaborative, decentralized projects. Open source code saves time for developers because it gives them access to software functionality without having to develop it themselves. It is more flexible and customizable. Many open source projects are backed by large development communities that can provide superior innovation and support compared with a single software vendor.

The open source movement has become a dominant software development approach that extends far beyond its initial purpose of code production. The decentralized development model of open source communities enables diverse contributors to improve software and identify new solutions to bugs and security vulnerabilities.

A brief history of open source software

In the early days of software development, programmers often shared software to learn from each other and expand the collective knowledge base of the computer programming field. In 1979, David Knuth introduced the TeX typesetting program into the newly formed Free Software Foundation (FSF). Richard Stallman followed in 1983 with his GNU operating system. Netscape was an early free web browser containing source code developers would later use to build open source software projects such as the Mozilla Firefox web browser, which is still widely used today.

Eventually, the Open Source Initiative (OSI) replaced the FSF, as several software developers came together to create software that others could share, improve, and redistribute freely.

There have been some critics of the open source movement. For example, in 2001, Jim Allchin from Microsoft attacked OSI for destroying intellectual property. Since then, major companies such as Microsoft have embraced open source. Open source software is now widely considered a crucial part of software development.

There are many organizations involved in open source projects. Nonprofits, funders, and contributors include WordPress, Linux, Creative Commons, Mozilla, and the Android Open Source Project.

Open source vs. closed source software

Closed source software (also called custom code or proprietary code) is encrypted and protected, which prevents unauthorized users from using or viewing the source code. Any attempts to modify, delete, or copy closed code components can result in legal repercussions or voiding the warranty.

In contrast, open source software allows users to copy, delete, or modify code components, keeping the code open so that others can include this code in their program, according to the licensing granted by the open source code creators.

Development
  • Closed source: The creators of closed source code are responsible for developing and fixing their software. They can decide whether to continue ongoing development or stop supporting the project.
  • Open source: Open source software operates under a mass collaboration model in which a community of creators contributes to the project’s development. Projects supported by an active community regularly release new features, fixes, and updates.

Support
  • Closed source: Closed source software is supported by a commercial company with the resources to provide various support options. Closed source vendors and service providers typically offer support manuals, FAQ pages, and contact options via email or a support ticket. Response time may vary but often does not surpass one business day.
  • Open source: Open source projects rely on a community of contributors. As a result, these projects cannot offer direct support options. Open source support is usually limited to forums, articles, or hiring experts.

Usability
  • Closed source: Closed source software undergoes usability testing to ensure a positive experience. The vendor provides a manual for reference, quick training, and support options. Many vendors also allow third-party integrations and add-ons to extend usability.
  • Open source: Open source software typically does not undergo usability testing. Manuals and user guides are optional, and when provided, these guides typically do not consider the layperson, offering mainly jargon-filled information.

Security
  • Closed source: With closed source software, only the official vendor is authorized to fix security issues. Users can send a ticket and wait for a reply from the support team. As a result, it may take longer to resolve security issues.
  • Open source: Anyone in the open source community can view, modify, and share the project’s code. As a result, actively supported projects have many people who can fix, test, and upgrade the code. The community can quickly fix bugs and check the code thoroughly post-release. However, open source software is vulnerable to malicious exploitation due to its open nature.

Cost
  • Closed source: Closed source software is not offered for free. Vendors offer various pricing models, such as subscriptions and on-demand purchases, to allow use of closed source products.
  • Open source: Open source software often offers the core functionality for free. However, many open source projects charge for additional features, added functionality, or support.

Flexibility
  • Closed source: Closed source software offers limited flexibility, which typically applies only to extending the front end. Closed source software functionality is offered as-is, and any changes can void the warranty or result in legal repercussions.
  • Open source: Open source software usually allows a high level of flexibility, allowing users to modify the functionality and add community-created feature modifications. Due to this flexibility, open source software tends to scale up more easily.

What are open source licenses?


Open source licenses grant specific permissions to use, modify, and share open source software. There are 80-plus types of open source licenses, each offering different rights and limitations. However, the majority of open source licenses are categorized into two main licensing types:

  • Copyleft license—an open source license stipulating that any code derived from an open source project inherits its licensing terms.
  • Permissive license—an open source license that offers extended freedom for reusing, modifying, and distributing code derived from the open source project.

Popular copyleft open source licenses

GNU General Public License (GPL)

The GNU General Public License (GPL) is a popular copyleft open source license. It was conceived by Richard Stallman to prevent GNU software from becoming proprietary.

GPL stipulates that any software using GPL components must be released as open source, regardless of the percentage of GPL components in the code. This means any project using GPL components must release its entire source code as open source, with rights to modify and distribute the new project.


Affero GPL (AGPL)

AGPL adds one clause on top of the GPL license. It was created to close a loophole in the GPL, under which software that is only made available over a network is not considered distributed. AGPL adds a remote network interaction clause that closes this loophole, so the GPL terms also apply to software used over a network.


Eclipse Public License (EPL)

The EPL open source license is derived from the Common Public License (CPL). This copyleft license was developed by the Eclipse Foundation and applied to the Eclipse code base, which was formerly licensed under the CPL.

Here are the key requirements of this license:

  • Modification—any EPL-licensed component that is modified and distributed as part of a different program requires the author to disclose all modified code under the EPL.
  • Distribution—developers that distribute a program with EPL components in its object code form must state that recipients can request and receive the source code, and state the method for these requests.

The EPL protects the author from lawsuits or damages caused if a company uses the author’s component in a commercial product. It also offers a patent grant.


Mozilla Public License (MPL)

The MPL is a copyleft open source software license that allows modification and use of Mozilla code in proprietary and closed source software. However, authors must keep this code in separate files that are distributed with the software. It also includes patent grants and ensures that copyright notices are retained.


Popular Permissive Licenses

The Apache License

The Apache Software Foundation (ASF) released the Apache License as a permissive open source software license that allows authors to freely use, modify, and distribute Apache-licensed products. The Apache License is highly popular and backed by an active community.


MIT License

The Massachusetts Institute of Technology (MIT) created the MIT license in the late 1980s. It is a permissive open source license that allows authors to use, modify, and distribute MIT-licensed software. However, authors must add a copy of the MIT license and a copyright notice linking the project to the original work. The MIT License is highly popular, but it does not expressly grant patent rights.


BSD License

The Berkeley Software Distribution (BSD) license allows authors to use, modify, and distribute open source software. However, it requires authors to include the license text and copyright notice. The BSD family includes several licenses that differ in terms of restrictions and the number of clauses.

The most popular version is the BSD 3-Clause License, also known as the New BSD License or Modified BSD License. It is similar to the MIT license, but includes a non-endorsement clause that prohibits any distributed derivative work from using the original code’s author or contributors’ names for promotional purposes.

Learn more in the detailed guide to open source licenses

What is an open source software policy?


An open source software policy provides a standard that informs all personnel and relevant parties on the proper use of open source components. It standardizes open source practices and tools across the organization. The goal is to maximize the benefits and impact of open source code and address technical, business, and legal risks related to open source.

Due to specific business objectives and compliance requirements, open source policies can vary greatly between companies and industries. However, most organizations can incorporate the below core practices into their policy to meet standard legal requirements.

Identify and educate stakeholders

An open source policy aims to help an entire organization standardize open source practices. It can only work if relevant personnel and parties truly understand and implement the policy. It requires companies to identify key stakeholders, such as technical, business, and legal staff, and provide training and education resources to help them understand the policy.


Identify business requirements for open source use


Identify open source code and usage

An open source policy should cover the specific aspects of open source use that introduce risk. It requires companies to identify all open source components that the organization uses, contributes to, distributes, and modifies, together with all licenses that govern these components. Each component introduces different legal risks, and each license allows specific kinds of usage, external distribution, and software-as-a-service deployment.


Standardize approval and release procedures for open source code

An open source policy should standardize proper procedures and considerations for approving and releasing any company-developed software under an open source license. It should also include standards for contributing to or creating managed open source projects. Additionally, the policy should define specific criteria for choosing open source licensing.

Common security best practices to help you secure open source software

Monitor for vulnerabilities and updates

Proprietary software vendors usually push updates, while open source projects do not necessarily do so, and open source support is limited. As a result, organizations using open source components need to monitor for vulnerabilities and updates to ensure that all components are patched and remediated in a timely manner.

Organizations can use vulnerability and threat intelligence feeds to keep their software updated. These feeds send alerts when issues are reported and also offer remediation information. Project community communications, such as newsletters and forums, also offer updates on vulnerabilities and threats, but many report vulnerabilities only internally.



Open source vulnerability scanning

Vulnerability scanners are automated tools that continuously and proactively inspect code for known vulnerabilities in open source components. They help identify vulnerabilities, security weaknesses, licensing issues, and code quality issues. Here are the key benefits of open source vulnerability scanning:

  • Identify known vulnerabilities in open source software—this information enables you to close security gaps and maintain a strong security posture
  • Monitor open source licenses—this information helps determine how to use open source components in compliance with legal requirements set by the creators
  • Detect outdated open source components—this information can help you fix or remove components that can potentially impair the quality and security of your software



Use a binary repository

Here are key benefits of using binary repositories:

  • Cache local copies of open source code to ensure you use only clean and verified components
  • Avoid getting affected by source code updates or changes in a different copy
  • Effectively manage, approve, and track components and their location

Software composition analysis

Software composition analysis (SCA) is an application security testing tool that helps manage open source components. SCA tools automatically scan your source code to identify open source components, licensing data, and known vulnerabilities.

SCA tools provide visibility into open source components and offer prioritization and automated remediation to help fix vulnerabilities. Here is how it works:

  • Prioritization. The tool automatically prioritizes security vulnerabilities that pose the biggest risk to enable organizations to remediate these issues first. It eliminates the need to sift through many alerts to prioritize vulnerabilities.
  • Remediation. Most tools provide information on the location of the vulnerability and offer suggestions on how the fix may impact your build. Advanced tools offer automated remediation workflows initiated according to vulnerability policies. These policies are triggered according to vulnerability detection and severity, CVSS score, and when new versions are released. It helps keep open source components continuously patched.

Ideally, you should look for SCA tools that seamlessly integrate into your software development life cycle. It helps resolve vulnerabilities during early phases when issues are more easily and cheaply fixed.
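As an added example (not code from this guide or from any vendor's product), the following Python script sketches the inventory, CVSS-based prioritization, and license-policy steps described in the SCA section and in the licensing and policy sections above. The manifest format, advisory feed, advisory IDs, and policy tables are constructed for the illustration.

```python
from dataclasses import dataclass

# License families as the guide groups them (constructed policy table).
COPYLEFT = {"GPL-3.0", "AGPL-3.0", "EPL-2.0", "MPL-2.0"}
PERMISSIVE = {"Apache-2.0", "MIT", "BSD-3-Clause"}

# Constructed advisory feed: component -> [(advisory id, first fixed version, CVSS)].
FEED = {
    "libfoo": [("ADV-0001", "1.2.0", 9.8), ("ADV-0003", "1.0.5", 4.0)],
    "libbar": [("ADV-0002", "2.3.2", 5.3)],
}
# Constructed dependency manifest: one 'name==version license' entry per line.
MANIFEST = "libfoo==1.1.0 GPL-3.0\nlibbar==2.3.1 MIT\nlibbaz==0.9.0 Apache-2.0\n"

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str

def parse_manifest(text):
    """Build the component inventory (the SCA 'identify' step)."""
    comps = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            spec, license_id = line.split()
            name, version = spec.split("==")
            comps.append(Component(name, version, license_id))
    return comps

def _ver(v):
    return tuple(int(p) for p in v.split("."))

def severity(cvss):
    """CVSS v3 qualitative rating bands."""
    return "critical" if cvss >= 9.0 else "high" if cvss >= 7.0 else "medium" if cvss >= 4.0 else "low"

def find_vulnerabilities(components, feed=FEED):
    """A version older than the first fixed release is affected; sorted by CVSS so the riskiest come first."""
    findings = [{"name": c.name, "version": c.version, "advisory": adv, "cvss": cvss,
                 "severity": severity(cvss), "fix": fixed}
                for c in components for adv, fixed, cvss in feed.get(c.name, [])
                if _ver(c.version) < _ver(fixed)]
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)

def license_violations(components, distributed=True, network_service=False):
    """Copyleft terms are triggered by distribution (and, for AGPL, by network use); unknown licenses need review."""
    issues = []
    for c in components:
        triggered = distributed or (network_service and c.license.startswith("AGPL"))
        if c.license in COPYLEFT and triggered:
            issues.append((c.name, c.license, "copyleft terms apply; review before release"))
        elif c.license not in COPYLEFT | PERMISSIVE:
            issues.append((c.name, c.license, "unknown license; needs legal review"))
    return issues
```

Feeding a real manifest and a real advisory feed into the same two checks gives the prioritized list and the license review queue an SCA tool would surface.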

Learn more in the detailed guide to Software Composition Analysis (SCA)
