Weighing the Pros and Cons of Open-Source Software to Support Critical Infrastructure

Fifteen years ago, I had a colleague say to me, “Open-source software is not free; it means access to the source code.” At the time, we both worked for an open-source software company that sold enterprise features and support for an Apache open-source project. This was my first of many endeavors working in the open-source world, and I quickly learned that it is a mistake to use unsupported open-source software in production.

Now, I am sure some of you are ready to stop reading this blog right now because you use open-source software in production all the time (and many do). I didn’t say you can’t use it; I said it was a mistake. Hear me out: I am a huge fan of open source, and there are a lot of positive aspects of using it. There are also a lot of negatives, which can cause major issues if you are not prepared. This blog will cover the pros and cons of open-source software to support critical infrastructure, so keep reading.

Let’s start with five key pros:

  1. Licensing and cost: The open-source model is designed to enable companies to deploy and use the software freely as they wish. If desired, a subscription fee can be paid for enterprise features and support.
  2. Access to source code: One of the most frustrating things with proprietary software is getting an enhancement added. You are at the mercy of the vendor. This is not the case with open-source software. Having access to the source code means your developers can add or modify features to suit your business needs.
  3. Scale and performance: Many popular open-source products are exposed to some of the largest workloads and scale demands on the planet. In fact, many open-source products come from large web companies where the product was built to handle large-scale needs.
  4. Community: Open-source software tends to be supported by a community of developers who contribute to the software’s development and improvement. This means that bugs are fixed more quickly, and new features are added faster than with proprietary software (there are caveats as bug fixes/feature requests can be rejected by the community).
  5. Usage: Open-source software is built to run on modern operating systems and hardware, making it easy to deploy and use (you are not going to run Windows 95 as the OS).

Let’s look at the flip side: here are five cons to consider:

  1. Support: Here is one of the biggest downsides. If you plan to run in production, you should have support from a vendor that either owns the open-source project or has the most committers on the project. I have experienced this firsthand as a vendor supporting an open-source product. I was asked to take a call with what I was told was a very panicked person. When I got on the phone, I found out this person had a financial system that was down, and they could not figure out the issue. Their development and operations team realized the issue was related to the open-source software my company supported. As you can imagine, we had no relationship with this company and no support contract. To resolve the situation quickly, we worked out an emergency contract and fixed the issue. I won’t tell you how long the process took (the contract took longer than the bug fix), but I can tell you it was much longer than they wanted. They bought a full support contract after the issue was solved.
  2. Open-source practices: Depending on the open-source product, getting a feature or bug fixed can be challenging. Many products require a voting process that can be arduous and take excessive time. Additionally, many open-source products simply remove features instead of deprecating them, which makes it difficult to upgrade or integrate with newer versions.
  3. Security: Some open-source products don’t have the security rigor of proprietary software. There can be vulnerabilities, and you should use your internal scanning tools before using or deploying any unsupported open-source products.
  4. User Interface: Typically, open-source application teams focus less on the user interface. The term “good enough” is often their motto. It’s likely your application will not rely on the provided user interface but more on the APIs and integration points.
  5. Complexity: Some open-source software can be very complex to deploy and manage. The software is written by very technical people. Remember that to them, it is easy, but you won’t have them on your staff when it comes time to deploy and manage (did I mention a support contract?).

As you weigh these pros and cons, I hope my message is clear: the use of open-source software for critical infrastructure is a good thing if you have a vendor to support it. A good vendor/partner will enable your team with enterprise features (not available in the open-source version), in-depth expertise, and 24x7x365 support when things go wrong. If you choose to go down the self-support path, just be aware that your development team will spend more time supporting the open-source software and less time building the products that support your business.

At Keyfactor, we believe in open-source software and a community to support and nourish it. Stop by and visit us at https://www.keyfactor.com/open-source/community/ to learn more about the Keyfactor Community and the products we offer. And if you’re interested, you can join the community to help shape the future.