Skip to content

Security moves from blocker to driver of open source adoption

Commentary: Companies used to look to open source to lower costs. That’s still true, but an even bigger driver is security, according to a new developer survey.


Image: iStock/natasaadzic

Companies have long turned to open source to save money. Surveys over the years have captured customer intent to lower costs through open source; analyst firms have called it out, too. Similar surveys and/or analyses historically identified common inhibitors to adoption, including support and security. 

And yet, attitudes toward open source have almost completely changed over the past decade. Well, except that organizations still expect to save money by using open source. But the biggest change of all may well be in the area of security.

SEE: Top 5 programming languages for systems admins to learn (free PDF) (TechRepublic)

Open source times are a’changin’

This fact struck me while reviewing the results of a developer survey my team commissioned. I knew that attitudes had shifted, with more emphasis on open source to foster business agility and less on things like “lock-in,” but I hadn’t realized just how markedly the market had moved (Figure A).

Figure A


Image: AWS/Matt Asay

As mentioned, cost remains a driver for open source adoption, but the number one driver of open source today was the number one inhibitor of open source adoption 10 years ago: Security. 

This, despite things like Heartbleed and other well-publicized open source security breaches. This, despite a record number of open source vulnerabilities being reported. This, despite open source embedded in nearly all software that we use with uncertain provenance or sustainability of some of those components (leading to the rise of Tidelift and others like them). And this, despite open source developers acknowledging they don’t want to invest time to secure their code.

But maybe, just maybe, it’s because we’ve gotten smarter about software and security, generally. 

More about cybersecurity

Early on, people criticized open source security because, well, it’s open. Surely if hackers can spot problems in code, they can exploit it. Proprietary vendors piled on, touting security through obscurity. Meanwhile, open source proponents went to the opposite extreme, arguing that open source is more secure by default because “given enough eyeballs, all bugs are shallow.” The problem, of course, is that it’s simply not the case that there are lots of “eyeballs” inspecting open source code to make sure it’s secure.

So neither side was particularly correct. But one thing that has become apparent over time is that while open source software isn’t inherently more (or less) secure, rather it offers an inherently better process for securing code. Bugs in open source code, when uncovered, are quickly fixed through an open process. Unfortunately, that same process doesn’t guarantee that users will apply the fixes to their code.

Somewhere along the line as an industry we realized that security is a process, not something that can somehow be engineered into code. Once that shift happened, it was just a matter of time before we realized that open source was the best way to deliver such a process. So enjoy that lower-cost, higher-innovation open source software…and get better security for free.

Disclosure: I work for AWS, but the views expressed herein are mine.

Also see