SafeThere is no shortage of topics in the IT world that generate a lively conversation and heated discourse. Some of those topics include password requirements, maintaining data in-house versus storing it in the cloud, trusted versus untrusted scanning procedures, penetration testing versus vulnerability scan testing, Star Trek or Star Wars, etc. The possibilities are endless.

Here is another topic that flares binary passions: using open source software versus commercially available tools. Let’s spend a few minutes looking at the benefits and drawbacks of each. But first we have to define our terms so we can all be on the same page.

You have probably heard of Open Source Software (OSS). In a nutshell, OSS is software whose source code is made available to the public, and can be edited, manipulated, improved, or changed by the general public. Contrary to popular opinion, open-source does not necessarily mean “free”. Often, OSS is provided to the public without cost, but may request donations for developers to keep the project ongoing.

On the other end of the software spectrum is closed source, or proprietary software. This includes software and hardware where the underlying source code is not made available to the end user. Microsoft and Apple are prime examples. Changes to the software are designed, written and deployed by the singular developing company, not a confederacy of independent developers like OSS.

Each software delivery method has its own benefits and limitations. Proponents say the top reasons for using OSS solutions are (derived from Wikipedia):

  • Lower Cost
  • Security capabilities comparable to COTS software
  • Not locked into a specific vendor
  • Possibly Better Quality tools available than proprietary software
  • Software can be customized to meet your organization’s needs (that is, if you have programmers on staff)

 

The logic behind the OSS movement goes like the: the more sets of eyes available to look at the code of an application, the more likely errors or malicious code will be detected and removed. And there is an incentive to make the processes efficient to minimize the code involved. Often, OSS has been developed so it can be used on almost any platform. Some of the more common OSS tools include the Linux operating system and all of the “flavors” that go along with it, Mozilla tools like the Firefox web browser or Thunderbird email client, OpenOffice and LibreOffice as alternatives to Microsoft Office, and Moffsoft Calculator just to name a few.

For all the benefits of OSS, there are also some drawbacks and risks to consider. Many sets of eyes on a product may be good for quality control, but lacking a cohesive vision for a software tool could result in slow development iterations and failure to introduce new functionality. Or, the project could just “sputter out”. In my experience, the open source tools very often try to imitate Commercial off the Shelf (COTS) products as a free solution, and do not introduce new functionality. Furthermore, OSS can sometimes not be as secure as we hope, like the TrueCrypt debacle from 2014. OpenSSL was supposed to be a secure open source tool but was found to have a significant vulnerability in 2014 (Heartbleed).

The other end of the software spectrum proprietary software, or COTS software. In our experience this is, by far, the most common solution for businesses. As we mention above, this includes Microsoft and Apple, Intuit (Quickbooks, TurboTax), and most of the common software packages you buy off the shelf. At a high level, the benefits include:

  • More specific legal protections through licensing
  • Possible recourse if the vendor fails to deliver agreed to services
  • Predictability in version updates, software fixes
  • If working with a public company, the ability to review financial and company information
  • The ability to network with other companies and learn from their experiences
  • System documentation that stays reasonably up to date
Learn More about our Risk Advisory Services

Of course the benefits of COTS come at a price. Software must be purchased, installed, and maintained. Managing licenses can become cumbersome; if licensing is not handled correctly your organization could face significant fines. Many COTS developers are moving their pricing models to subscription type services rather than capital purchases with incremental updates.

So, benefits and risks exist for both OSS and COTS solutions. We suspect that the deTECH readers lean heavily toward COTS products. But small, low budget organizations may find the benefits of OSS solutions meet their needs without compromising on security or maintenance. We would love to hear your perspective on Open Source versus Commercial Off the Shelf. Take our quick survey (we’ll publish the results next time) or Email us at RAS@yhbcpa.com with your thoughts and opinions


Bryan NewlinBryan is a Manager at YHB and serves on the Risk Advisory Services Team. Bryan focuses on assisting organizations in a variety of industries with internal audits and IT-related audit and consulting services.

Learn More about Bryan