The open source dilemma — A new era for enterprise software
99+% of enterprise software utilizes open source technology, typically at a minimum hundreds of packages. However, the open-source software ecosystem is facing unprecedented challenges that threaten its very foundation.
It is my belief that we are witnessing an inflection point in a shift back towards closed-source or more commercialized models, particularly in the realm of web-based technologies. Here’s why:
1. Security is at a breaking point
It is becoming increasingly difficult for consumers of open source to ensure the security of what they consume. While this challenge has been growing over time, it is underscored of late by the sophisticated and novel attack on XZ Utils, a popular set of data compression tools used in major Linux distributions. In early 2024, a pseudonymous attacker introduced a backdoor into XZ Utils, leading to significant disruptions, including delaying a release of Ubuntu, the most popular Linux variant in circulation. This exploit was part of a larger social engineering campaign targeting open source maintainers through fake identities and urgent requests for maintainer access. Perhaps most concerning is that, by all accounts, fairly extensive security research never identified the backdoor. Rather, it was identified by one individual through pure luck.
When utilizing commercialized technology, the process is primarily designed around trusting both the third-party vendor and that vendor’s SDLC. But is it even possible for the open source ecosystem to cohesively rally around a maintainer model that is more transparent, one that allows open source consumers to vet maintainers the same way they vet third-party vendors? What about governance over SDLCs? And what about at the magnitude of hundreds or thousands of separate maintainers?
2. Licensing is tenuous
For nearly a decade, there has been a gradual shift in licensing trends from permissive licenses like MIT to more restrictive ones. This trend gained significant momentum around 2018 during Redis’s and MongoDB’s feud with AWS, resulting in those projects adopting licenses that limit commercial exploitation.
More recently, the predominant Infrastructure-as-Code tool, HashiCorp’s Terraform, also changed its license. The community responded with a “hard fork” named OpenTofu. Shortly thereafter, HashiCorp issued OpenTofu a cease-and-desist.
Throughout battles like these, all open-source consumers can do is choose between multiple evils and hope for the best. It’s ugly.
3. The funding model is broken
Despite widespread use, funding for open-source projects has not kept pace with their growing volume and importance. Many projects rely on the goodwill of contributors and sporadic donations. The projects not in this boat are often backed by large commercial entities, many of which are eventually tempted to swap licensing models.
Take OpenSSL, which is utilized by virtually every enterprise SaaS vendor in some form to encrypt communications, yet only received substantial funding after the Heartbleed vulnerability in 2014 exposed critical security flaws.
4. The regulatory landscape has shifted
Recent federal mandates on Software Bills of Materials (SBOMs) have placed additional pressures on consumers of open-source software. This means that virtually overnight, enterprise SaaS vendors are being required to provide detailed information on all of the software components in their products, including version numbers. This level of rigor was previously required only for “subprocessors”, typically defined as third-party commercial vendors. Of course, there are far fewer of these in the typical SaaS offering than there are open source packages. Commercial dependencies are much easier to inventory and, more concerning still, much easier to govern.
Increasingly, all of these factors are contributing to a certain type of paralysis when it comes to the use of open source software in enterprise SaaS products. And as a result, it seems to me that the flexibility and communal spirit that helped make open source the behemoth it is today is becoming a very distant memory.
It is for these reasons that I believe the industry will likely see a pivot back towards more controlled and commercial software consumption. Of course, much like today’s landscape, this will not be an all-or-nothing affair. It will be observable on a spectrum, measured in shifting preferences and percentages. But watch this spectrum closely. There will be big winners, big losers, and a lot of innocent bystanders as a result.