IT leaders more likely to select vendor who contributes to open source community - Red Hat
Some 82% of Asia Pacific IT leaders are more likely to select a vendor who contributes to the open source community, a new report from Red Hat has revealed.
The fourth annual State of Enterprise Open Source Report explores how and where organisations are using enterprise open source, the impact of COVID-19, perceptions on the security of enterprise open source, and benefits of using enterprise open source.
The report found 89% of IT leaders said enterprise open source is at least as secure as proprietary software, while 55% of respondents said security is a benefit of enterprise open source because their teams "can use well-tested open source code for our in-house applications."
Gordon Haff, technology evangelist at Red Hat, said the report revealed a few surprises.
"We survey a broad panel of IT decision makers about the state of enterprise open source every year. We also have many thousands of conversations with customers, prospects, analysts, and industry peers. So it takes a lot to surprise us. Yet, every year that we run this survey there are usually one or two results that we didn’t really expect," he says.
Upstream contributions matter
"Last year, when we decided to ask a new question about whether people cared if their enterprise open source vendor contributed to open source, our expectations were modest," says Haff.
"Over the years, we’ve often found customers mostly interested in enterprise open source as a source of less expensive software in a good-enough product.
"To be sure, sentiments have shifted over time with attributes such as better quality, security, and access to innovation increasingly eclipsing lower cost of ownership as a primary benefit of enterprise open source software," he says.
"But we were still surprised when 82% said that they were at least somewhat more likely to select a vendor who contributes."
The report found the same percentage this year were more likely to purchase from contributors.
"But we also dug deeper into the "why" this year and we were at least somewhat surprised again. While we weren’t sure what the responses would look like, we’d probably have gone with choices that aligned most closely with benefits that had the straightest line between contribution and vendor participation—for example, influencing the development of needed features," Haff says.
Mature understanding of the open source development model
However, while choices like these were frequently selected on the survey, others were too. And a number of those other reasons to pick contributing vendors, such as familiarity with open source processes and helping to sustain healthy open source communities, suggest a more sophisticated understanding of the open source development model than Red Hat were expecting.
"To be most effective, this model assumes that some of the value obtained from using open source projects to build products flows back into open source communities as a sort of virtuous cycle," Haff says.
"That IT decision makers answered the "why" in the way they did says to us that many buyers don’t view enterprise open source products in the same light as proprietary products."
Rather, it's the product of a different, and often better, development process. That likely also contributed, at least in part, to why this year's survey saw enterprise open source continue to gain at the expense of proprietary software.
Security as a benefit of enterprise open source
"We’ve also seen the ascendance of security as an important enterprise open source benefit," says Haff.
"This year, 89% of IT leaders said enterprise open source is at least as secure as proprietary software. This is a big change from not all that long ago. It used to be that quite a few potential buyers figured that being able to see the source code inherently decreased code security in the same manner as being able to see the schematics of a physical security system."
The improved perceptions of enterprise open source security are something that Red Hat have been tracking in surveys, focus groups, and in customer conversations for a number of years. So the continued high opinion of enterprise open source security this year didn't come as a surprise, Haff says.
What was less obvious were the reasons why respondents thought enterprise open source is such a benefit with respect to security.
"The obvious historical answer to this question would have been that there are many eyes on the code. The problem with this answer has always been that there sometimes aren’t many eyes and what eyes there are may not be skilled ones backed by rigorous processes," says Haff.
"In a way, this is the counterpoint to the "but the bad guys can see the source code" argument against open source being adequately secure.
"It’s a naive dichotomy that once defined the mostly surface level open source security debate. We perhaps assumed it was still in force more than it apparently is—at least among the IT leaders at mostly larger firms who we surveyed," he says.
But "many eyes" is now some way down the list of reasons why security is a benefit of enterprise open source. Respondents also indicated the ability to audit the code themselves was even less important.
Instead, 55% said the top reason is that their teams "can use well-tested open source code for our in-house applications." Furthermore, in spite of the attention that software supply chain security is starting to receive, IT leaders say that the ability to use enterprise open source internally, as most companies doing application development do, is still a big net benefit.
Haff says other leading reasons are similar to what you'd probably see with any enterprise software: promptly delivered, well-documented, and scannable security patches, for example.
"Our takeaway from these surprising (but maybe they shouldn’t be) results? Enterprise open source is increasingly seen as having many of the same positive attributes as proprietary software while also delivering on the benefits that come from the flexibility of open source licensing and the open source development model."