Open Source, the Development Manager’s Silver Bullet?

Categories: Industry News, Open Source

Bill McQuaide
Executive Vice President of Products and Services
bmcquaide@blackducksoftware.com
Open Source as a Silver Bullet: Defying Traditional Dev Tradeoffs between cost, schedule and features.

Application development managers spend their careers wrestling with what many believe are the inevitable tradeoffs between cost, schedule and features. Listen closely to the regular development staff meetings and you’ll hear things like: “I can deliver on schedule but need to drop some functionality to make it,” or “we’ll deliver the desired functionality but we can’t make the schedule,” or “we will make the schedule but we’ll be over budget because we’re using more people than planned.” To some, managing these three essential tradeoffs is an art; to many it’s a science. Regardless, successful companies invest a lot in making it work. Over the past few years, it looks like a silver bullet is emerging that doesn’t force the traditional tradeoffs…

One of the highlights of the LinuxCon 2010 conference was Jeff Hammond’s presentation on open source adoption in the enterprise. Jeff, a former IBM Rational product manager and long-time devotee of developers, was talking about his latest survey data showing that open source in the enterprise had arrived, “crossed the chasm” and was being widely adopted. As part of the reason why, Jeff explained that open source delivered value to dev teams that hit on all three elements of cost, schedule, and features, what he called the “software ‘iron triangle’”, and did so simultaneously, making open source a “silver bullet.”

Jeff Hammond, Forrester Research, LinuxCon 2010

It seems to defy the laws of physics at some level, but let’s look at an example. Using open source components in a web application, dev teams can employ an authentication framework or a database ORM to replace internal code, which saves coding resources. It also shortens the project schedule and can increase the feature set delivered since the dev team can shift time and effort from developing commodity code to adding differentiating features most highly valued by customers.

There’s a lot of research lately showing that open source is changing how enterprises develop software. Reinforcing much of what Jeff Hammond presented at LinuxCon 2010 is a recent Accenture survey that said open source is changing how the business operates its IT function. If open source can relieve some of the traditional tradeoffs around the “software iron triangle,” it sure seems like IT would be embracing it.

We see that happening at many of our customers’ shops. What’s it like in your shop?


The Rise of Open Source

Categories: Industry News, Open Source

Peter Vescuso
Executive Vice President of Marketing and Business Development
pvescuso@blackducksoftware.com
I recently had the opportunity to hear Stephen O’Grady, industry analyst at RedMonk, talk to a group of us at Black Duck about where open source is going. Stephen started his talk with a provocative question: “Is open source over?”

One might wonder why this question is even being asked. The answer is that there are few large, commercially successful OSS companies (like Red Hat). Many OSS advocates hope for more successful commercial companies to ensure open source’s continued success and innovation. Stephen referenced a recent article called “Open Source Needs To Have An Unfair Advantage to Succeed” written by the CEO of cloud start-up Eucalyptus, Marten Mickos. In it Mickos said that “for an open source company to become commercially successful, it needs to have an unfair advantage against its competition.” Mickos advocates for continued experimentation with OSS business models, including “open core,” as a strategy for continued innovation.

Another reason some are asking if “open source is over” is that by one metric, Google search volumes, some pretty important OSS projects appear to be declining. Stephen had data going back to 2004 showing that the search volume for each of the components of the LAMP stack has declined by more than 50% (refer to the Apache chart below). Gadzooks, is open source over?!!

[Chart: Google search volume for “apache”]

According to O’Grady, not only is open source not over, it hasn’t begun to scratch the surface of its potential. Search volume trends for the rising stars of open source – “android,” “linux cloud,” and “nosql” – have more than doubled in the last few years and are on a steady increase with no sign of slowing down. While Stephen didn’t say it explicitly, the reason for the decline in search volume of the LAMP components appears to be “maturity”: widespread awareness and adoption! People don’t need to search for “Microsoft;” they just know where to find it. And the same is becoming the case for LAMP components.

Stephen has a valuable perspective on open source directions and trends. In a recent blog posting entitled, “Frictionless Computing: What it Means for Infrastructure,” he argues that in addition to the increased availability of applications via marketplaces (Apple’s iTunes, Ubuntu’s Software Center, Android Market, etc.), the availability of code and data contribute significantly to frictionless (easier) computing. Black Duck contributes to the community and to making computing easier with our Koders.com code search website. It has over 3 billion lines of code and is used by tens of thousands of developers a day. There’s little doubt in our mind that Stephen is right: computing is getting easier, open source is not over, it’s just beginning. What do you think?


“Design In” Compliance

Categories: Open Source, Open Source Community

Peter Vescuso
Executive Vice President of Marketing and Business Development
pvescuso@blackducksoftware.com
It’s great to see a series of white papers from the Linux Foundation (LF) and Ibrahim Haddad on license compliance.

Too often people think talking about license compliance is unnecessary or, worse, fear-mongering. But it’s really about taking a pragmatic approach to ensuring that development with open source software is successful from the start by doing the right thing: honoring the intention of the original developers by respecting their license choices. It is a multi-source world where open source is integrated with internal code, commercial code and outsourced code, so license compliance is incredibly important. Nevertheless, ensuring compliance is not necessarily a developer’s expertise. At Black Duck we strive to make this as simple and transparent as possible by offering tools to automate compliance so it is “designed in” from the beginning. Making it easy for developers to do the right thing about compliance allows them to focus on their primary job of building apps and simplifies the task of meeting license obligations. We look forward to these papers as a way to educate, and salute the Linux Foundation for taking the initiative to set out the basics of compliance in a thoughtful, neutral and comprehensive way.


The Top 25 Most Dangerous Programming Errors

Categories: Open Source

Jim Berets
Vice President of Product Management
jberets@blackducksoftware.com
Definitively knowing what encryption is in use lowers security risk

On February 16, Version 2.0 of the CWE/SANS Top 25 Most Dangerous Programming Errors was released. The Top 25, developed collaboratively by more than 30 cybersecurity organizations, are the most widespread and critical errors that lead to serious software security vulnerabilities and attacks.

“Use of a Broken or Risky Cryptographic Algorithm” (CWE-327) made the list, coming in at #24. Many companies unwittingly and unnecessarily expose themselves to this risk, which could result in the disclosure of sensitive information.

To avoid such a risk, the CWE/SANS report authors recommend the following:
• “Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations.”
• “Periodically ensure that you aren’t using obsolete cryptography.”
• “Automated methods may be useful for recognizing commonly-used [cryptography] libraries or features that have become obsolete.”

For those of you familiar with us, one of the key capabilities in Black Duck Export is scanning for and detecting cryptography in code. While one use of Export is ensuring compliance with government export controls surrounding encryption, a key part of this is to detect which crypto is in use. Using our technology, Black Duck conducted a study of its own revealing encryption algorithms widely embedded in open source software.
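The third CWE/SANS recommendation above, automated recognition of obsolete cryptography, can be illustrated with a small source scanner. The Python below is an added example written for this post; it is not Black Duck Export, nor any Black Duck code, and the pattern list and the sample source file it scans are constructed for illustration (a real audit would work from a maintained policy of approved and deprecated algorithms rather than this short list).

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed, illustrative list of algorithms and modes that are widely
# considered obsolete or risky. Patterns are word-bounded to avoid matching
# unrelated identifiers (e.g. "AES" or "sha256"). "(?:\b|_)ECB" also catches
# constants such as MODE_ECB, where "_" is a word character for \b.
WEAK_CRYPTO_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "MD5": re.compile(r"\bmd5\b", re.IGNORECASE),
    "SHA-1": re.compile(r"\bsha-?1\b", re.IGNORECASE),
    "DES": re.compile(r"\b(?:DES|DES3|3DES|TripleDES)\b"),
    "RC4": re.compile(r"\b(?:rc4|arcfour)\b", re.IGNORECASE),
    "ECB mode": re.compile(r"(?:\b|_)ECB\b"),
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    algorithm: str
    text: str


def scan_source(source: str) -> List[Finding]:
    """Return one Finding per (line, weak algorithm) pair found in the source.

    Trailing '#' comments are dropped before matching (naive, assumes
    Python-style comments) so that a comment explaining why MD5 was removed
    does not itself raise a finding.
    """
    findings: List[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        code = line.split("#", 1)[0]
        for label, pattern in WEAK_CRYPTO_PATTERNS.items():
            if pattern.search(code):
                findings.append(Finding(line_no, label, line.strip()))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per algorithm, for a quick inventory of what is in use."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding.algorithm] = counts.get(finding.algorithm, 0) + 1
    return counts


# Constructed sample file: mixes legacy (MD5, DES in ECB mode) with
# modern (AES-GCM, SHA-256) usage so the scanner has both to sort out.
SAMPLE_SOURCE = """\
import hashlib
from Crypto.Cipher import AES, DES

def legacy_token(user):
    # Legacy: MD5 is collision-prone and must not be used for signatures
    return hashlib.md5(user.encode()).hexdigest()

def encrypt_legacy(key, data):
    cipher = DES.new(key, DES.MODE_ECB)
    return cipher.encrypt(data)

def encrypt_modern(key, nonce, data):
    cipher = AES.new(key, AES.MODE_GCM, nonce=nonce)
    return cipher.encrypt(data)

def digest(data):
    return hashlib.sha256(data).hexdigest()
"""


if __name__ == "__main__":
    results = scan_source(SAMPLE_SOURCE)
    for f in results:
        print(f"line {f.line_no:3d}  {f.algorithm:9s}  {f.text}")
    print("summary:", summarize(results))
```

Run against the constructed sample, the scanner reports DES on the import line, MD5 in `legacy_token`, and both DES and ECB mode on the `DES.new(...)` line, while the AES-GCM and SHA-256 code produces no findings. The inventory that `summarize` returns is the kind of “which crypto is actually in use” answer the recommendation calls for; it is a starting point for review, not a verdict, since a matched name still has to be checked for how it is used.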

The CWE/SANS recommendations do work. On multiple occasions we have heard from Black Duck customers who have discovered, to their surprise, that the encryption algorithms they were actually using were much weaker than they intended.

According to the Ponemon Institute’s most recent U.S. Cost of a Data Breach Study, the cost of data breach incidents to U.S. companies is on the rise. The average total per-incident costs in 2009 were $6.75 million, compared to an average per-incident cost of $6.65 million in 2008.

That is another good reason to make sure you know your code, so that your software development teams and your organization can have the peace of mind to focus on your top business objectives.


Free Loans at 0% Interest

Categories: Open Source

Eran Strod
Director of Product Marketing
estrod@blackducksoftware.com
In a recent Black Duck survey, we found that companies doing software development are using significant amounts of open source software; about 22% of code was identified as originating from an OSS project.

The cost savings from strategic use of open source can free up precious software development resources and compress project schedules. To calculate how much, see the Black Duck ROI calculator.

Many developers and managers have anonymously used this calculator to help with the decision of whether to reuse existing software or write a software component from scratch. The calculator allows one to enter assumptions for different factors that affect this decision. For example, the average value input for the cost of a software developer was $79,000. This value varies by company and region. When companies compute the cost of a developer, they start with salary but add in other costs as well: benefits, overhead such as utilities and administration, and expenses such as dev tools and hardware. These costs typically add a significant uplift on top of salary. When the Linux Foundation published an estimate of the cost of developing Linux, they called this uplift the “wrap rate” and fixed it at 2.4 times salary. This figure originated from a well-known study by David Wheeler. With that in mind, the figure of $79,000 either represents salary only or reflects a lower-cost region of the world rather than the major business centers in Europe and North America.

Additionally, people input 16,000 as the average number of finished lines of code produced by a developer in a year. This number is quite different from what we would have expected. When you include architecture, design, debugging, QA, compliance and administration, the number of fully tested, vetted lines of code tends to be much less. The Software Engineering Institute at Carnegie Mellon estimated this value at about 20 lines of code per day (~4,440 per year). Developers may not have been considering these other costs when using the calculator, so the 16,000 figure probably reflects just the creation of new code.

With these caveats in mind we can start to look at the compelling economics of using open source. The average application size input was 363K lines of code. At the average level of salary and developer productivity noted above, it requires 22 developer-years or $1.8M USD to create a 363-thousand-line application from scratch.


Copyright 2009 Black Duck Software