Continuing the theme from the previous post, here are some non-price based reasons why a user might prefer open source:
Ability to audit quality and security
Earlier in my career I was a developer of a popular industrial automation software product. A customer, Royal Dutch Shell, used the product to control refineries, chemical plants, and pipelines. As a custom negotiated term of purchase, they had the right to audit source code and development processes. They conducted periodic unannounced visits by auditors. Audits would involve examination of source code, QA, and release engineering records, along with interviews of personnel.
In certain high-risk businesses, audits are viewed as critical. Why? Look at something like the BP Deepwater Horizon oil spill of 2010. As of 2013, settlements and trust fund payments by BP had cost the company $42.2B.
In some industries, liability risks can be enormous. Even if a supplier, such as a software vendor, is guilty of irresponsible behavior, a higher entity with “deep pockets” will end up as the backstop for liability.
Sure, vendors routinely profess “commitments to quality”, but history is littered with examples of companies that cut corners where they think it won’t be seen. Open source turns on the lights, to reduce the places where cockroaches can breed undetected. Royal Dutch Shell’s behavior is an example of a consumer that elects to “trust but verify”. [1]
Don’t assume that the billion dollar liability club is confined to oil companies. It is easy to imagine multi-billion dollar costs associated with software failures in financial or even media companies. Witness the yet-to-be-determined costs associated with the Sony data breach.
Open source has an inherent transparency that makes verification and audit easier. For some users, this attribute can be a stronger factor than price in choosing open source.
The Snowden classified document releases focused media attention on efforts by nation states to inject “back doors” into commercial software. [2] Whether these back doors are common or not, the fear alone has led to distrust of software supplied across political borders.
If EMC is ever to be successful at selling software based products in China, or Huawei in the United States, open source might be the only way it will ever happen. [3]
[1] Yes, as in this example, if you are a big customer, you might be able to negotiate audit rights in proprietary software. Open source avoids this added friction in the acquisition process. Also, in theory, open source draws review from many eyes, not just your own. The OpenSSL track record points out that the number of users that actually invest in auditing open source projects is likely small. Open source gives you the right, and ability, to audit, but you should never assume that others are performing an audit on your behalf.
[2] Link: NSA back doors in routers.
[3] For hardware based products this probably requires open source to go all the way down into firmware, held on verifiable SD memory cards, along with locally based assembly and component sourcing.