<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/rss2full.xsl" type="text/xsl" media="screen"?><?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/itemcontent.css" type="text/css" media="screen"?><rss xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
   <channel>
      <title>Open Source Software Up the Stack</title>
      <link>http://www.ebizq.net/blogs/open_source/</link>
      <description>Dennis Byron’s blog on open source software: A longtime market research analyst follows what “the movement” means to business integration—in applications, infrastructure, as services, as architecture and as functionality.</description>
      <language>en</language>
      <copyright>Copyright 2008</copyright>
      <lastBuildDate>Tue, 22 Jul 2008 06:29:37 -0500</lastBuildDate>
      <generator>http://www.sixapart.com/movabletype/?v=3.2</generator>
      <docs>http://blogs.law.harvard.edu/tech/rss</docs> 

            <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/OpenSourceSoftwareInIntegration" type="application/rss+xml" /><feedburner:browserFriendly></feedburner:browserFriendly><item>
         <title>How does the open source LAMP stack stack up to Fortify’s methodology?</title>
         <description><![CDATA[<p>Fortify Software has a good PR agency.  Just as the open source software (OSS) community gathers for OSCON the week of July 21 and LinuxWorld on August 4, the security-software-and-services company has <a href="http://www.fortify.com/news-events/releases/2008/2008-07-21.jsp"target="_blank">released a damning report </a>on OSS security. It’s a slow news period so all the online (and I assume printed) publications lead with the news.  The firestorm on the blogosphere is predictable.  Every story and posting mentions Fortify.  As I said, Fortify has a good PR agency.</p>

<p>It’s hard to argue against the methods that Fortify recommends open source communities adopt. Patrick Lightbody explained some similar solutions in his article <a href="http://www.ebizq.net/hot_topics/open_source/features/8431.html" target="_blank">here on ebizQ</a> in September 2007.  We will talk about them as well in our August 20, 2008 <a href="http://www.ebizq.net/webinars/9788.html" target="_blank">OSS Roundtable</a>, with Jim Zemlin of the Linux Foundation, Ross Altman of Sun, and Dominic Sartorio of the Open Solutions Alliance.</p>

<p>But the survey paints OSS with an awfully broad brush based on a few projects out of tens of thousands. Thinking of Jim, Ross and Dominic led me to ask myself (and Fortify—answer to follow if provided) why the projects tested were picked and why some of the more popular projects—embodied in the term, the LAMP stack—were not. The Fortify document says the reason is that the projects selected were implemented in Java and Java is the most popular enterprise-level development language. </p>

<p>So maybe this is really a study about Java security issues.  But JavaOne happened in June.  Like I said, Fortify has a good PR agency.  <br />
</p>]]></description>
         <link>http://www.ebizq.net/blogs/open_source/2008/07/hows_the_open_source_lamp_stac.php</link>
         <guid>http://www.ebizq.net/blogs/open_source/2008/07/hows_the_open_source_lamp_stac.php</guid>
         <category>OSS Development</category>
         <pubDate>Tue, 22 Jul 2008 06:29:37 -0500</pubDate>
      </item>
            <item>
         <title>Podcast: Talking to... Bob Bickel of Ringside</title>
         <description><![CDATA[<p><object type="application/x-shockwave-flash" height="28" width="300" data="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/ByronRingside.mp3"><br />
<param value="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/ByronRingside.mp3" name="movie" /></object><br />
<a href="http://www.ebizq.net/blogs/news_security/ByronRingside.mp3">Download file</a></p>

<p>On June 13, I <a href="http://www.ebizq.net/blogs/open_source/2008/06/open_source_in_and_at_enterpri.php"target="_blank">posted on the panel at the Enterprise 2.0</a> conference that talked about the influence of open source software on social computing and all the other aspects of Web 2.0 that are permeating the enterprise.  One of the panelists at that conference was Bob Bickel and we are happy to welcome him today to tell us about the trend of open source in Enterprise 2.0 and his new company Ringside Networks.</p>

<p>Bob is one of the co-founders of Ringside Networks and sits on the Board. He helps with setting company strategy, sharing the vision of the future of social networking with others and getting market feedback to help set the proper direction for the company. </p>

<p>He was an important part of the technology and business strategy and implementation at Bluestone Software, later acquired by HP, and JBoss, later acquired by Red Hat. Bob has helped advise a number of small technology companies and currently sits on the Boards of Hyperic and Metaverse. </p>

<p>Bob's blog can be found at: <a href="http://bobbickel.blogspot.com/"target="_blank">http://bobbickel.blogspot.com/</a></p>]]></description>
         <link>http://www.ebizq.net/blogs/open_source/2008/07/podcast_talking_to_bob_bickel.php</link>
         <guid>http://www.ebizq.net/blogs/open_source/2008/07/podcast_talking_to_bob_bickel.php</guid>
         <category>Podcast</category>
         <pubDate>Wed, 09 Jul 2008 05:19:35 -0500</pubDate>
      </item>
            <item>
         <title>Open source into the cloud at the Red Hat Summit</title>
         <description><![CDATA[<p><object type="application/x-shockwave-flash" height="28" width="300" data="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/DennisRedhat.mp3"><br />
<param value="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/DennisRedhat.mp3" name="movie" /></object><br />
<a href="http://www.ebizq.net/blogs/news_security/DennisRedhat.mp3">Download file</a></p>

<p>As of this week’s Red Hat Summit, Red Hat is all over this cloud computing/SaaS trend. And the attached podcast gives you a quick overview.  More details will follow over the coming weeks.<br />
 <br />
Red Hat announced the beta availability of its JBoss Enterprise Application Platform as a solution within the Amazon Elastic Compute Cloud (Amazon EC2). </p>

<p>It also released all kinds of technology to help users build their own cloud including <a href="http://www.ebizq.net/blogs/open_source/2007/12/red_hat_open_source_software_t_1.php" target="_blank">MRG high-performance messaging features</a> we wrote about back in late 2007.  This is a Red Hat implementation of the Advanced Message Queuing Protocol with a lot of other bells and whistles.</p>

<p>Red Hat released Systems Management features and Virtual Infrastructure Management. The core systems management additions involve Red Hat open sourcing its own Satellite code base into a project called Spacewalk.  So now Spacewalk is to systems management as Fedora is to operating software as JBoss is to middleware. Multi-system management is critical for production deployment of virtualized systems. </p>

<p>There is the new Red Hat Security Infrastructure.  Which leads to a fourth cloud-computing related initiative. Red Hat has announced the www.freeIPA.org project to advance and deliver integrated security technologies such that virtualization can be used ubiquitously across the enterprise. In a related move, it has acquired the company called Identyx.  Its technology lets a Red Hat server get a unified view of systems resources including Windows Active Directory resources.</p>

<p>Of course, Red Hat is not only talking about cloud computing.  Users can simply virtualize their data centers as part of refresh or simply run their data centers the old fashioned way.  For those that “only want to virtualize,” Red Hat is now offering an Embedded Linux Hypervisor — a lightweight, embeddable hypervisor for hosting virtualized Red Hat Enterprise Linux and Windows environments. </p>]]></description>
         <link>http://www.ebizq.net/blogs/open_source/2008/06/open_source_into_the_cloud_at_1.php</link>
         <guid>http://www.ebizq.net/blogs/open_source/2008/06/open_source_into_the_cloud_at_1.php</guid>
         <category>Podcast</category>
         <pubDate>Fri, 20 Jun 2008 13:03:04 -0500</pubDate>
      </item>
            <item>
         <title>Open source, including open source Sharepoint tool, in/at Enterprise 2.0</title>
         <description><![CDATA[<p>I used an open-source-software (OSS)-related session at <a href="http://www.enterprise2conf.com/"target="_blank">Enterprise 2.0 in Boston</a> this week to put some faces to names and voices that have appeared here on ebizQ via telephone-conducted podcasts and/or interviews. The Boston-based <a href="http://www.ebizq.net/blogs/open_source/2007/10/oss_podcast_104_marc_osofsky_o.php"target="_blank">Optaros</a> OSS consulting firm moderated a panel consisting of <a href="http://www.ebizq.net/blogs/open_source/2008/04/drupal_open_source_cms_goes_co.php"target="_blank">Jeff Whatcott</a> of Acquia, Bob Bickel of Ringside and <a href="http://www.ebizq.net/hot_topics/open_source/features/8393.html"target="_blank">John Newton</a> of Alfresco (Bickel is scheduled for an upcoming ebizQ podcast in his new role as founder of Ringside but he appeared here often in an earlier role as JBoss marketing VP before Red Hat bought JBoss). </p>

<p>It was a good panel covering many of the points made in the links noted above. One of the most revealing discussions that came out of the Q&A with attendees was new however. The problem is that many IT and executive managers at companies will not allow code developed in-house with open source to be released to the community. Under all open source terms and conditions (Ts&Cs) of which I am aware, there is no requirement to make such code available; the key relevant condition is that if you do distribute it, you have to distribute the source. </p>

<p>I interpreted the panel’s response to the attendees as follows: you have to convince your management that most code is a commodity.  Everyone is reinventing the wheel, especially companies within industries.  As John Eckman of Optaros expressed it, “(Going open source) is collaborative engineering vs. isolated engineering.” Tell the boss: if it’s not demonstrably something of competitive advantage, let it go. Apparently, men of my seniority (in all senses of the word—see my photo) are a big part of the problem.  One panelist said essentially “be patient; they’ll soon all retire.”</p>

<p>Speaking of putting software into the open source community, Microsoft did just that at the show.  It released a <a href="http://www.microsoft.com/presspass/press/2008/jun08/06-09PlatformOfChoicePR.mspx" target="_blank">new Sharepoint-based podcast tool </a>under the Open Source Initiative-approved MS-Public License.  Called the PKS, the tool lets users create, manage and distribute podcasts and is built on the SharePoint Server and Microsoft Silverlight (which of course are not open sourced from a Ts&Cs perspective although they have large and very active communities).<br />
</p>]]></description>
         <link>http://www.ebizq.net/blogs/open_source/2008/06/open_source_in_and_at_enterpri.php</link>
         <guid>http://www.ebizq.net/blogs/open_source/2008/06/open_source_in_and_at_enterpri.php</guid>
         <category>OSS Development</category>
         <pubDate>Fri, 13 Jun 2008 07:27:46 -0500</pubDate>
      </item>
            <item>
         <title>Podcast: Talking to... Adam Lieber of Webtide, open source Jetty middleware community</title>
         <description><![CDATA[<p><object type="application/x-shockwave-flash" height="28" width="300" data="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/DennisWebTide.mp3"><br />
<param value="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/DennisWebTide.mp3" name="movie" /></object><br />
<a href="http://www.ebizq.net/blogs/news_security/DennisWebTide.mp3">Download file</a></p>

<p>For this podcast we are joined by Adam Lieber, CEO of <a href="http://www.Webtide.com"target="_blank">Webtide.</a> Webtide is one of the companies we talked about when we met with Winston Damarillo, wearer of many open source software (OSS) hats, for a <a href="http://www.ebizq.net/blogs/open_source/2008/02/oss_podcast_february_19_2008_t_1.php"target="_blank">podcast back in February</a>.  </p>

<p>Talking with Adam will let us dig deeper into some of the issues in the open source middleware market. For example, Webtide reports that the latest server analysis figures from Netcraft show that the popularity of the Jetty web server continues to grow. Webtide is the services company behind the Jetty project on Codehaus. </p>

<p>And back in May Webtide also announced that it has brought that Java web server to the Morph Application Platform.  </p>

<p>Prior to joining Webtide, Adam was a co-founder of Gluecode Software along with Winston. Adam served as Gluecode's representative on OASIS. After Gluecode's acquisition by IBM in May 2005, Adam ran worldwide sales for open source middleware for IBM before joining Webtide in June 2007. Prior to Gluecode, Adam was at the IT-focused venture capital fund Mission Ventures.<br />
</p>]]></description>
         <link>http://www.ebizq.net/blogs/open_source/2008/06/podcast_talking_to_adam_lieber.php</link>
         <guid>http://www.ebizq.net/blogs/open_source/2008/06/podcast_talking_to_adam_lieber.php</guid>
         <category>Podcast</category>
         <pubDate>Wed, 11 Jun 2008 15:41:00 -0500</pubDate>
      </item>
            <item>
         <title>Podcast: Talking to... Amit Pandey of Terracotta</title>
         <description><![CDATA[<p><object type="application/x-shockwave-flash" height="28" width="300" data="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/DennisTerraCotta.mp3"><br />
<param value="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/DennisTerraCotta.mp3" name="movie" /></object><br />
<a href="http://www.ebizq.net/blogs/news_security/DennisTerraCotta.mp3">Download file</a></p>

<p>For this podcast we are joined by Amit Pandey, CEO of Terracotta. It has an interesting new way of looking at middleware because Terracotta's idea is to move clustering and caching services to the JVM instead of the application. Think of it as virtualized middleware. </p>

<p>Terracotta is also an example of a company that adopted the open source development model after it was formed. Amit is going to talk to us about that change to open source software (OSS) as well as his just released new version.</p>

<p>Prior to joining Terracotta, Amit was vice president and general manager of the Data Management Business Unit at Network Appliance. Earlier, Pandey was vice president and general manager of Network Appliance's Content Delivery Business Unit. Before Network Appliance, he served as a senior manager for McKinsey & Company, focusing on technology strategy and operations effectiveness with Fortune 500 companies.<br />
</p>]]></description>
         <link>http://www.ebizq.net/blogs/open_source/2008/06/june_6_podcast_talking_to_amit_1.php</link>
         <guid>http://www.ebizq.net/blogs/open_source/2008/06/june_6_podcast_talking_to_amit_1.php</guid>
         <category>Podcast</category>
         <pubDate>Thu, 05 Jun 2008 12:36:57 -0500</pubDate>
      </item>
            <item>
         <title>Let's hear more from the open source demand side</title>
         <description><![CDATA[<p>There’s a bit of a buzz on the web the week of June 2 about a group of open source software (OSS) marketing and management executives (the "experts") conducting a blogathon at <a href="http://advice.cio.com/blogs/executives_online" target="_blank">cio.com.</a> I have a little problem with the inherent biases of the panel but don't think you should ignore the possibilities.</p>

<p>Here is a notice I received from one of the executives' PR agents (or perhaps it’s from cio.com’s agent):</p>

<blockquote>“The CIO.com Open Source Blogathon is a week long executive event that addresses key questions in the adoption of open source software. Each day executives will blog in response to one key topic area and your participation is welcomed. Here is a chance to twist the ear of some of your favorite open source executives ...</blockquote>
  

<p>There will be a different topic each day. It seems to work like this: a cio.com editor posts on the day’s subject and the experts comment on it. <strong>And so can you.</strong> </p>

<p>It’s really an amalgamation/syndication service since I believe all of the participants blog at their own sites individually. Some of the companies represented include WaveMaker, SpringSource, IBM, SugarCRM, Funambol, MySQL/Sun, Enterprise DB, JasperSoft, Novell, Navica, SourceFire, and Nessus. Other participants will include Dominic Sartorio, President, Open Solutions Alliance, John Ferriolo, Chair, OpenAjax Alliance, Matt Aslett, OpenSource Analyst & Blogger, 451 Group, and Michael Cote, OpenSource Analyst, Redmonk.</p>

<p>FYI: Dominic will be a panelist at the ebizQ <a href="http://www.ebizq.net/events/calendar/"target="_blank">Open Source Software roundtable</a> on August 20.</p>

<p>My caveat to readers about this promotion is that you need to know each expert’s corporate biases. With the exception of Michael Cote, Matt Aslett and to a lesser degree Dominic and John Ferriolo, all have fiduciary corporate responsibilities that may very well conflict with what you need to know on the day’s subject.</p>

<p>In my opinion, given its magazine title, cio.com should have had CIOs doing the blogging. I find the quote by Aaron Groves—a CIO type at Citigroup—speaking at April’s <a href="http://www.ebizq.net/blogs/open_source/2008/04/just_plain_wrong_no_open_sourc.php"target="_blank">Linux/OSS on Wall St. Conference</a> most revealing. He said his group doesn't use software that is not commercially supported. Whether it is open source or not is not even a question Citigroup asks. Hearing more about such dynamics of the open source movement from the demand side rather than the supply side would be more useful.</p>]]></description>
         <link>http://www.ebizq.net/blogs/open_source/2008/06/lets_hear_more_from_the_open_s.php</link>
         <guid>http://www.ebizq.net/blogs/open_source/2008/06/lets_hear_more_from_the_open_s.php</guid>
         <category>OSS Business Issue</category>
         <pubDate>Mon, 02 Jun 2008 18:33:25 -0500</pubDate>
      </item>
            <item>
         <title>May 29 Podcast: Talking to Andrew Aitken of the Open Source Think Tank</title>
         <description><![CDATA[<p><object type="application/x-shockwave-flash" height="28" width="300" data="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/DennisAllianceGroup.mp3"><br />
<param value="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/DennisAllianceGroup.mp3" name="movie" /></object><br />
<a href="http://www.ebizq.net/blogs/news_security/DennisAllianceGroup.mp3">Download file</a></p>

<p>Recently we <a href="http://www.ebizq.net/blogs/open_source/2008/04/oss_april_8_podcasttalking_to_1.php" target="_blank">podcast with Mark Radcliffe </a>of DLA Piper and Mark suggested we catch up with Andrew Aitken, Managing Partner of the Olliance Group. The connection is that DLA Piper and Olliance co-sponsor what has become an annual gala for movers and shakers in the open source software (OSS) community called the <a href="http://thinktank.olliancegroup.com/" target="_blank">Open Source Think Tank.</a> This year more than 120 CEOs, CIO/CTOs, VCs, attorneys and representatives of Fortune 100 companies met in February to discuss the state-of-the-industry of commercial open source. They also brainstormed individual-company and collective issues affecting the development and deployment of commercial open source. </p>

<p>In our podcast, Andrew discusses some of the most important findings with us.  A report is available at the Think Tank's web site and I believe podcasts are planned. Mark Radcliffe (see our podcast with Mark noted above) also has a section in the Think Tank summary report on legal issues.</p>

<p>Andrew has over 18 years senior management experience building and leading national professional services companies. Prior to founding Olliance in 2001, Andrew held positions as VP of Business Development, Corporate Strategy, and Marketing, with technology services providers such as Renaissance Worldwide and eWork. </p>

<p>He has chaired and spoken internationally at multiple industry and government conferences, is a member of the Open Source Software Institute's Board of Directors, SDForum's Board of Directors and Chair of their annual Open Source Conference, and is on the Board of Advisors of SugarCRM, Funambol and Krugle. He has also personally worked with companies such as: IBM, Sun, Intel, Nokia, HP, and others, assisting them with developing their open source strategies. </p>]]></description>
         <link>http://www.ebizq.net/blogs/open_source/2008/05/may_29_podcast_talking_to_andr.php</link>
         <guid>http://www.ebizq.net/blogs/open_source/2008/05/may_29_podcast_talking_to_andr.php</guid>
         <category>Podcast</category>
         <pubDate>Thu, 29 May 2008 06:33:51 -0500</pubDate>
      </item>
            <item>
         <title>Calling all master data management software suppliers</title>
         <description><![CDATA[<p>Attention all open source software (OSS) projects and organizations: I am researching the next in a series of OSS-related research articles for ebizQ. </p>

<p>This month we are looking for open-source software and projects specific to master data management (MDM). I think of it as middleware but you might think of it as an application.  Let me know what you think either way.</p>

<p>The article is tentatively scheduled for release in July 2008. It will be similar to recent ebizQ reports on open source <a href="http://www.ebizq.net/hot_topics/open_source/features/9525.html"target="_blank">event processing </a>software and <a href="http://www.ebizq.net/hot_topics/open_source/features/9334.html"target="_blank">industry-specific OSS</a> (ebizQ Gold Club membership required but there is no charge to join). Your company’s or project's product(s) may be mentioned based on my secondary research but if you would like to formally participate, please download and return the attached 1-page survey form by Friday June 20, 2008 to dennis@ebizq.net. </p>

<p><a href="http://www.ebizq.net/blogs/open_source/ebizmdmquestionairre.doc">Download file</a></p>

<p>If you do not offer such software but have a partner that uses your OSS product to develop an MDM capability, pass this on (and let me know your partner’s company or project name).  The partner can be a systems integrator or other type of services provider.  OSS service providers, let me know what you are doing as well although the survey form might not be appropriate. Just describe your activity in an email to dennis@ebizQ.net. Open source software delivered as a service (SaaS) will also be covered.</p>

<p>Note that as the survey indicates, software products will be covered in the report if they use OSS (e.g., bundle in an OSS application server product such as JBoss) even if they are not “sold” as OSS themselves and no matter how they are monetized. </p>]]></description>
         <link>http://www.ebizq.net/blogs/open_source/2008/05/calling_all_master_data_manage.php</link>
         <guid>http://www.ebizq.net/blogs/open_source/2008/05/calling_all_master_data_manage.php</guid>
         <category>OSS Development</category>
         <pubDate>Thu, 29 May 2008 06:22:42 -0500</pubDate>
      </item>
            <item>
         <title>OLPC illustrates open choice more important than open source</title>
         <description><![CDATA[<p>I try to write something at least once a week relative to open source software (OSS).  But I’m not finding anything interesting, thought-provoking, comment-causing, or sticky (which has something to do with how many of you read this post) this week.  </p>

<p>Maybe this says more than all my <a href="http://www.ebizq.net/hot_topics/open_source/features/8842.html"target="_blank">“2007 statistics”</a> about the maturity of the OSS movement.  Or maybe it’s because Europe is just finishing up a bunch of long weekends and the U.S. is coming up on one.</p>

<p>Whichever, when in doubt, return to first principles, which for me is the concept of open choice being more important than open source.  I can philosophize about the difference between the two philosophies again or simply point you to the latest statements of One Laptop Per Child (OLPC) founder Nicholas Negroponte. In announcing that governments will now have their choice between Windows and Linux on the low-cost, low power laptops designed for educational purposes in third world countries, he said it is really about the kids, not the development community.  This caused a few anti-open-choice developers of the OLPC educational platform called Sugar (not to be confused with the open source CRM product) to leave the project.  But that’s a demonstration of choice as well.</p>

<p>Also, when in doubt about what to write about, look around for a subject you’ve written accurately about before so you can say <a href="http://www.ebizq.net/blogs/open_source/2008/02/olpc_says_we_want_kids_connect_1.php"target="_blank">“I told you so.”</a> Avoid the 100-something posts where you were clueless.</p>

<p>If anyone else has a nominee for a more important open source subject during the week of May 12-19, drop me an email or post a comment.<br />
</p>]]></description>
         <link>http://www.ebizq.net/blogs/open_source/2008/05/olpc_illustrates_open_choice_m_1.php</link>
         <guid>http://www.ebizq.net/blogs/open_source/2008/05/olpc_illustrates_open_choice_m_1.php</guid>
         <category>OSS Culture</category>
         <pubDate>Mon, 19 May 2008 16:34:30 -0500</pubDate>
      </item>
            <item>
         <title>What big thinkers are thinking about open source terms and conditions</title>
         <description><![CDATA[<p>Bill Gates was widely quoted (and dissed of course) late in April 2008 for <a href="http://blog.wired.com/wiredscience/2008/04/bill-gates-what.html"target="_blank">saying something about open source</a> vs. free software and the GNU General Public License (GPL). The quote of what he supposedly said makes him look so ignorant of the open source software (OSS) movement that I wondered if he was misquoted or if he purposely mixed up the terms free software and open source to take a parting shot at the Free Software Foundation as he moves on to save the world in his retirement. <br />
 <br />
Around the same time, the NY Times Freakonomics bloggers posted on what <a href="http://freakonomics.blogs.nytimes.com/2008/04/25/how-can-we-measure-innovation-a-freakonomics-quorum/" target="_blank">leading thinkers think about innovation. </a>I guess they didn't include Bill Gates in the great thinkers hall of fame. But John Seely Brown (of Palo Alto Research Center fame with other similar laurels) said he feels there are four types of innovation:  incremental, architectural, disruptive, and institutional. Of the four he felt institutional is often the most important though least creative and said of open source:<br />
<blockquote>"For example, consider the impact that open source software license B.S.D. used for Linux is having, or the copyleft (institution) used by Wikipedia, or the creative commons licensing regimes, or.." </blockquote></p>

<p>My first thought about his mixing up Linux and BSD and copyleft was that maybe if Brown doesn't understand OSS terms and conditions, maybe Gates doesn't either.  Maybe Gates' quote was truly one of ignorance.  My second thought was that rather than comment on the article, I'd ask Brown if he meant to get that detailed.  The clarity of great thinkers is that they don't get down in minutiae the way analysts like me do, not seeing the forest for the trees, etc. etc.</p>

<p>His answer to my email about whether he was misquoted or whether he was trying to draw some piercing copyleft/copyright distinction was insightful and to the point:<br />
<blockquote>"I happen to believe each serious Open source project tends to have its own constitution/institutional form – sometimes even called a constitution – but in any case each is a miniature institutional innovation.. but on top of that, that CC, BSD, GPL are good examples of institutional innovations. Yes as you well know they are all different with subtle and not so subtle differences.  I wasn’t arguing for any one form.. I was simply taking my hat off to the folks that crafted each of these and wanted to call them out as innovations in their own right with the belief that these will shape our future as much as any purely technological innovation.. "</blockquote></p>

<p>We already know what the open source community thinks about Gates' point of view.  Let us know what you think of John Seely Brown's?</p>

<p>As for Gates' quote, definitely one last zinger!</p>]]></description>
         <link>http://www.ebizq.net/blogs/open_source/2008/05/what_big_thinkers_are_thinking_1.php</link>
         <guid>http://www.ebizq.net/blogs/open_source/2008/05/what_big_thinkers_are_thinking_1.php</guid>
         <category>OSS Culture</category>
         <pubDate>Fri, 09 May 2008 06:54:14 -0500</pubDate>
      </item>
            <item>
         <title>OSS May 5 Podcast: Talking to... Amanda McPherson of Linux Foundation</title>
         <description><![CDATA[<p><object type="application/x-shockwave-flash" height="28" width="300" data="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/DennisAmanda.mp3"><br />
<param value="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/DennisAmanda.mp3" name="movie" /></object><br />
<a href="http://www.ebizq.net/blogs/news_security/DennisAmanda.mp3">Download file</a></p>

<p>Many times in the last year I have written about the Linux Foundation (LF) and last summer we caught up with <a href="http://www.ebizq.net/hot_topics/open_source/features/8305.html"target="_blank">Jim Zemlin, LF's executive director</a>.  In a wide ranging discussion at the time, Jim made the point that the open source software (OSS) movement has almost eliminated a big risk for independent software vendor (ISV) startups in the last few years: losing control of the code underlying whatever the ISV makes. He said he could not think of any Web 2.0 firm that wasn't safely on some OSS stack and therefore working with very low risk of losing the right to use its underlying software. Of course, OSS also lets the ISVs start with a very low cost of entry. Jim also mentioned that he had previously worked at the application service provider, Corio.</p>

<p>Application service provider 10 years ago meant roughly what software as a service (SaaS) means today. Jim's comments about ISVs made me think that he's probably on to one of the major aspects of OSS that we tend to forget. Open source software is also a major enabler of SaaS. As the application world goes SaaS, the eventual users have no strong opinion about the underlying infrastructure as long as service level agreements are met. This is a great boon to OSS suppliers because quality code will rise to the top, unrestrained by massive consumer marketing budgets and other marketing devices that often inhibit product acceptance.</p>

<p>This year we invited Amanda McPherson, the LF’s director of marketing and a <a href="http://www.linux-foundation.org/weblogs/amanda/" target="_blank">popular open source blogger</a>, to pick up where Jim left off. Her feelings on the SaaS movement and other aspects of the Linux ecosystem are included in this podcast.</p>

<p>By the way, for the record, the LF is a nonprofit dedicated to accelerating the growth of Linux. It is funded by Google, H-P, IBM, Novell, Red Hat, Intel and others and was formed in January 2007 by a merger of the Open Source Development Labs and the Free Standards Group (not to be confused with the Free Software Foundation). </p>

]]></description>
         <link>http://www.ebizq.net/blogs/open_source/2008/05/oss_may_5_podcast_talking_to_a.php</link>
         <guid>http://www.ebizq.net/blogs/open_source/2008/05/oss_may_5_podcast_talking_to_a.php</guid>
         <category>Podcast</category>
         <pubDate>Wed, 07 May 2008 06:25:51 -0500</pubDate>
      </item>
            <item>
         <title>Open source developers: Are you "just scratching an itch?"</title>
         <description><![CDATA[<p>I ran across this very thorough and <a href="http://www.productbeautiful.com/2008/05/02/why-product-management-is-open-sources-fatal-flaw/" target="_blank">thought-leadership blog post</a> recently by Paul Young, director of Product Management at Netstreams.  Like me, he apparently is not directly part of the open source software (OSS) movement but analyzes its dynamics from his career perspective. </p>

<p>His perspective is product management, mine is marketing.  His findings are similar to opinions I have posted on the need for open source developers to use <a href="http://www.ebizq.net/blogs/open_source/2008/01/how_come_open_source_software.php" target="_blank">marketing</a> and <a href="http://www.ebizq.net/blogs/open_source/2008/04/desktop_open_source_advocates.php" target="_blank">market research</a> techniques IF they want to provide software that will be adopted in the marketplace.</p>

<p>The IF is the key word.  IF you just want to "scratch an itch," as Paul describes the issues currently ongoing in the Pidgin OSS community, that's OK too.  Just let the rest of us know which it is.</p>

<p>But IF you want to "take it to market," whatever that means to you, you not only need the kind of marketing and market research I describe but the related product management Paul describes.  And if you expect venture funding, the VCs will insist on it.</p>]]></description>
         <link>http://www.ebizq.net/blogs/open_source/2008/05/open_source_developers_are_you_1.php</link>
         <guid>http://www.ebizq.net/blogs/open_source/2008/05/open_source_developers_are_you_1.php</guid>
         <category>OSS Culture</category>
         <pubDate>Fri, 02 May 2008 07:48:58 -0500</pubDate>
      </item>
            <item>
         <title>OSS April 24 Podcast: Talking to Thomas Stocking of Groundwork</title>
         <description><![CDATA[<p><object type="application/x-shockwave-flash" height="28" width="300" data="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/DennisGroundwork.mp3"><br />
<param value="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/DennisGroundwork.mp3" name="movie" /></object><br />
<a href="http://www.ebizq.net/blogs/news_security/DennisGroundwork.mp3">Download file</a></p>

<p>In a <a href="http://www.ebizq.net/hot_topics/open_source/features/9178.html" target="_blank">March 2008 feature article</a> here on the ebizQ site, a representative of GroundWork Open Source Inc. wrote about “Merging Open Source and Proprietary Systems Management.” Implicit in that subject is the merger of all the software being managed in some way, shape or form. So we asked Thomas Stocking, GroundWork Co-Founder and Senior Technical Staff Member, to join us to discuss how a commercial open source company like his works with other open source software (OSS) projects and companies, including Red Hat, Nagios and Ganglia.</p>

<p>Thomas has more than 15 years of development and technical experience in many aspects of IT infrastructure management. Prior to GroundWork he served as Director of Information Security at SiteROCK, a managed service provider (MSP) in the Network Operations services space. Previous to SiteROCK he was founder and CEO of InSync Communications, founded with the goal of building a better IT services contracting platform.</p>]]></description>
         <link>http://www.ebizq.net/blogs/open_source/2008/04/oss_april_24_podcast_talking_t.php</link>
         <guid>http://www.ebizq.net/blogs/open_source/2008/04/oss_april_24_podcast_talking_t.php</guid>
         <category>Podcast</category>
         <pubDate>Fri, 25 Apr 2008 09:06:58 -0500</pubDate>
      </item>
            <item>
         <title>Liveblogging the Open Source "riddle" seminar</title>
         <description><![CDATA[<p>I guess it should not have surprised me but it was difficult to log onto this seminar, about the Open Source Software (OSS) "security riddle" in the U.S. government, from a Windows PC. </p>

<p>The riddle, on which the title of the seminar is based, refers to the fact that a Federal Open Source Alliance (FOSA)  survey, done in the second half of 2007, found that a third of respondents in the U.S. government thought OSS was very secure but another third was very concerned about its security (including some users that had already implemented OSS).</p>

<p>All of this information is great stuff for any user, U.S. government or not. And I believe it is available as a recording (Warning: probably an .ogg file) at the FOSA website.</p>

<p><strong>Opening</strong><br />
Intel representative Nigel Ballard opened the seminar noting that Intel is one of the top five contributors to Linux. FOSA's original study found over 50% of U.S. federal government agencies are already using OSS.  More than half of the respondents say it is or will be beneficial. The major benefit "in the beltway" is the ability to access advanced and multi-tiered security, according to 33% of the respondents.  But another third said security was a challenge.  This is what they call "the riddle," the title of the seminar.</p>

<p>Nigel said everyone should use/write open source code to improve interoperability, one of the challenges U.S. Federal government users say they face.</p>

<p><strong>A case study</strong><br />
A real-live OSS user, Casey Coleman, the CIO of the U.S. General Services Administration (GSA), said the GSA had been using OSS for about 7 years, "organically and at low risk."  She said they implemented Linux, Apache, and a KM product at first but since 2005 have begun to use mission-critical applications (but not transaction systems; I asked which type of mission-critical applications, if not transaction systems, but received no response).  </p>

<p>Ms. Coleman provided a great top 10 list of benefits/issues for enterprise IT users to consider:</p>

<p>10. TCO--OSS does not mean free (as we have discussed here on this blog many times)<br />
 9. Avoiding product lock-in--this is the open choice benefit we have also discussed here often<br />
 8. Multiple support models--all the typical support is available and the good news is that vendors are competing on the quality of the service (rather than functionality, I guess; so if you need "functionality foobar" and you get it closed or open, try open and let the suppliers compete on service)<br />
 7. Procurement--evaluation can be done much more easily without the typical Federal red tape (this same sort of red tape probably applies in many enterprises)<br />
 6. Agility--alignment with mission (e.g., the GSA now gets support for Linux but not for its KM tool, saving it money)<br />
 5. Transparency--OSS is standards based (I don't believe that is totally true but worth considering your enterprise's position on standards)<br />
 4. Collaboration--OSS users are not at the mercy of the proprietary-code vendor for improvements; and the user participates in or has insight into the process<br />
 3. Control over investments--<br />
 2. Open Source Moving up the stack--thanks for the plug; that's the name of my blog<br />
 1. Security</p>

<p>Security is a recurring theme of the seminar; it's "the riddle." As mentioned above, a third of survey respondents find OSS secure but a third of respondents are concerned with security issues (even U.S. government OSS implementers cite security as a concern). The good news is that the Intel community, presumably with a major security concern, is a big user of OSS. </p>

<p><strong>Information on Open Source Security</strong><br />
Red Hatter Chris Runge spoke to the fact that there has been an evolution of security biases, such that "in many places, Linux is the preferred platform of choice." For example, NSA came out to the OSS community with security-enhanced Linux for others to use. This is now built into Red Hat Enterprise Linux (RHEL) 5 (and presumably other Lini, but the webinar was sponsored by Red Hat).</p>

<p>Independent of OSS, he pointed out that there were a lot of government mandates on standards that are hard to work with.  Red Hat is working on things like the National Vulnerability Database.</p>

<p><strong>The Chicken-Egg Problem</strong><br />
Erik Lillestolen of HP wrapped up by describing the chicken-egg situation.  Should an agency solve the security problem first and then move to OSS, or move to OSS first and solve the security problems with it?  The answer is, like investing, it all depends on the agency's tolerance of risk. The same applies to any enterprise vis-à-vis any feature.</p>

<p>Erik also brought up the license differences in OSS.  He suggested the agency have some kind of governance policy as well to control the introduction of OSS into the environment. Also good advice for everyone.</p>

<p>Recommendations include identifying internal or consulting experts.  Erik said this is important because many things are different than what users would be accustomed to in proprietary code (I have not found this to be the case in my research so I am not sure what he is referring to; I asked in the Q&A part of the program but my question was not answered).  Other recommendations were to manage alerts (keep good track of updates, patches, etc.) and start small (walk before you run).</p>

<p><strong>Q and A session</strong><br />
Some of the questions and answers included:<br />
Q. Who verifies the OSS?  The agency using the OSS is responsible for security validation.  I am a little rusty on U.S. "federal EDP rules" but I believe the point is that the vendor of proprietary code is responsible for certifying security.<br />
Q. Different types of OSS? The hosts explained the differences between pure open source (e.g., off Sourceforge) vs. OSS from a company such as Red Hat.<br />
Q. The US Census Bureau recently had to back away from using handheld devices for the upcoming census. Were any open source components involved in the failed effort? The hosts were not aware of anything with respect to the handheld devices. Our involvement there has been at the datacenter level.</p>

<p>For more information on the FOSA, see my <a href="http://www.ebizq.net/blogs/open_source/2007/11/" target="_blank">blog post on November 2, 2007</a>.</p>]]></description>
         <link>http://www.ebizq.net/blogs/open_source/2008/04/liveblogging_the_federal_open.php</link>
         <guid>http://www.ebizq.net/blogs/open_source/2008/04/liveblogging_the_federal_open.php</guid>
         <category>OSS Business Issue</category>
         <pubDate>Wed, 16 Apr 2008 12:59:01 -0500</pubDate>
      </item>
      
   </channel>
</rss>
