Is open source software right for your organisation? Here's how to realistically compare commercial software to open source software and make the right decision based on requirements and risk.

Why consider open source? Who can resist a way to reduce costs while still addressing business needs? Low- to no-cost options are more important than ever. Some organisations have strict policies against such software, but if you can provide valid data showing that open source offers functionality comparable to commercial, off-the-shelf software, you may be able to deliver real value to your organisation.

Some of the hot issues to address include trademark, copyright and patent information, along with the warranties and the liabilities those warranties define. Typically, warranties and liabilities are key to identifying the risks of this type of software, because the creator is not liable. Who is? More than likely, you will take the software at face value, and if anything goes wrong you accept that risk. Period. But again, if you have done your due diligence, you will be making informed choices about whether or not the risk is worth it.

Before you even consider any type of open source, you need to get some key players on board. If you can't get your legal, procurement and risk management groups behind you, you might as well not even start. One way to do this is to provide them with the facts about the risks involved. Hopefully, this article will give you the tools to do just that.

Choosing your definition
As you tread into the murky waters of open source, make sure you have a good sense of the type of software you are working with, because there are numerous kinds and you need to make sure those doing the evaluation understand what they are looking at. This in itself is a challenge because there are so many options. From Open Source to Academic to GNU to shareware to public domain, take your pick. In addition, you need to ensure that you either write guidelines or rules that cover all the categories or, if that's not appropriate, tailor the guidelines to the specific types of software you are looking at.

For example, you might use different criteria when it comes to selecting desktop freeware (a PDF writer or security utility, for example) versus enterprise software such as Open Office.

Some possible guidelines to help vet freeware:

1. Check with the security group to see if the product meets their needs and has already been vetted. They should keep a central repository of tools that have already passed the vetting process.

2. Read the End-User Licensing Agreement (EULA) for validity of use. Key things to look for:
a. Redistribution specifics
b. Copyright restrictions
c. Other requirements for use

3. You also need to review the software for:
a. Support options (is this community based or can a support contract be purchased?)
b. Patch/update policy
c. Documentation (is it available in case you or your users have questions?)
d. Peer feedback (what does the Internet say about use of the tool?)

4. If there are no issues that prevent proceeding, then get the security group to do a malicious code review. To get that ball rolling, provide:
a. Name of product
b. Website
c. Attestation the EULA has been reviewed and the terms and conditions are acceptable.
d. The results of the research from step 3 above.

5. If the product passes the review, it will be added to the list and a certification notice sent to the staff. If it does not, a notice of denial will be sent to the staff.