This is the first part of a two-part article. The second part will be published tomorrow.
The future of open source is not Linus Torvalds.
It's Marty Roesch.
In 1998, Roesch, then 28 and an engineer at telecom company GTE-I, created an open-source program called Snort for detecting intrusions into computer networks. Today, he sheepishly acknowledges that he's a multimillionaire, having sold Sourcefire, the company he created to sell add-ons to Snort, for $225 million to security software leader Check Point. (The deal is expected to be finalized before the end of the first quarter 2006.)
Roesch's road to richesusing the Internet to distribute open-source software for free and selling proprietary (closed-source) pieces that enhance the free stuffis emerging as the most popular new business model in the software industry, according to venture capitalists. Call it the mixed-source model. On the surface, it would seem to offer the best of both worlds: CIOs get free software, and the companies developing the code get e-mail addresses from downloaders, so they can try to sell them proprietary add-ons. Venture capitalists love this model because they can invest their money in software that can be sold rather than in big sales staffs or expensive marketing and branding campaigns.
But in the rush to monetize the open-source model, these startups could be on a collision course with the communities that spawned them. When a venture-backed company builds both open-source and proprietary software under the same roof, it invites a showdown between the people contributing the free stuff (the open-source community) and the company looking for competitive advantage from the proprietary stuff. "It's an inherent conflict of interest," says Jo Tango, general partner at Highland Capital Partners, a venture capital company. "Whose additions to the software get approved? And how are those additions prioritised? Is it for the open-source product or the for-profit stuff?"
CIO to go
And that could lead to situations in which CIOs are seduced into using what seems to be free technology only to find they must pay to make it work down the road, says Michael Goulde, senior analyst for Forrester Research. Adds Tango: "This model has been around for years. It's called a trial version."
Proprietary software companies have been giving away trial versions of their software for years. But the code is closed, and the free versions are lesser versions of what you'd get if you paid full price. "That's no different from what these so-called open-source firms are doing with their community [open source] and enterprise [proprietary] editions of their software," says Barry Strasnick, CIO of CitiStreet, a benefits management company.
In other words, the free stuff becomes nothing more than a come-on. Adds Lee Hughes, CIO of Owens Forest Products, "My fear is that if a company has a free open-source version and a commercial version with enhanced features, the free version [may suffer] down the line."
Strasnick and Hughes wouldn't be so concerned if open-source software were still a casual plaything for their developers trying to save money on a few Web servers. But open source has become a vital part of the CIO's software acquisition strategyespecially when it comes to infrastructure software. Research company Gartner predicts that by 2010, Global 2000 IT organisations will see open source as a viable option for 80 percent of their infrastructure software investments. CIOs can't afford to treat open source as a throwaway, and they can't afford to do without support for the open source that becomes a vital component of their infrastructures.
But shopping for open-source software is a very different animal from the traditional software acquisition process. The company you're buying from is a community, the references you're checking when you're doing your due diligence are postings on a bulletin board, and the developers posting them may not even be employed.
Conventional wisdom says you don't want to see how your breakfast sausage is made, but CIOs are going to have to peek into the kitchen before committing themselves to an open-source diet. There are many different business models emerging besides mixed source (see "Your Guide to Open-Source Business Models"), so CIOs will have to cast a careful eye on these companies and communities to predict whether they will still be around in a year or two. This is now critical business research for CIOs. It's every bit as important as tracking Microsoft's or Oracle's stock price, acquisition strategies and upgrade announcements.
The money game
Roesch bristles when you bring up the fears CIOs have about "crippled" open source. He's got a right to be touchy. Eight years ago, he single-handedly developed the core of Snort. Since then, he estimates that he has written 3,000 postings to the Snort discussion list and carefully built a large community of users (more than 2 million downloads and 100,000 active users, he says). In return, he got what every open-source developer craves: respect, recognition and the occasional free beer from grateful users at technology conferences.
Roesch got everything except money. And that was OK. For a while.
"I was never motivated by financial gain," recalls Roesch. "It just ended up that way. People don't develop open source for monetary gain. You develop it for reputational gain."
Roesch could have used his reputation to land a high-paying job at a software company, but he liked working on Snort. So in 2001, he began courting venture capitalists to see if they would back his plans to start a company to support Snort. When he made the rounds, he says, there were no takers. "They wouldn't go near it unless we had some [proprietary] intellectual content wrapped around Snort," Roesch says.
Once he developed some proprietary management tools and a friendly GUI to run on top of Snort, Roesch got his money. And he's never looked back, partly, he argues, because he has no choice. Snort competes against software from well-known, well-funded companies such as Cisco, and "if you're going into a highly competitive area of software, as we did, you have to take venture capital," he says, adding that others have built proprietary tools around Snort. "You're going to have people who are going to try to ride on your coattails," Roesch says.
So far, according to Roesch, no one in the Snort community has held his financial success against him. "I like writing code," says Glenn Mansfield Keeni, a professional developer who contributes to Snort in his spare time. "I derive great satisfaction by contributing towards building a secure Internet. The code remains open source so there is no bitterness or feeling of being let down. If the commercial framework helps Snort take greater strides forward, that's welcome."
But others in the community wanted to guarantee that Snort would remain open. They formed a group in 2003 called Bleeding Snort to provide open-source intrusion-detection rules and definitions for Snort (similar to the virus definition files you download for your antivirus program). It was a prescient move. Sourcefire now makes its updates available to its paying customers first; others have to wait five days. And unlike Bleeding Snort's updates, Sourcefire's are no longer released under an open-source licence. Companies that have built proprietary software on top of Snort (Sourcefire is not the only one) have to pay a fee to Sourcefire to get those updates now. But Bleeding Snort often beats Sourcefire to the punch with new rules, says Alan Shimel, chief strategy officer for StillSecure, a security software company that uses the Snort engine as part of its proprietary software. Shimel obviously has a vested interest in keeping the Snort engine open source, but he says "there were a lot of people in the Snort community who weren't happy when [Roesch] formed Sourcefire. I've spoken to people inside Check Point who say they intend to keep Snort open, but as they say, the road to hell is littered with good intentions."
For its part, Check Point's Web site states that it is "committed to the Snort open-source community, and we look forward to growing the Snort solution and the Snort community in the future."
But the fact is, not all open-source security software has remained open. A software package called Nessus was initially released under an open-source license in 1998, but the latest version (3.0) has been released under a commercial license (earlier versions remain available as open source)though it is still free to users. Nessus's original developer, Renaud Deraison, who, like Roesch, has started a company (Tenable Network Security), says his commercial customers pressured him to close the source. "Many of them had prohibitions against [open-source] software or had to jump through legal hoops to get permission for it," he says. "What they want is quality, free software. The license is less important." Though Nessus's shift has brought criticism from some open-source advocates on discussion websites like Slashdot.org, Nessus usage seems not to be affectedat least not yet.
Meanwhile, CIOs -- who are constitutionally sceptical of vendor promises -- are worried about Check Point's purchase of Snort. "It's definitely a concern," says Kirk Drake, vice president of technology for the National Institutes of Health Federal Credit Union, which uses Snort and Sourcefire's add-ons. "But it's no different from what we've seen before. We buy a good product, and it gets bought by another company and the product can change. And the pricing changes."
According to Roesch, those who see mixed source as a Trojan horse for an inevitable march back to proprietary software are underestimating the power of the open-source community. "Check Point got one of the most tested and deployed code bases in the world, and if they manage it carefully they've got the community too," says Roesch. "I would argue that the goodwill generated by Snort among users and developers probably outweighs the value of [the proprietary software], and I think Check Point believes that as well." In other words, continuing to support an open Snort will cost Check Point less than alienating the community by closing the source.
Part 2 of this article will be published tomorrow.