Open Source Software: The Infrastructure Impact
Sponsored by Rogue Wave Software

Upload: rogue-wave-software
Posted on 23-Jan-2018
Category: Software

TRANSCRIPT


Featured Presenters

Our knowledgeable speakers today are:

Alan Zeichick, President & Principal Analyst, Camden Associates

Rod Cope, Chief Technology Officer, Rogue Wave

Open Source Software: The Infrastructure Impact

Alan Zeichick, Principal Analyst, Camden Associates
www.camdenassociates.com
@zeichick

We Have an OSS Problem

You can’t manage what you don’t know about:

You can’t secure…
You can’t patch…
You can’t warrant license compliance…
You can’t support…
You can’t certify…
You can’t improve uptime…
You can’t back up data…
You can’t improve performance…

OSS Is Everywhere

According to one study of over 1000 companies:

65% leverage OSS to speed application development
55% leverage OSS for production infrastructure
65% contribute to open source projects, mainly in order to fix bugs or add functionality to a project
67% actively encourage developers to engage in and contribute to open source projects
47% have no formal process in place to track open source code
33% have no process for identifying, tracking or remediating known open source vulnerabilities

Why Use OSS?

Rarely is it about inspecting the source code!

With enterprise IT:

You can see exactly what it is
You can interface with the community
Easier to customize
Freedom from vendor lock-in
Better auditability
In theory, better quality, security
In theory, better standards compliance
Multiple support options
Easier to try it out
In theory, more input into product road map
Oh, and maybe lower cost (i.e., licensing)

Balance Against…

There is exploding complexity
The more OSS you have, the more complex the combination
There can be real security concerns
You can’t afford production outages
Or near-outages when software slows to a crawl
Much OSS is poorly supported, if at all
There aren’t always good training programs
Far too often, you are on your own
Unless a guru takes pity on you
That all means enterprise risk

OSS: More Than Linux!

Popular open source platforms include:

Linux • Git • MySQL • Node.js • Docker • Hadoop • Elasticsearch • Spark • MongoDB • Selenium • npm • Redis • Tomcat • Jenkins • Vagrant • Postgres • Gradle • NGINX • Ansible • Kafka • GitLab • HBase • Chef • TensorFlow • Cassandra • Android • Eclipse • SpamAssassin • ClamAV • Lucene • Map/Reduce • Pig • WordPress • Chromium • Firefox • Cloud Foundry • CloudStack • Kubernetes • CouchDB • Mojito • Mono • Zend • webERP • Many more!

OSS categories are all over the place: Operating systems • big data • data analytics • databases • search engines • software development tools • code libraries and SDKs • code repositories • IT operations • virtualization • accounting • containers • security • artificial intelligence • CAD and drawing • word processor • spreadsheet • mail client • graphics tools • blogging • so much more

Can you name all the OSS you have in production/deployment?

Biting You in the Butt

License management
Security
Patch management
Maximizing uptime
Maximizing performance
Supporting the OSS

License Management

There are many open source licenses
Some of those licenses have specific terms
This includes giving changes back to the community
Or that projects incorporating OSS code must be open sourced
Some are free for personal use, not commercial
Those licenses are true legal documents
Those licenses may cover derivative use
Like included components, SDKs or APIs
If you are acquired or audited, you need to know:
What OSS you have
Which licenses you have
Are you fully in compliance with license terms?

Security and OSS

In theory, “many eyes make bugs shallower”
Bugs mean security vulnerabilities!
Not all OSS projects have many eyes
Not all OSS uses modern dev processes
Testing is not always up to commercial standards
Bad actors can study OSS for zero-day flaws
Bad actors can fork, mislead, and/or insert flaws
Developers may not respond quickly to vuln reports
Particularly a problem with forks
Very little awareness on forks or customized versions
Security info sources are often general

Patch Management

Updates are not always well-distributed
Groups may not respond quickly to vuln reports
Admins might miss reports of flaws, updates
Auto-update functions can be poorly implemented
It can be up to you to ensure that all OSS is at proper patch level
Challenging when dealing with programmatic components, like SDKs, APIs
Also on OSS installed on servers or embedded
And what about virtual machine instances? Templates?

Maximizing Uptime

Plan configurations and changes carefully
Many OSS packages are brittle if misconfigured
Use lifecycle management tools
Use monitoring tools – use community guidance
Avoid beta releases
Train your employees on the OSS
Stay up to date on updates, patches and security
Be aware that each OSS may have its own stack
Software versions, dependencies, etc. – huge complexity
Carefully monitor hardware requirements, software dependencies
Retire older OSS

Maximizing Performance

More memory, more CPU, more storage!
Not all OSS is tested for low storage, low memory, high CPU utilization
Clean out log files periodically
Make sure the code is properly compiled
Use agents on physical, virtual machines
Avoid beta releases
Use good monitoring tools
Understand the baseline so you can see if it degrades
Consider using containers to isolate packages
Optimize file systems
Monitor community forums

Supporting Your OSS

Many models to choose from:
Use community resources
Train your own staff
Hire consultants
Some combination thereof

OSS is almost always “as-is” with no warranty
“Single throat to choke”
That’s why so many people use Microsoft!
You can’t choke a community’s throat
You can’t call them at 2am on a Sunday
And you certainly can’t sue them
So who you gonna call? Not Ghostbusters!

Get Professional Help

If well supported, OSS is huge!
Can lower TCO
Can improve business agility

If not, OSS is a disaster!
Systems will fail
Data can be lost
The business will suffer

To mitigate risk – get help with your OSS

Thank you!

Alan Zeichick, Principal Analyst, Camden Associates
www.camdenassociates.com
@zeichick
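The “License Management” and “Patch Management” slides above both come down to the same first step: an inventory of which OSS components are actually deployed, checked against a license policy and against the versions in which known flaws were fixed. The script below is an added example, not part of the webinar and not Rogue Wave or Camden Associates tooling. Everything in it is constructed for illustration: the inventory lines (the kind of export you would get from rpm -qa, dpkg -l, npm ls, an image scan or an SBOM), the package names, the advisory entries ADV-A/ADV-B/ADV-C with their fix versions, and the approved-license list. It assumes plain dotted numeric version strings; real feeds carry affected-version ranges, and real version schemes (semver pre-releases, PEP 440, distro epochs) need a proper version library.

```python
import re
from dataclasses import dataclass

# Constructed inventory export, one component per line: name version license.
# The format and every entry here are made up for the example.
INVENTORY_TEXT = """\
# name      version   license
libfoo      1.4.2     MIT
webfw       2.0.9     Apache-2.0
dbclient    3.1.0     GPL-3.0-only
imgtool     0.9.5     Proprietary-EULA
"""

# Constructed advisory feed: (component, first fixed version, summary).
# These are NOT real advisories; real sources (distro trackers, NVD, OSV)
# publish affected ranges, not just a single fixed_in version.
ADVISORIES = [
    ("libfoo",   "1.4.3", "ADV-A (constructed): authentication bypass"),
    ("webfw",    "2.0.9", "ADV-B (constructed): header injection"),
    ("dbclient", "3.2.0", "ADV-C (constructed): TLS verification skipped"),
]

# Hypothetical license policy for software shipped to customers; anything
# not on the list is flagged for legal review rather than silently accepted.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str


def parse_version(v: str) -> tuple:
    """Dotted numeric versions only (assumption): '1.4.10' sorts above '1.4.9'.
    Anything else is rejected so a pre-release or epoch is never mis-compared."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unsupported version syntax: {v!r}")
    return tuple(int(p) for p in v.split("."))


def parse_inventory(text: str):
    """Turn the export into Component records, skipping blanks and comments."""
    comps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version, lic = line.split()
        comps.append(Component(name, version, lic))
    return comps


def vulnerable(components, advisories):
    """(component, summary, fixed_in) for each component whose deployed
    version is strictly below the fix version of a matching advisory."""
    findings = []
    for c in components:
        for name, fixed_in, summary in advisories:
            if c.name == name and parse_version(c.version) < parse_version(fixed_in):
                findings.append((c, summary, fixed_in))
    return findings


def license_violations(components, allowed):
    """Components whose license is not on the approved list."""
    return [c for c in components if c.license not in allowed]


def report(text=INVENTORY_TEXT, advisories=ADVISORIES, allowed=ALLOWED_LICENSES):
    """Summarise what needs patching and what needs license review."""
    comps = parse_inventory(text)
    vulns = vulnerable(comps, advisories)
    lic = license_violations(comps, allowed)
    return {
        "components": len(comps),
        "needs_patch": sorted((c.name, fixed_in) for c, _, fixed_in in vulns),
        "license_review": sorted(c.name for c in lic),
    }


if __name__ == "__main__":
    r = report()
    print(f"{r['components']} components inventoried")
    for name, fixed_in in r["needs_patch"]:
        print(f"  PATCH   {name}: upgrade to >= {fixed_in}")
    for name in r["license_review"]:
        print(f"  LICENSE {name}: not on the approved list")
```

Note that webfw is already at the fix version and is correctly left alone, while dbclient shows up in both lists: it is behind on a fix and carries a copyleft license that the hypothetical policy does not approve. Both findings come from the same inventory, which is the point of the slides: without that inventory neither check can be run at all.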

© 2017 Rogue Wave Software, Inc. All Rights Reserved.

Open Source Software: The Infrastructure Impact

Rod Cope, CTO, Rogue Wave Software, @RodCope

OSS in production


What it means to you

Open-source software is used within mission-critical IT workloads by over 90% of the IT organizations worldwide, whether they are aware of it or not. [1]

80% of developers have deployed OSS in their apps in the past 12 months. [2]

Through 2020, the percentage of open source within IT portfolios relative to either homegrown or licensed third-party solutions will grow by a 30% compound annual growth rate (CAGR). [3]

52% of custom apps are built in 3 months or less. [4]

Average age of an [enterprise] app: 20 years. [5]

Sources:
1, 3: Gartner, “What Every CIO Must Know About Open-Source Software”, March 2017
2: Forrester, 2016 projections for AD&D, March 2016
4: CIO, “How long to build a custom app?”, Feb 2016
5: SiliconAngle, Oracle CEO 2025 industry predictions, Oct 2015


Key OSS technologies in production

• Application servers

• Webservers

• Databases & big data

• Messaging / integration platforms

• Operating systems

• Private cloud stacks


OSS in infrastructure

Figure: Pre-OSS vs. Post-OSS infrastructure, by layer (Web server, App server, DB, OS). Pre-OSS: same stack for many apps. Post-OSS: different stack for most apps. Stacks shown on the slide: Apache / Tomcat / Oracle / RHEL; Nginx / Node.js / MongoDB / CentOS; Lighttpd / Ruby on Rails / PostgreSQL / AIX; IIS / WebLogic / Oracle / RHEL; Jetty / Play / Redis / Solaris; plus MySQL and CouchDB in the database layer.

Common challenges: OSS in production

• Production outages or severe performance degradation

• Security breaches and vulnerable endpoints

• Lack of security mitigation procedures

• Unclear documentation and/or difficulty attaining OSS-specific knowledge


Cost of problems in production

• Average number of enterprise downtime events per month, costing $1 to $60 million annually [3]

• Reduction in conversion resulting from a one second page delay [4]

• Issues stemmed from improper configuration and/or problems within the environment [2]

• Devs spend between 10 to 25% of time debugging errors discovered in production [1]

Figures shown on the slide alongside these points: 5, 80%, 7%, 43%.

Sources:
1: ClusterHQ, DevOps Testing Survey, Nov 2016
2: Rogue Wave Software, OSS Support Report, Feb 2017
3: IHS Markit, survey, Jan 2016
4: Akamai, research, 2015


Common OSS License Terms

Figure: table of common OSS license terms (not recoverable from the transcript); the only entry that survived extraction is MX4J 1.0.


Gartner, “What Every CIO Must Know About Open-Source Software”, March 2017:

“Tackle open source (either commercially supported or self-supported) as inevitable investments that by being properly managed, will yield considerable total cost of ownership (TCO) and ‘business value’ benefits. When unmanaged (or undermanaged), these same OSS technologies will instead introduce considerable technical, security and legal risks to the enterprise.”


“Always on” with the right risk mitigation

• Cost of ownership assumed when managing/maintaining open source software in production

• Risk of running software without warranty is significant

• Benefit from the competitive edge gained by adopting OSS solutions by mitigating that risk

• Create and execute a strategic plan for supporting this software which you do not own and did not write


Open source support options


Choosing OSS support options

• As OSS use grows, so will the number of support decisions to be made

• Best practices

– Require a support plan for OSS

– Develop guidelines on type of support required depending on:

• Organizational skill

• OSS component characteristics

• Application characteristics

– Require that all OSS components are maintained (bug and vulnerability patches)

– Maximize productivity and efficiency: integrate these aspects into OSS management policy and processes


Types of support

A range of options exists for supporting open source software:

• Community support

• Commercial support

• Self support

• Mixed approaches


Understanding your risk profile

Figure: risk profile matrix for your critical applications. Rows: App 1, App 2, App 3. Columns: Technical risk, License compliance, Security, Asset management, Skillset / expertise.


Next step

Develop your profile with a complimentary OSS risk profile consultation.


Alan Zeichick, President & Principal Analyst, Camden Associates

Rod Cope, Chief Technology Officer, Rogue Wave

Thank you for attending

Please visit our sponsor and any of the resources below:

• http://www.informationweek.com/events

• 7 Questions to Select, Deploy, and Maintain Open Source Software Effectively

• 2017 Open Source Support Report

• OpenUpdate for OpenSource