
Wizards of OSS: Industry perspectives on open source software

Programmer as a wizard
Image Credit: Jozefmicic via Getty

Open source software (OSS) is so prevalent that it’s difficult to imagine life without it. For businesses, open source brings scalability, transparency, cost savings, and the power of the crowd.

To get an idea of the pervasiveness of open source software — commercial or otherwise — just consider WordPress. The brand synonymous with content management systems (CMS) spans two broad incarnations — the self-hosted open source version available through WordPress.org and a hosted version called WordPress.com that’s operated by Automattic. Collectively, they now power more than 40% of all websites.

Similarly, just about everyone is familiar with Android, the open source mobile operating system (OS) that claims a global market share of 84%. The lion’s share of this belongs to Google’s flavor of Android, which includes an ecosystem of services and proprietary applications that make Google a lot of money. The core Android Open Source Project (AOSP), however, has been forked several times, perhaps most notably (in the West, at least) by Amazon to create Fire OS, which powers most of its tablets and TV streaming devices. Android is also the most prominent mobile operating system in China, though local handset makers have created their own forks sans Google.

Android is actually based on a modified version of the Linux kernel, arguably one of the biggest success stories to emerge from the open source world. Linux is now used in everything from automobiles to air traffic control and medical devices, and it is also widely employed on web servers, the most common of which is Apache.

In fact, the growth of the web over the past 30 years has been fueled in large part by open source software. So what would a world without open source look like?

Hey Presto! A world without open source …

“Everything from operating systems, databases, web servers, programming languages, and developer tools all wouldn’t be possible without open source,” said Martin Traverso, a former Facebook engineer and cocreator of the distributed SQL query engine Presto. “There would likely be fewer developers in the world because not all developers have the luxury of being part of a certain company — there’s a lot of innovation that happens outside of companies like Google, Microsoft, and Facebook.”

In other words, self-taught or indie developers would have less incentive and opportunity to gain a foothold in software development if everything was locked behind a proprietary door.

Traverso joined Facebook in 2012 and alongside two colleagues developed Presto to help analysts and data scientists run faster queries on large amounts of data. Facebook open-sourced Presto a year later, and in 2019 Traverso and his cofounders left Facebook to launch a fork of the original Presto project, called PrestoSQL, as part of the newly formed Presto Software Foundation. In December, PrestoSQL was rebranded as Trino, and the Presto Software Foundation was renamed the Trino Software Foundation.

Above: Hey Presto

In 2019, Traverso also cofounded a company called Starburst Data that targets enterprises with a commercial version of Trino and raised $100 million at a $1.2 billion valuation in January.

For perspective on the impact Presto (the original project) and Trino have had, Amazon’s AWS uses them as part of the company’s Athena interactive query service, and they are also used by Uber, Airbnb, Intel, Twitter, Netflix, Atlassian, and Alibaba. Starburst, meanwhile, claims notable commercial clients like Comcast and VMware. None of this would have been possible without open source.

“Open source has cultivated a community of innovation that wouldn’t otherwise exist,” Traverso said. “Anything that contains software today depends on open source — your TV, phone, car, and so on. There’s huge leverage across the industry, and without all those open source components, everyone would have to either build them themselves or buy them.”

This helps illustrate what open source software means to businesses of all sizes. It really isn’t just “free software” aimed at cash-strapped startups. Instead, it serves as the fundamental building blocks of most of the technologies we use on a daily basis, something even the major technology companies rely on — and its main benefit can be measured in eyeballs and people power.

“Open source software is constantly improving because it is updated regularly to meet the needs of a diverse group of users, resulting in technology offerings that are more powerful and broadly applicable than just a single company and a single use case,” Traverso said. “While a big company might have the resources to develop these technologies from scratch, it wouldn’t have the same diverse and growing body of contributors continuously iterating and making the technology better.”

Indeed, even a trillion-dollar company wouldn’t be prepared to develop everything from scratch internally, as that would mean going back to square one on programming languages, operating systems, databases, web servers, and more.

“Using open source software allows these companies to dedicate those resources to more business-critical projects,” Traverso added.

Challenges

But despite all the benefits of open source software, it comes with some notable hurdles. These include the lack of proper project documentation to establish whether it’s safe to use a specific piece of software.

“The biggest challenge is determining whether your use of open source is compatible with the security, legal, privacy, and integrity requirements of your business,” Facebook open source product manager Michael Cheng said. “It’s sometimes challenging to determine where open source packages originate. Without knowing who created the software, it may be difficult to determine whether you can or should use it in your business.”

It’s also worth looking at how well supported a project is — after all, many open source developers work entirely on their own dime in their spare time. A recent Synopsys report showed that 91% of codebases contained open source dependencies with zero development activity in the past two years, representing a three percentage point increase on the previous year. This should be a red flag for any company, as an unmaintained dependency could harbor major vulnerabilities that nobody is left to fix.

However, when that technology becomes critical to everyday products, industries and companies often collaborate to support a project that might otherwise have fallen by the wayside. This is why the Linux Foundation set up the Core Infrastructure Initiative (CII) with backing from tech titans like Google, Amazon, Cisco, Microsoft, Intel, and Facebook. Just a few months ago, Google announced it would start funding developers for the Linux kernel, which Android is based on.

If nothing else, the situation highlights some of the challenges businesses face when choosing their open source technology stack. “Companies should be asking themselves if they have the expertise and the resources to build the technology in-house,” Traverso said. “If not, they should look for projects with thriving communities or vendor support.”

Oskari Saarenmaa is cofounder and CEO of Aiven, a Finnish company that manages businesses’ open source data infrastructure on all the major clouds, freeing developers up to focus on building applications.

Aiven provides commercial support, such as security and maintenance, for nine core open source projects, including MySQL, Elasticsearch, Apache Kafka, M3, Redis, InfluxDB, Apache Cassandra, PostgreSQL, and Grafana. The Helsinki-based startup, which raised $100 million at an $800 million valuation back in March, works with such big-name companies as Comcast, Atlassian, and Toyota.


Above: Aiven console

According to Saarenmaa, if a company picks its open source technologies carefully, there are no obvious downsides — but he warned against relying too much on contributions from a narrow community of users. “With open source, there’s no obvious vendor you can demand or push to implement such functionality,” he said. “On the other hand, as the code is open, you always have the opportunity to contribute the required changes for everyone’s benefit.”

It’s worth noting that Aiven is one of the companies that joined the Amazon-led OpenSearch project, a fork that came to be after Elastic switched Elasticsearch to the more restrictive Server Side Public License (SSPL), which prevented cloud service providers (such as Amazon’s AWS) from offering Elasticsearch as a service.

Put simply, licensing is a perennial concern for open source developers across the spectrum.

“Most open source projects nowadays use a pretty narrow set of licenses, but there are some ‘commercial open source’ companies that muddy the waters between open and proprietary licenses, so it’s important to make sure you don’t start building on top of something that limits your future business opportunities,” Saarenmaa explained.

“When it comes to starting to build something new directly on top of open source technologies, it’s important to understand what exactly the role of this technology is, how it’s licensed, and how it’s supported,” Saarenmaa continued. “If it’s a critical piece of technology, you should look to use popular open source technologies that are developed by a wider community of contributors — in case one contributor or company steps away, there are others who can step in.”

There are numerous recent examples of “bait-and-switch” activity, in which a company that built itself on an open source ethos changes the terms of engagement further down the road. MongoDB, for example, created the SSPL back in 2018 to enforce the exact same types of restrictions Elastic pursued — essentially, stopping large cloud providers from profiting off open source without giving back. MongoDB tried to pass SSPL off as open source but withdrew its application to the Open Source Initiative (OSI) the following year. The OSI has also called SSPL “fauxpen source” — proprietary software that masquerades as open source.

Justin Dorfman, open source program manager at cybersecurity company Reblaze, said there is ultimately nothing illegal about this kind of license switching and that the “risk is minimal” for companies engaging in the practice. In fact, it might actually be good for business — MongoDB’s market capitalization has gradually risen from around $4 billion at the time of its license switch to an all-time high of $25 billion this past February.

So is there anything that can or should be done to counter this trend? It won’t be easy, but Dorfman says education could help.

“The community should be educating computer science students early on, encouraging them to become members or volunteers of the OSI, and providing more clarity as to what open source truly is and what it isn’t,” he said. “Just because you can see the code on GitHub or GitLab doesn’t mean it’s truly open source. This still doesn’t protect a project from switching when it’s convenient for them, but the more that they are aware of ‘open source’ versus ‘source available,’ the better.”

Big tech meets open source

At the top of the technology food chain, numerous companies have created billion- and trillion-dollar businesses off the back of open source software. Facebook, for example, was built on open source technologies from the get-go, with the likes of Linux, Apache, MySQL, and PHP serving as the building blocks for what is now one of the 10 most valuable companies in the world.

“Much of the technology we build to power our datacenters, AI and machine learning architecture, or developer tools would not be anywhere as robust, reliable, scalable, or feature-rich as they are without the feedback, contributions, and collaborative energy of countless companies, communities, and individuals we work with in open source,” Facebook open source head Kathy Kam said.

On the flip side, the social networking giant has also open-sourced dozens of its own internal projects, including React, a JavaScript library for building user interfaces that is now one of the most popular open source projects in the world. “Using open source — and making open source available — enables all of us to build better software together,” Kam continued.

Above: Facebook likes open source

But why would a company open-source some of its technologies and not others? What factors are at play here?

“Many companies open-source non-differentiating parts of their technology to drive adoption for the differentiating, closed-source parts of their technology,” Kam explained.

This means any technology a company has developed to support a core function of its business, but which isn’t a direct competitive advantage in itself, might be better off as an open source project. In the community, it can benefit from the input of thousands of developers who might also contribute to an ecosystem of products that support the original company’s core product.

However, a company of Facebook’s size may have any number of reasons for pushing a piece of software into the open source sphere.

“When it comes to open source, Facebook’s focus is a bit different,” Kam added. “Our mission is to give people the power to build community and bring the world closer together. Realizing this vision at the scale and complexity of billions of users worldwide requires that we collaborate openly with diverse external stakeholders to meet these challenges head-on.”

While there is often a degree of altruism involved when big tech companies elect to open-source one of their technologies, these players usually stand to benefit somewhere along the way — by spurring activity in a particular space, for instance. By way of example, Facebook open-sourced Magma in 2019 to help telecom companies more easily deploy wireless networks in remote areas, a project that was eventually taken over by the Linux Foundation. How might this benefit Facebook? Well, getting people online means they can access Facebook services. This strategy is further evidenced by Facebook’s significant internet infrastructure investments spanning subsea cables and satellites.

Embracing open source can also help businesses attract top technical talent — developers generally like all things open source. Martin Traverso worked on Presto for nearly seven years while he was at Facebook. “The open source community has a very ardent following of really talented developers and engineers,” he said. “During my time at Facebook, many engineers cited the company’s involvement in, and contribution to, open source as a reason for joining the team. There’s also a lower ramp-up cost for developers joining the company if they’re already familiar with the technology.”

Show me the money

There have been several billion-dollar exits in the commercial open source software (COSS) space in recent years, including enterprise-focused Red Hat, which IBM snapped up for a cool $34 billion, and MuleSoft, which Salesforce took over for $6.5 billion. Throw in the countless other businesses drawing in sizable investments for their affiliations with the open source world, and it’s clear investors are crazy for open source, though that wasn’t always the case.

So what has changed? According to Two Sigma Ventures VC Vinay Iyengar, the cloud has played a major role in this transformation.

“Historically, successful COSS companies, most notably Red Hat, made money from selling technical support to their customers,” he said. “This was never a super compelling or scalable way to build a large software business. Over the years, however, the rise of the cloud has allowed COSS vendors to sell their software as a managed service. Companies like MongoDB, GitHub, and Cloudera were early pioneers in leveraging this ‘open core’ model successfully, paving the way for a new, and far more compelling, model of COSS monetization.”

Two Sigma Ventures has backed a number of notable players in the open source and open core spheres, including DevOps powerhouse GitLab and Timescale, a time-series database operator that recently announced a $40 million tranche of funding. The VC firm also launched the Open Source Index, a useful tool that showcases the most popular and fastest-growing open source projects on GitHub, allowing users to sort and filter by various criteria.


Above: Open Source Index: Top 10 by TSV ranking

Such data can prove useful for companies looking at which communities are most active, metrics that can help determine which open source technologies are worth building a commercial business on top of. For Iyengar, that is one of open source software’s core selling points.

“Generally speaking, COSS companies have large preexisting communities and lots of developer love before they even begin to sell their commercial offerings,” he said. “This leads to remarkably efficient customer acquisition and bottoms-up growth compared to closed-source equivalents. Additionally, many of these projects constitute a core part of an enterprise’s infrastructure, making them very difficult to replace once implemented.”

This, according to Iyengar, leads to “great net retention dynamics” and lower churn. “We have seen this time and time again, especially with some of the new COSS pioneers like HashiCorp, Confluent, and Databricks,” he said.

Many of the major VC and private equity firms have already gone all in on companies that monetize open source tools in some way. And there is at least one investor dedicated entirely to COSS startups — Joseph Jacks is the founder and sole general partner at OSS Capital.

“We invest exclusively in COSS companies, defined as ‘any given company that would not exist without the co-existence of a given open source core technology,’” Jacks explained. “We are technology-agnostic and vertical-agnostic investors — as long as the company meets this abstract definition, it fits our strict investment thesis.”

OSS Capital’s most recent investment was a new open source developer tool platform called Rome that launched with $4.5 million in seed funding.

While OSS Capital is mostly focused on pre-series A investments, the COSS space has generated numerous billion-dollar companies in recent years. Investing in an early-stage company may incur higher risks, but the rewards could be significant. For now, Jacks said he’s happy to have OSS Capital fly under the radar.

“Since our founding, we have made around a dozen investments,” he said. “We have intentionally kept a low profile on announcing investments since our focus today is at the pre-A stage.”
