Open source software, such as the Linux OS, the WordPress CMS, and thousands of different cyber security tools, has exploded in popularity. Black Duck’s 2017 Open Source 360° survey found that 90% of organizations use open source software, and 60% of respondents reported that the use of their organization's open source software had increased over the previous year.

Cost savings, lack of vendor lock-in, and better security are the top reasons many enterprises are choosing open source software over proprietary, vendor-licensed solutions. However, open source solutions aren’t free, and they are only as secure as the human workers who are overseeing them.

In broad terms, “open source” refers to software that anyone can freely download, install, modify to suit your needs, and share with others. You can install it on as many computers as you want without having to keep track of or purchase licenses. However, you’ll still likely incur both direct and indirect costs. In some cases, these costs may not be lower than deploying a proprietary solution, especially when dealing with a security solution.

While the open source software itself may be “free,” you’ll still need to purchase the hardware and IT infrastructure to run it. For example, you may find that the software does not meet your company’s requirements after you install it and you must upgrade to a paid version or purchase add-ons or extensions. These types of upgrades can be costly. For example, enterprise users of the Elastic Stack open source platform must purchase the X-Pack security extension to properly secure their installation.

The opportunity costs of open source

Some open source solutions are built specifically for test and dev environments, and in these cases, you may not need the fancy bells and whistles that a UI or UX designer might create. However, business solutions, especially those that are client-facing, will likely need a lot of additional development time to make sure the open source solution meets the original vision.

Development and customization require huge time commitments from any enterprise that chooses the open source path. While organizations don’t need to follow the well-traveled road of proprietary software solutions, remember that once you start heading down the road less traveled, you have to be more dedicated.

Open source software is DIY. You must properly install and configure it, take the time to perform the modifications you want, and train your employees on how to use it. If you get confused, or something goes wrong, you can’t just call a toll-free number and have a trained, professional technical support rep walk you through it.

While one of the alleged benefits of open source is access to support from a large user community, it’s your responsibility to search for the specific help you need. The sheer amount of information can be overwhelming; think searching on message forums with thousands of posts going back years. Additionally, this support is provided by users with varying degrees of expertise; those who are purporting to help you may know less about the product than you do, or they may not fully understand your specific problem.

These types of overlooked costs continue throughout the life of your software. Just like a proprietary security solution, open source software requires ongoing maintenance and user support. When using an open source security package, you’re on your own, which means you need to devote time and human resources to downloading and installing patches, troubleshooting problems, providing continuous training to existing users, and onboarding new ones.

Lack of oversight causes security issues

Open source software makes it harder for malicious actors to target a widely stretched attack vector due to the numerous variations between different open source solutions. However, just like proprietary software, open source solutions require oversight from your technology owners; they cannot be installed and forgotten. The Equifax breach was traced back to the company not installing a critical security patch for the open source Apache Struts web framework. Yet over 60% of respondents to the Black Duck survey admitted that their organizations either did not have a formal process for managing their open source software or that they were unaware of one. The recommendation for today’s organizations is to build stronger security controls and not rest upon the obscurity of open-source solutions.

This lack of defined processes and established baselines causes problems across the board (just ask Equifax), but it is especially problematic when dealing with open source security tools. Without establishing a baseline of normal network activity, it’s impossible to detect the anomalies that indicate a cyberattack. Without a formal response process, it’s impossible to effectively respond to and remediate attacks. These issues are complicated by the possible presence of “snowflake” servers that require manual patching and configuration. Due to the diversity of open source products, it is impossible for any single employee to have a strong foundation in all of them, requiring organizations to commit a portion of their budget to training.

Resource questions to address

Following are foundational questions you should ask when considering open source security solutions:

1. Does your enterprise have the internal resources to implement an open source security solution with no professional support from the vendor? One of the biggest mistakes organizations make when switching to open source is underestimating the time and human resource commitments involved. As the demand for experienced IT and security talent grows, enterprises lack the internal resources to implement and manage their open source software.

2. Does your enterprise have the internal resources to devote to user training? When organizations attempt to roll out open-source solutions, users are heavily impacted. A considerable investment must be made to train everyone within the organization. IT support teams, business operations, and remote employees often take the biggest hit here.

3. Does your security partner support both proprietary and open source platforms, and do they have expertise in open source? Many security providers cannot demonstrate expertise in solutions outside of proprietary “Magic Quadrant” tools.  

In the end, security tools, whether open source or commercial, are just that, tools. They do not take the place of human workers and will do you no good on their own. You still need skilled security professionals to properly implement them, interpret the data they collect, and glean actionable information to protect your enterprise systems.

Andy Jordan is a Special Project Lead at Mosaic451, a managed services provider that focuses on maintaining and protecting critical IT systems. Andy has built and managed multiple security programs for numerous large and small organizations throughout his 10-year career.