Rita Manachi contributed to this blog post.
Over the past two decades, adoption of open source software (OSS) among enterprises has become commonplace. In fact, because of the many advantages of open source, it is now almost impossible to find a business that does not rely on OSS. And with the proliferation of modern cloud native apps and microservices, this is only more true. Modern applications are built with open source, and you wouldn’t want to do it any other way. The key to using open source responsibly is to ensure those apps are being built reliably, safely, securely, and sustainably. This article outlines some of the common challenges of using open source, and introduces best practices for managing them.
Open source in the enterprise
The unique benefits afforded by OSS make it the preferred choice among enterprise developers, infrastructure and operations (I&O), and managers alike. According to the State of Software Supply Chain 2022 study conducted by VMware, 99.8 percent of the 1,198 OSS stakeholders that were interviewed reported that they benefited from using OSS and consider cost-efficiency, increased flexibility, and support from a large user community as the top benefits of using OSS. Furthermore, in the VMware-commissioned Forrester study Elevating the Developer Experience, of the 651 global IT/engineering and line of business decision makers, easy access to open source software was rated as the second most important factor needed to have a significant and positive impact on developer experience.
OSS expectations align closely with the actual benefits. (Source: The State of the Software Supply Chain: Open Source Edition 2022)
Regardless of their industry or the size of their company, developers today are often left having to piece together several components in order to build modern applications and services. Developers can turn to a massive landscape of open source or commercial versions of the building blocks they need to create great software, be that from databases, streaming and messaging services, API gateways, and/or service meshes. But is OSS adoption effortless and straightforward? Are the many enterprises that have adopted OSS soaring high without any worries or issues?
Even with all of these benefits to developer productivity and innovation, OSS can bring its own unique challenges to platform teams. However, you can overcome the issues posed by OSS if you follow some of the best practices outlined below, starting with “choosing well” and managing your software supply chain.
Smart adoption of open source software starts with choosing wisely. For each use case, developers often face a wealth of options: selecting the right software requires due diligence and a careful analysis of the risks and opportunities posed by each potential choice. Adopting open source software adds another supplier to your software supply chain. So, to truly empower developers with the flexibility they deserve, the platform team needs to vet the supplier to ensure quality, security, conformance, and more. Reviewing the project’s governance, licensing, and operational practices can provide insights into the health of the project and clues to any adoption risks. If you’re unwilling or unable to complete a thorough vetting process, look to a partner or vendor to do that work for you.
Standardize usage across the organization
While enjoying the flexibility offered by the many choices in the OSS ecosystem, it is easy to be overwhelmed by the options as well. The platform team should try to ensure standardization of OSS adoption by mapping the modern application development needs to specific products and ensuring that the same is used by development teams across the enterprise. For example, if Advanced Load Balancer is found to be well-suited as a load balancer to an organization, or RabbitMQ is found to work the best as the message broker, the platform team must try to standardize the adoption of Advanced Load Balancer and RabbitMQ as the load balancer and message broker respectively, across the organization and make them easily available to developers in whatever format they need. Although not easy to implement, standardizing OSS applications substantially accelerates the time to market for new releases and also acts as a key enabler in enterprise-grade OSS adoption.
Find efficient ways to keep OSS images updated and secured
The vast user base and wide popularity of OSS applications mean that there are frequent updates made to the project—updates so frequent that a project may have multiple versions released within the same day. While this is truly fruitful, it often makes the lives of the platform team quite difficult. The platform team has to continuously check for updates, evaluate the importance of each release, and include remediations to critical vulnerabilities and push them into their environments. The greatest challenge is to find an efficient way of doing this because the very thought of performing this repetitive activity manually, day in and day out, can be tiring. Ideally, a reliable pipeline has to be built to ensure that the latest and most secure versions of OSS applications are being used. Another critical box to be checked is that these frequent updates are tested for functionality and performance in the needed environments before being used.
Gain deep visibility into the software supply chain
With the increase in OSS adoption, invariably, the complexity of the software supply chain also goes up. And as the complexity increases, the likelihood of being affected by software supply chain attacks also increases. The best way to augment your company’s security posture and deal with this increased complexity is to ensure that you have deep and reliable visibility into all components you use through a detailed software bill of materials (SBoM). Ideally, an SBoM should include details like proof of provenance, dependencies, version history, common vulnerabilities and exposures (CVEs), patch status, and more (which should help ease the workload for security and compliance teams). Generating an SBoM at an enterprise scale may not be the easiest of things to do for platform teams, but nevertheless, it’s an invaluable tool for helping to ensure sustainable, secure, enterprise-wide adoption of OSS.
If you’re a platform or an I&O leader looking to improve the way your organization uses OSS, you might want to check out VMware Application Catalog. VMware Application Catalog eases the work of platform teams by handling all the day zero activities involved in working with OSS and to promote OSS adoption in a secure, enterprise-grade manner. To learn more about how you can benefit from VMware Application Catalog, watch this on-demand webinar. If you’re interested in learning more about open source software best practices, hop on over to the VMware Open Source blog.
About the AuthorMore Content by Bala Bharathy U