open source software: the infrastructure impact
TRANSCRIPT
Featured Presenters
Our knowledgeable speakers today are:
Alan Zeichick, President & Principal Analyst, Camden Associates
Rod Cope, Chief Technology Officer, Rogue Wave
Open Source Software:
The Infrastructure
Impact
Alan Zeichick
Principal Analyst
Camden Associates
www.camdenassociates.com
@zeichick
We Have an OSS Problem
You can’t manage what you don’t know about
You can’t secure…
You can’t patch…
You can’t warrant license compliance…
You can’t support…
You can’t certify…
You can’t improve uptime…
You can’t back up data…
You can’t improve performance…
OSS Is Everywhere
According to one study of over 1000 companies:
65% leverage OSS to speed application development
55% leverage OSS for production infrastructure
65% contribute to open source projects, mainly in order to fix bugs or add functionality to a project
67% actively encourage developers to engage in and contribute to open source projects
47% have no formal process in place to track open source code
33% have no process for identifying, tracking or remediating known open source vulnerabilities
Why Use OSS?
Rarely is it about inspecting the source code!
With enterprise IT
You can see exactly what it is
You can interface with the community
Easier to customize
Freedom from vendor lock-in
Better auditability
In theory, better quality, security
In theory, better standards compliance
Multiple support options
Easier to try it out
In theory, more input into product road map
Oh, and maybe lower cost (i.e., licensing)
Balance Against…
There is exploding complexity
The more OSS you have, the more complex the combination
There can be real security concerns
You can’t afford production outages
Or near-outages when software slows to a crawl
Much OSS is poorly supported, if at all
There aren’t always good training programs
Far too often, you are on your own
Unless a guru takes pity on you
That all means enterprise risk
OSS: More Than Linux!
Popular open source platforms include: Linux • Git • MySQL • Node.js • Docker • Hadoop • Elasticsearch • Spark • MongoDB • Selenium • npm • Redis • Tomcat • Jenkins • Vagrant • Postgres • Gradle • NGINX • Ansible • Kafka • GitLab • HBase • Chef • TensorFlow • Cassandra • Android • Eclipse • SpamAssassin • ClamAV • Lucene • Map/Reduce • Pig • WordPress • Chromium • Firefox • Cloud Foundry • CloudStack • Kubernetes • CouchDB • Mojito • Mono • Zend • webERP • Many more!
OSS categories are all over the place: Operating systems • big data • data analytics • databases • search engines • software development tools • code libraries and SDKs • code repositories • IT operations • virtualization • accounting • containers • security • artificial intelligence • CAD and drawing • word processor • spreadsheet • mail client • graphics tools • blogging • so much more
Can you name all the OSS you have in production/deployment?
Biting You in the Butt
License management
Security
Patch management
Maximizing uptime
Maximizing performance
Supporting the OSS
License Management
There are many open source licenses
Some of those licenses have specific terms
This includes giving changes back to the community
Or that projects incorporating OSS code must be open sourced
Some are free for personal use, not commercial
Those licenses are true legal documents
Those licenses may cover derivative use
Like included components, SDKs or APIs
If you are acquired or audited, you need to know
What OSS you have
Which licenses you have
Are you fully in compliance with license terms?
Security and OSS
In theory “many eyes make bugs shallower”
Bugs mean security vulnerabilities!
Not all OSS projects have many eyes
Not all OSS uses modern dev processes
Testing is not always up to commercial standards
Bad actors can study OSS for zero-day flaws
Bad actors can fork, mislead, and/or insert flaws
Developers may not respond quickly to vuln reports
Particularly a problem with forks
Very little awareness on forks or customized versions
Security info sources are often general
Patch Management
Updates are not always well-distributed
Groups may not respond quickly to vuln reports
Admins might miss reports of flaws, updates
Auto-update functions can be poorly implemented
It can be up to you to ensure that all OSS is at proper patch level
Challenging when dealing with programmatic components, like SDKs, APIs
Also on OSS installed on servers or embedded
And what about virtual machine instances? Templates?
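As an added example (not from the webinar or either presenter), the following Python sketch turns the license-management and patch-management slides into one check over a component inventory: each component's license is matched against a policy and its version against a required patch level, with unknown licenses and untracked components reported as findings. The license categories, version thresholds and the inventory itself are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed license policy. "review" marks terms the deck warns about
# (giving changes back, or the incorporating project having to be open
# sourced); "denied" marks personal-use-only terms. Not legal advice.
LICENSE_POLICY = {
    "Apache-2.0": "allowed",
    "BSD-3-Clause": "allowed",
    "GPL-3.0": "review",
    "Non-Commercial": "denied",
}

# Constructed stand-in for an advisory feed: the release each tracked
# component must be at or above. Thresholds are illustrative only.
PATCH_LEVEL = {"nginx": (1, 20, 2), "tomcat": (9, 0, 62), "redis": (6, 2, 7)}

@dataclass
class Component:
    name: str
    version: str
    license: str

def parse_version(text):
    """'1.18.0' -> (1, 18, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def assess(inventory):
    """Return (component name, finding) pairs for anything that needs action."""
    findings = []
    for comp in inventory:
        status = LICENSE_POLICY.get(comp.license, "unknown")
        if status != "allowed":  # an unknown license is a finding too
            findings.append((comp.name, f"license {comp.license}: {status}"))
        required = PATCH_LEVEL.get(comp.name.lower())
        if required is None:
            findings.append((comp.name, "untracked: no patch-level reference"))
        elif parse_version(comp.version) < required:
            wanted = ".".join(str(n) for n in required)
            findings.append((comp.name, f"behind patch level: {comp.version} < {wanted}"))
    return findings

# Constructed sample inventory, not real deployment data.
INVENTORY = [
    Component("nginx", "1.18.0", "BSD-2-Clause"),
    Component("Tomcat", "9.0.62", "Apache-2.0"),
    Component("redis", "6.2.7", "BSD-3-Clause"),
    Component("legacy-erp", "2.1", "Non-Commercial"),
]
```

Calling `assess(INVENTORY)` flags nginx twice (license not in the policy, version behind the threshold) and the hypothetical legacy-erp twice (denied license, no patch reference), while Tomcat and Redis pass.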
Maximizing Uptime
Plan configurations and changes carefully
Many OSS packages are brittle if misconfigured
Use lifecycle management tools
Use monitoring tools – use community guidance
Avoid beta releases
Train your employees on the OSS
Stay up to date on updates, patches and security
Be aware that each OSS may have its own stack
Software versions, dependencies, etc. – huge complexity
Carefully monitor hardware requirements, software dependencies
Retire older OSS
Maximizing Performance
More memory, more CPU, more storage!
Not all OSS is tested for low storage, low memory, high CPU utilization
Clean out log files periodically
Make sure the code is properly compiled
Use agents on physical, virtual machines
Avoid beta releases
Use good monitoring tools
Understand the baseline so you can see if it degrades
Consider using containers to isolate packages
Optimize file systems
Monitor community forums
Supporting Your OSS
Many models to choose from:
Use community resources
Train your own staff
Hire consultants
Some combination thereof
OSS is almost always “as-is” with no warranty
“Single throat to choke”
That’s why so many people use Microsoft!
You can’t choke a community’s throat
You can’t call them at 2am on a Sunday
And you certainly can’t sue them
So who you gonna call? Not Ghostbusters!
Get Professional Help
If well supported, OSS is huge!
Can lower TCO
Can improve business agility
If not, OSS is a disaster!
Systems will fail
Data can be lost
The business will suffer
To mitigate risk – get help with your OSS
Thank you!
Alan Zeichick
Principal Analyst
Camden Associates
www.camdenassociates.com
@zeichick
© 2017 Rogue Wave Software, Inc. All Rights Reserved.
Open Source Software: The Infrastructure Impact
Rod Cope, CTO, Rogue Wave Software, @RodCope
What it means to you
• 90%: Open-source software is used within mission-critical IT workloads by over 90% of the IT organizations worldwide, whether they are aware of it or not. [1]
• 80%: Developers have deployed OSS in their apps in the past 12 months [2]
• 30%: Through 2020, the percentage of open source within IT portfolios relative to either homegrown or licensed third-party solutions will grow by 30% compound annual growth rate (CAGR). [3]
• 52%: Of custom apps are built in 3 months or less [4]
• 20 yrs: Average age of an [enterprise] app [5]
Sources: 1, 3: Gartner, What Every CIO Must Know About Open-Source Software, March 2017. 2: Forrester, 2016 projections for AD&D, March 2016. 4: CIO, How long to build a custom app?, Feb 2016. 5: SiliconAngle, Oracle CEO 2025 industry predictions, Oct 2015.
Key OSS technologies in production
• Application servers
• Webservers
• Databases & big data
• Messaging / integration platforms
• Operating systems
• Private cloud stacks
OSS in infrastructure

Layer        Pre-OSS (same stack for many apps)   Post-OSS (different stack for most apps)
Web server   Apache                               Nginx, Lighttpd, IIS, Jetty
App server   Tomcat                               Node.js, Ruby on Rails, WebLogic, Play
DB           Oracle                               MongoDB, PostgreSQL, Oracle, Redis, MySQL, CouchDB
OS           RHEL                                 CentOS, AIX, RHEL, Solaris
Common challenges: OSS in production
• Production outages or severe performance degradation
• Security breaches and vulnerable endpoints
• Lack of security mitigation procedures
• Unclear documentation and/or difficulty attaining OSS-specific knowledge
Cost of problems in production
• 5: Average number of enterprise downtime events per month, costing $1 to $60 million annually [3]
• 7%: Reduction in conversion resulting from a one second page delay [4]
• 80%: Issues stemmed from improper configuration and/or problems within the environment [2]
• 43%: Devs spend between 10 to 25% of time debugging errors discovered in production [1]
Sources: 1: ClusterHQ DevOps Testing Survey, Nov 2016. 2: Rogue Wave Software OSS Support Report, Feb 2017. 3: IHS Markit Survey, Jan 2016. 4: Akamai research, 2015.
Gartner, What Every CIO Must Know About Open-Source Software, March 2017:
Tackle open source (either commercially supported or self-supported) as inevitable investments that by being properly managed, will yield considerable total cost of ownership (TCO) and "business value" benefits. When unmanaged (or undermanaged), these same OSS technologies will instead introduce considerable technical, security and legal risks to the enterprise.
“Always on” with the right risk mitigation
• Cost of ownership assumed when managing/maintaining open source software in production
• Risk of running software without warranty is significant
• Benefit from the competitive edge gained by adopting OSS solutions by mitigating that risk
• Create and execute a strategic plan for supporting this software which you do not own and did not write
Choosing OSS support options
• As OSS use grows, so will the number of support decisions to be made
• Best practices
– Require a support plan for OSS
– Develop guidelines on type of support required depending on:
• Organizational skill
• OSS component characteristics
• Application characteristics
– Require that all OSS components are maintained (bug and vulnerability patches)
– Maximize productivity and efficiency: integrate these aspects into OSS management policy and processes
Types of support
A range of options exists for supporting open source software:
• Community support
• Commercial support
• Mixed approaches
• Self support
Understanding your risk profile
Figure: your critical application(s) (App 1, App 2, App 3) profiled against five risk dimensions: technical risk, license compliance, security, asset management, and skillset / expertise.
Next step
Develop your profile with a complimentary OSS risk profile consultation
Sign up to speak with an OSS expert by writing “YES” in the Q&A box.
Questions?
Submit questions to the presenters via the on-screen text box
Alan Zeichick, President & Principal Analyst, Camden Associates
Rod Cope, Chief Technology Officer, Rogue Wave
Thank you for attending
Please visit our sponsor and any of the resources below:
• http://www.informationweek.com/events
• 7 Questions to Select, Deploy, and Maintain Open Source Software Effectively
• 2017 Open Source Support Report
• OpenUpdate for OpenSource