The True Cost of Open Source Software Uncovering Hidden Costs and Maximizing ROI White Paper February 2010 The True Cost of Open Source Software Uncovering Hidden Costs and Maximizing ROI Distilling the Debate: Is Open Source Software for You? Do you know what open source you’re running? If not, you are not alone. As systems administrators and If you have researched open source software, even just a little, you’ve likely encountered two distinct worldviews: believers and skeptics. Believers celebrate open source as free, collaborative code. In this paradigm, open source software isn’t just a free licensing model; it is a movement for building better, more flexible software. But, that’s just one side of the story. Open source skeptics raise compelling counterarguments for why open source software and the enterprise don’t mix. So, where does this leave you, especially if you are tasked with deciding whether or not to implement open source software in your organization? In this paper we’ll delve deep into both arguments and provide practical tools to help you decide whether or not open source software will be a good return on your company’s investment. We’ll also present solutions for bridging the gap between “believers” and “skeptics” in your organization, and for reducing risks that go hand-in-hand with running open source software in the enterprise. The Appeal of Open Source To determine whether or not open source software is the right choice for your organization, you must weigh the pros and cons. Let’s begin with pros—the tangible benefits that have significantly increased open source adoption in the last decade. Analyst firm Gartner predicts that 90% of enterprise software development businesses will be using open source software by 2012.1 But, it’s not just software development firms that are warming to open source software. Adoption is on the rise in all business verticals, from financial institutions to government agencies. In the last two years, for instance, open source has become prevalent in large, traditional financial institutions like Credit Suisse, Bank of America and Goldman Sachs. Similarly, the Department of Defense (DoD) and Department of the Navy (DoN) report that a variety of open source software programs are in operation in both classified and unclassified environments inside their organizations.2 These are some primary reasons why open source software has become so prevalent. 1. Free licenses. The driver for many organizations is free software licenses. When licenses are free, businesses cut initial hard costs of product and project development. Businesses are under terrific pressure to cut costs and open source software offers a concrete way to significantly slash budgets. A 2008 Forrester Research study reported that CIOs regard lower costs as the main reason for using open source software in their organizations: “It is not just the cost of the [commercial] license, but also the fact that [you] have to pay between 20 and 25 percent of the value of the license per year on an annual maintenance agreement with commercial products,” says senior Forrester analyst, Jeffrey Hammond.3 In today’s tough economic environment, the lure of free software licenses is hard to resist. Additionally, because open source software is free, it’s very easy to acquire. Developers simply download the code and can immediately start working. There’s no lengthy procurement processes to slow down developer productivity. 2. Own the code. Under the GPL—the General Public License that allows developers to use open source software for free—you have full access to the open source code you use. That means you can freely change the code and add new functionality whenever you want. Plus, anyone can make alterations to open source software; you are not obligated to work with specified third-party vendors who often charge exorbitant prices for custom work. 3. Software quality is continually improving. Despite skeptics’ fears about the quality of open source code, there is plenty of evidence that the overall number of defects in open source code drops over time.4 As open source communities collaborate the code base inevitably improves; bugs are fixed; features are added; it achieves faster performance and integrates more seamlessly with other systems. When you “buy in” to open source software you don’t just get the code you implement today. You get what the software will be tomorrow, next year and a decade from now. The True Cost of Open Source: Software Uncovering Hidden Costs and Maximizing ROI © ActiveState Software Inc. February 2010 1 4. Code stability. In the enterprise, dynamic open source languages—like PHP, Perl and Python—are the most popular “flavor” of open source. According to a 2010 Forrester survey, 57% of developers surveyed have used dynamic languages in their development work.5 As such, popular programming languages have considerable momentum behind them with millions of developers working on the code. With so many people dedicated to these open source projects, their viability is not in question. Unlike commercial software vendors, there’s virtually no chance that established open source languages will vaporize when economic times are tough. 5. Draw on the open source community for help. When you implement, alter and add to open source software, you become part of a thriving community of passionate software developers. This philosophical take on open source may seem banal from a business perspective, but it offers some real technical advantages. As part of a community, you can solicit help in discovering and building new and useful functionality. You’re not at the mercy of commercial vendors who may never make improvements or upgrade their software to integrate more smoothly with other systems, achieve faster performance, or combat new security threats. Open source is synonymous with freedom. Not just free licenses, but freedom to alter and improve the code base and to benefit from others who do the same. “Believers” view open source software as self-sufficient technology that removes development barriers and improves the overall quality of software projects. Obstacles and Risks Yes, open source licenses are free and anyone can alter and improve the code to fit their needs. But, there can be risks and unpredictable outcomes when open source software is not factored into the overall business strategy. For open source to work for an organization, developers and managers must be on board to ensure that both the technical and business demands of open source software are properly managed. So, to balance the debate, here are the cons—the problems that frequently result in cost overruns, technical roadblocks and business interruptions. If you’re considering implementing open source software as part of your IT strategy, don’t overlook these potentially troublesome issues. 1. Open, Not Free. “Just because something is free does not mean that it has no cost,” says Laurie Wurster, a Gartner analyst.6 Many companies are blinded by free licenses and ignore the true cost of open source software. Licenses are free, but the software doesn’t run itself. To get an implementation up and running smoothly you’ll need experts— in-house or consultants—to complete the installation and complex integrations. Like any software implementation, open source projects, if not managed properly, can stretch development budgets. 2. Code maintenance. When you use open source software, there’s no proprietary software vendor maintaining the code for you. It’s up to your team to install updates, make security fixes, implement new modules, and more. But, when your IT team is already stretched with core development projects and under tight delivery deadlines, open source software maintenance can go by the wayside. This quickly becomes problematic. If you don’t make open source code maintenance a priority, the quality of your software project can deteriorate: security patches aren’t installed and bugs don’t get fixed. With the continual uptake of open source software in the enterprise, companies are offering commercial or “hybrid” versions of open source that include technical support and maintenance services, so the burden of maintenance doesn’t need to fall entirely to in-house development teams. 3. No support contracts. Open source software doesn’t come with support. When you’re on a tight development schedule, a lack of formal support can put your project at risk. The open source community is typically helpful and will likely respond to your questions and queries. But, these developers are under no obligation to do so in a timely manner. This is especially problematic if your company uses open source software in mission-critical applications, or if you use open source software in commercial products. Without 24/7 technical support in place, your own product’s time to market may lag. Even worse, uptime can suffer and your customers will feel the negative effects. Alex Wied, head of Accenture’s Innovation Centre for Open Source, says investing in professional software support--even for open source software--is critical: “It is essential that there’s a trusted vendor, behind each software, that secures technical support regardless if proprietary or open source.”7 The True Cost of Open Source: Software Uncovering Hidden Costs and Maximizing ROI © ActiveState Software Inc. February 2010 2 Similarly, the DoD and DoN have initiated a policy that strongly encourages all open source software to be professionally supported, either by someone inside those organizations or by a third party. To mitigate the risk of open source software going bad, you must invest in support services, an oft forgotten line item in open source implementation budgets. 4. Legal liability. You don’t have to pay for open source licenses, but you must license the open source software you use in enterprise products. Although open source licensing terms have nothing to do with money, they can put restrictions on how you distribute your product. With dozens of open source licenses to choose from (GPL, Artistic, LPGL, Creative Commons, BSD, to name a few), managing licensing is notoriously confusing. It can be an administrative headache and opens your business up to legal liability. If you misinterpret licensing requirements, you could unwittingly wind up in an embarrassing and potentially costly legal battle like Cisco did in 2008 when the Software Freedom Law Center filed a copyright infringement lawsuit against Cisco Systems for violating open source software license agreements. Under the terms of the General Public License (GPL), distributors of enterprise software that use open source code must make the open source code available with their software distribution. Cisco failed to do so. The company ultimately settled the lawsuit by making a monetary donation to the Free Software Foundation and by appointing a Free Software Director to conduct continuous reviews of the company’s license compliance practices.8 Even if a licensing debacle doesn’t lead to litigation, your company could be fined, or worse, your organization’s reputation could be damaged resulting in negative PR, even a drop in share prices. In theory, it should be easy to document open source usage in an organization and license it correctly. In practice though, most organizations fall short. A 2008 Gartner survey reports that the majority of businesses using open source software have no formal policies in place for cataloguing open source software usage in their businesses. That’s because open source software doesn’t go through the same procurement process as proprietary software. Developers can download it from the Web and use it without managers even knowing it’s there. Of course, if you don’t know what open source software you’re running, you can’t be licensing it correctly. Gartner analyst, Laurie Wurster says to avoid liabilities, “companies must have a policy for procuring OSS, deciding which applications will be supported by OSS, and identifying the intellectual property risk or supportability risk associated with using OSS.9 Especially if you have a commercial product out in the world, the chance of users discovering open source embedded in your software is high, which makes using open source software in enterprise products a risky proposition without proper licensing. To mitigate this kind of legal risk, software development companies are beginning to enlist the help of third-party licensing experts who make sure open source software licensing is in place and accurate. Free software licenses and flexible, extensible code is hard to pass up. But, when you factor in the time and financial costs of implementation and maintenance, plus the lack of formal support and potential license infringement, it’s clear that unless managed properly open source software may have a higher price than developers and managers expect. The True Cost of Open Source Both arguments have valid claims. So, where to start in making your realworld evaluation? Too many companies jump on the bandwagon without fully understanding the true cost of an open source implementation. Or, conversely, they avoid open source altogether thinking that the risks are too high. In a 2008 Computer Weekly article about open source liability, Gartner shares survey results from 274 companies around the world. Gartner measured high open source software usage, but found that most (69 percent) of companies were not measuring the cost of their open source usage. So, let’s look at some hard costs of open source software. We’ll also look a hybrid approach—enterprisegrade open source software delivered by a third party, like ActiveState, which offers technical support, indemnification and redistribution rights along with best practices development expertise for dynamic languages including Perl, Python and Tcl. The True Cost of Open Source: Software Uncovering Hidden Costs and Maximizing ROI © ActiveState Software Inc. February 2010 3 Total Cost of Ownership A key component of project success is being able to estimate total cost of ownership (TCO). TCO includes much more than license acquisition costs; there are significant, ongoing costs associated with implementation, training, maintenance, support and legal licensing. If you don’t take all these costs into consideration, you will come up against surprise cost overruns that can threaten project success. In the tables below we compare two ways to implement open source and the costs associated with them: pure open source and ActiveState’s managed open source solutions. With numbers from the chart and formulas below, we can use this formula to calculate TCO: A = Acquisition costs I = Implementation costs M = Maintenance/support costs L = Legal costs A + I + M + L = TCO Costs Open Source Dynamic Language Enterprise Dynamic Language Solutions by ActiveState Acquisition Cost (Software Licenses) None None Training Developer salary * days training Developer salary * days of training Development Developer salary * development months + fixed costs of in-house open source expert Developer salary * development months+ fixed costs of in-house open source expert Maintenance and Support Full-time salary + fixed costs of in-house open source expert or consultant fee Annual ActiveState Enterprise solution fee Legal (Distribution Rights and Indemnification) Time for license audit/building governance process + potential license infringement risk costs Annual ActiveState OEM License solution fee + Indemnification coverage fee The True Cost of Open Source: Software Uncovering Hidden Costs and Maximizing ROI © ActiveState Software Inc. February 2010 4 The sample calculations in the following chart are ballpark figures and may not accurately represent your project, including how much training and development hours are required. However, they provide a basic cost comparison between two open source deployment methods. In this case we compare the cost of using pure open source Perl and ActiveState’s Perl Enterprise distribution. The following table shows typical costs for a small development project. Costs Open Source Dynamic Language Enterprise Dynamic Language Solutions Savings with ActiveState Acquisition Cost (Software Licenses) None None None Training 10 days of training based on an annual salary of $100,000 = $3,790 5 days of training based on an annual salary of $100,000 = $1,895 Development 1 full time engineer for one year = $100,000 annual salary + $20,000 annual fixed costs for inhouse open source expert = $120,000 One full time engineer for nine months = $75,000 + $15,000 annual fixed costs = $90,000 50% 25% Maintenance and Support .5 full time engineer @ $100,000 annual developer salary + $20,000 annual fixed costs for in-house open source expert = $60,000 Annual ActiveState Enterprise solution fee, approximately $25,000 59% Legal (Distribution Rights and Indemnification) 3 days of engineer’s time for consulting with legal team + 40 hours for legal team to draw up legal documents = $17,000 Plus, the cost of potential legal fees should you be hit with an IP infringement lawsuit. Annual ActiveState OEM License and Indemnification coverage fee, approximately $14,000 18% $234,900 $147,950 Total (development accelerated by ActiveState support) PLUS If you become involved in a lawsuit, licensing costs could explode by 200 or 300 %. $86,950 in savings ActiveState pricing in the table above has been averaged and is for example purposes. Please consult with ActiveState to determine exact pricing for your project. The True Cost of Open Source: Software Uncovering Hidden Costs and Maximizing ROI © ActiveState Software Inc. February 2010 5 Obviously, the cost savings in reduced development time will scale as a project grows. Using the charts above as a reference, you can calculate real costs for your project using commercial software with this formula: Acquisition Costs = (Project Duration * Developer Seats) * Annual Cost per Developer Seat Implementation Costs = Training + Development Training = Number of Developers * Salary per Month* Number of Days Development = Number of Developers * Salary per Month* Number of Months Maintenance and Support = Annual Fee for Support Contract Legal Costs = None Calculate costs for a project using open source software: Acquisition Costs = None Implementation Costs = Training + Development Training = Number of Developers * Salary per Month * Number of Days Development = Number of Developers * Salary per Month * Number of Months Maintenance and Support = Salary of in-house or consulting open-source expert Legal costs = Implementing license audit/building governance processes Calculate costs for a project using commercial open source solutions. Contact ActiveState for a quote to complete an accurate calculation: Acquisition Costs = None Implementation Costs = Training + Development Training = Number of Developers * Salary per Month * Number of Days Development = Number of Developers * Salary per Month * Number of Months Maintenance and Support = Annual ActiveState Enterprise Solution Fee Legal Costs (Distribution Rights +Indemnification) = Annual ActiveState OEM LicenseFee+Indemnification Coverage The True Cost of Open Source: Software Uncovering Hidden Costs and Maximizing ROI © ActiveState Software Inc. February 2010 6 Five Principles for Maximizing Open Source ROI If, after considering TCO, open source software is an attractive alternative for your organization, then following these five best practice principles will put you on the road to successful, cost-effective open source software implementations. Use Good Quality Software Open source software is continually improving, but that doesn’t mean it’s perfect today. If the software you choose is not top quality, it can cause a ripple effect that can ultimately downgrade your product or project. Open source is simply a licensing model; it does not mean best practices, like incorporating open standards, are in place. If quality code is important to you—and it should be—do your homework and choose a tried and tested application or language distribution with a stellar reputation like ActiveState’s ActivePerl, a quality assured version of Perl that improves on pure open source Perl. Get Experts on Your Side As open source components become ubiquitous, developers are under pressure to learn a variety of dynamic languages. They become generalists. A broad understanding of dynamic languages may be enough to keep them running day-to-day, but when it comes to complex development, working with open source component experts, will save you time and money in the long run and steer your project in the right direction. Some organizations hire third-party open source experts as project partners while others bring expertise in-house. But, a full-time salary and fixed employee costs can be cost prohibitive. Plus, you may have a hard time keeping a full time open source component guru busy. Experts are most effective at key moments in development and implementation. For instance, you may need an expert when upgrading your software or launching on a new platform, but that expert’s time is wasted on day-to-day duties. Either way, a legitimate expert is worth the price. He or she will shorten development time and will limit costly snafus. Maintain Your Open Source Software Open source software must be nurtured. You have full access to the code, so it is your responsibility to undertake routine maintenance: make version updates, install security patches, add new modules, etc. Open source software development keeps moving and improving, so you must keep up with the latest versions. In the worst case scenario, developer attention starts to shift toward newer versions and features and organizations using older releases end up relying on code that is getting less and less attention, few bug fixes and less security attention. Staying on top of code maintenance will ensure that code quality does not deteriorate. Avoid Licensing Debacles At first glance, managing open-source licensing on your own seems straightforward, but it is complex and time consuming. First, you must determine top-level licensing. Then it’s on to deciphering module-level dependencies. Open source languages are made of up thousands of libraries, modules, packages and frameworks that are all licensed separately. You’ll need to develop processes for cataloguing open source software including version and release numbers, whether it’s used internally or will be distributed, whether it’s been modified, etc. There is the significant cost of developing this process in-house, or getting legal advice to ensure open source software licensing doesn’t become your downfall. It’s easy to ignore licensing, but the consequences are intellectual property infringement and unexpected costs. Don’t Rely Entirely on the Open Source Software Community for Support If you don’t have an expert on your team in the specific open source application or language you’re using, then solving technical problems can be difficult. Documentation is not always available, or helpful. Plus, you may need to wait days or weeks for the open source community to answer your queries. Research also indicates that up to 39% of information seekers never receive public replies to their queries.10 This principle requires that you either hire in-house expertise, or that you work with a third-party, enterprise-level support team that won’t leave you high-and-dry when issues threaten project success. The True Cost of Open Source: Software Uncovering Hidden Costs and Maximizing ROI © ActiveState Software Inc. February 2010 7 The ActiveState Answer Following these five principles is difficult. Especially when the particular open source component isn’t your core area of expertise and your team has other important tasks to focus on—like getting your product to market or implementing an internal system or solution. According to IDC analysts, an increasing number of organizations are subscribing to third parties to support open source software in their businesses. At ActiveState, we provide a safety net, by offering enterprise-grade language distributions for Perl, Python and Tcl along with commercial support, indemnification and distribution rights packages. Our open source language distributions are renowned for quality and are now the de-facto standards for millions of developers around the world. Like all open source code, ActiveState language distributions are provided free to the community. ActiveState’s enterprise-level dynamic language expertise and reliable support for Perl, Python and Tcl are designed to help organizations meet development deadlines and keep overall costs down by allowing developers to focus on their core competencies. ActiveState also provides Intellectual Property indemnification packages, which help organizations building business-critical and mission-critical systems, minimize legal risks, ensure compliance, and accelerate productivity. Enterprise-grade support and licensing solutions minimize the hardships associated with code instability, unreliable technical support and potential license infringement. From development troubleshooting to emergency in-production coverage, ActiveState support ensures priority access to open source language experts and includes unlimited incidents, guaranteed response times, and fixes delivered to you quickly. Don’t reinvent the wheel in-house; avoid budget overruns and blown deadlines. Instead, rely on our experts and commercial support and enjoy one more thing you don’t have to worry about. In addition, if you are distributing, selling or bundling software, hardware or devices that contain open source components, your organization may be exposed to serious legal risk. Through OEM licensing, ActiveState offers turn-key redistribution rights, indemnification, and commercial support to guarantee assurance to software and hardware vendors and their customers removing any risks associated with copyright infringement lawsuits. Contact ActiveState at 778.786.1101, or business-solutions@activestate.com for a complimentary consultation with ActiveState’s language experts. 1. Peter Judge, “Gartner: Open source will quietly take over”, ZDNet UK, April 4, 2008, http://news.zdnet. co.uk/software/0,1000000121,39379900,00.htm 2. DON CIO memo, “Department of the Navy Open Source Software Guidance, of 05 June 07” and DOD CIO memo, “Clarifying Guidance Regarding Open Source Software (OSS)”, October 16 2009. 3. Cliff Saran, “Tough times boost open source sales pitch,” Computer Weekly, December 9, 2008. 4. Chris Kanaracus, “Study Shows Open-source Code Quality Improving,” PC World Business Center, September 23, 2009. http://www.pcworld.com/businesscenter/article/172469/study_shows_opensource_ code_quality_improving.html 5. Jeffrey Hammond, “What Developers Think,” Dr. Dobb’s, January 16, 2010, http://www.drdobbs.com/ architect/222301141. 6. Antony Savvas, “Firms open to huge open source liabilities”, Computer Weekly, November 18, 2008. http://www.computerweekly.com/Articles/2008/11/24/233445/Firms-open-to-huge-open-source-liabilities. htm 7. Alex Wied, “Commercial open source is essential to enterprise IT”, ComputerworldUK, August 13, 2009. http://www.computerworlduk.com/community/blogs/index.cfm?entryid=2443 8. Ryan Paul, “Cisco settles FSF GPL lawsuit, appoints compliance officer”, ars technical, May 21, 2009, http://arstechnica.com/open-source/news/2009/05/cisco-settles-fsf-gpl-lawsuit-appoints-complianceofficer.ars 9. Antony Savvas, “Firms open to huge open source liabilities”. Computer Weekly, November 18, 2008. http://www.computerweekly. com/Articles/2008/11/24/233445/Firms-open-to-huge-open-source-liabilities. htm. 10. Karim R. Lakhani and Eric von Hippel, “How open source software works: “free” user-to-user assistance”, MIT Sloan School of Management, July 12, 2002. 11. Anuradha Shukla, “IDC: Organisations adopt open source to reduce expenses”, Computerworld, September 29, 2009. http://news.idg.no/cw/art.cfm?id=073779BA-1A64-6A71-CE90B369D13FD0C2. The True Cost of Open Source: Software Uncovering Hidden Costs and Maximizing ROI © ActiveState Software Inc. February 2010 8 About ActiveState ActiveState empowers innovation from code to cloud smarter, safer, and faster. ActiveState’s cutting-edge solutions give developers and enterprises the power and flexibility to develop in Java, Ruby, Python, Perl, Node.js, PHP, Tcl, and more. Stackato is ActiveState’s groundbreaking cloud platform for creating a private platform as a service (PaaS), and is the cost-effective, secure, and portable way to develop and deploy apps to the cloud. ActiveState is proven for the enterprise: More than two million developers and 97% of Fortune-1000 companies use ActiveState’s end-to-end solutions to develop, distribute, and manage their software applications. Global customers like Cisco, CA, HP, Bank of America, Siemens, and Lockheed Martin look to ActiveState to save time, save money, minimize risk, ensure compliance, and reduce time to market. ActiveState Software Inc. 1700-409 Granville Street Vancouver, BC V6C 1T2 Phone: +1.778.786.1100 Fax: +1.778.786.1133 business-solutions@activestate.com phone: +1.778.786.1101 Toll-free in North America 1.866.631.4581 www.activestate.com