Open-Source Vs. Commercial Software: A False Dilemma

There's a religious war between the defenders of open-source and commercial product supporters. Ultimately, the question is really one of requirements.

Michele Chubirka, Security Architect

May 14, 2014

3 Min Read

When the question of whether or not an organization should use open-source or commercial products arises, the discussion frequently seems to focus on extremes.

These positions are usually based upon a number of myths regarding both sides. There appear to be very specific stereotypes surrounding the types of consumers of open-source vs. commercial off-the-shelf (COTS) products. Open-source users are often viewed as strapped for cash, usually in the academic or non-profit realms, therefore willing to accept the risk involved with a product that isn't backed by a profit-driven company. Enterprise users are perceived as needing the stability and certainty that come in the form of a support contract with a commercial product.

But is this really the case or are the lines much blurrier regarding the seemingly large divide between open-source and commercial products?

There's a religious war that inevitably ensues between the defenders of open-source and commercial product supporters. The open-source guys are seen as being in it for love. They work harder to find solutions, unimpeded by the demands of commerce -- i.e., shareholders. COTS people proclaim their products are more dependable. After all, they've been rigorously tested prior to release and provide 24x7 support options for customers who can't afford service problems due to software bugs. But is this really the case?

At least in the security realm, problems don't discriminate between the commercial and open-source realms -- neither are exempt from embarrassing vulnerabilities. One only has to make a cursory examination of the latest US-CERT notifications to debunk that myth. There are plenty of commercial products that make appearances alongside open-source, even with their bug bounties and impressive security budgets. Profit-driven or not, humans write software and they're prone to error.

[For more insights on open source software, read Open Source's Deep-Seated Conflict.]

As for documentation, technical writing is a difficult skill that few on either side seem to master. Most in the industry would admit to documentation gaps in open-source as well as with commercial products. And when that product documentation can sometimes weigh a metric ton or be comparable in length to War and Peace, it really isn't very effective anyway.

Regarding customer support, just as commercial products offer tiered options, open-source products also have this capability. Sometimes it may be through a third-party, or more often a company may have commercial and community editions such as Rapid7 and One is licensed and sold with official support offerings, while the other uses crowd-sourced assistance via user groups.

What many professionals also often forget or fail to grasp is that open-source software usually forms the foundation of many commercial products. Take the offerings from the Internet Software Consortium (ISC): Almost every implementation of DNS is ultimately based upon their original BIND software, as well as DHCP. Would we even have some of the robust commercial solutions of today without the efforts of pioneers such as Paul Vixie and Eric Allman?

Ultimately, the question is really one of requirements. Which one will best meet the needs of the organization? Would it be better served with an open-source product that can be customized to meet a very specific use-case or is it more appropriate to give up the perfect for the good? How much time and resources can a business afford to spend on custom solutions, which often demands cultivating a savvy workforce who can deploy and manage it? However, do you need to blow your budget on commercial options for every problem? There are levels or subtlety involved in these decisions that can't be resolved by black-or-white thinking. The choice between open-source and COTS is usually a false dilemma with the reality being that they aren't mutually exclusive.

Could the growing movement toward open source hardware rewrite the rules for computer and networking hardware the way Linux, Apache, and Android have for software? Also in the Open Source Hardware issue of InformationWeek: Mark Hurd explains his "once-in-a-career opportunity" at Oracle.

About the Author(s)

Michele Chubirka

Security Architect

Michele Chubirka, also known as Mrs. Y, is a recovering Unix engineer with a focus on network security. She likes long walks in hubsites, traveling to security conferences, and spending extended hours in the Bat Cave. She believes every problem can be solved with a "for" loop. She also hosts a podcast called Healthy Paranoia, a security feed of Packetpushers. You can find her blogs and podcasts at or When not blogging or podcasting, she can be found using up her 15 minutes in the Twittersphere or Google+ as @MrsYisWhy.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights