Free Code for Sale: The New Business of Open Source

The future of open source is not Linus Torvalds.

It’s Marty Roesch.

In 1998, Roesch, then 28 and an engineer at telecom company GTE-I, created an open-source program called Snort for detecting intrusions into computer networks. Today, he sheepishly acknowledges that he’s a multimillionaire, having sold Sourcefire, the company he created to sell add-ons to Snort, for $225 million to security software leader Check Point. (The deal is expected to be finalized before the end of the first quarter 2006.)

Roesch’s road to riches—using the Internet to distribute open-source software for free and selling proprietary (closed-source) pieces that enhance the free stuff—is emerging as the most popular new business model in the software industry, according to venture capitalists. Call it the mixed-source model. On the surface, it would seem to offer the best of both worlds: CIOs get free software, and the companies developing the code get e-mail addresses from downloaders, so they can try to sell them proprietary add-ons. Venture capitalists love this model because they can invest their money in software that can be sold rather than in big sales staffs or expensive marketing and branding campaigns.

But in the rush to monetize the open-source model, these startups could be on a collision course with the communities that spawned them. When a venture-backed company builds both open-source and proprietary software under the same roof, it invites a showdown between the people contributing the free stuff (the open-source community) and the company looking for competitive advantage from the proprietary stuff. “It’s an inherent conflict of interest,” says Jo Tango, general partner at Highland Capital Partners, a venture capital company. “Whose additions to the software get approved? And how are those additions prioritized? Is it for the open-source product or the for-profit stuff?”

And that could lead to situations in which CIOs are seduced into using what seems to be free technology only to find they must pay to make it work down the road, says Michael Goulde, senior analyst for Forrester Research. Adds Tango: “This model has been around for years. It’s called a trial version.”

Proprietary software companies have been giving away trial versions of their software for years. But the code is closed, and the free versions are lesser versions of what you’d get if you paid full price. “That’s no different from what these so-called open-source firms are doing with their community [open source] and enterprise [proprietary] editions of their software,” says Barry Strasnick, CIO of CitiStreet, a benefits management company.

In other words, the free stuff becomes nothing more than a come-on. Adds Lee Hughes, CIO of Owens Forest Products, “My fear is that if a company has a free open-source version and a commercial version with enhanced features, the free version [may suffer] down the line.”

Why the Model Matters

Strasnick and Hughes wouldn’t be so concerned if open-source software were still a casual plaything for their developers trying to save money on a few Web servers. But open source has become a vital part of the CIO’s software acquisition strategy—especially when it comes to infrastructure software. Research company Gartner predicts that by 2010, Global 2000 IT organizations will see open source as a viable option for 80 percent of their infrastructure software investments. CIOs can’t afford to treat open source as a throwaway, and they can’t afford to do without support for the open source that becomes a vital component of their infrastructures.

But shopping for open-source software is a very different animal from the traditional software acquisition process. The company you’re buying from is a community, the references you’re checking when you’re doing your due diligence are postings on a bulletin board, and the developers posting them may not even be employed.

Conventional wisdom says you don’t want to see how your breakfast sausage is made, but CIOs are going to have to peek into the kitchen before committing themselves to an open-source diet. There are many different business models emerging besides mixed source (see “Your Guide to Open-Source Business Models” on Page 50), so CIOs will have to cast a careful eye on these companies and communities to predict whether they will still be around in a year or two. This is now critical business research for CIOs. It’s every bit as important as tracking Microsoft’s or Oracle’s stock price, acquisition strategies and upgrade announcements.

The Money Game

Roesch bristles when you bring up the fears CIOs have about “crippled” open source. He’s got a right to be touchy. Eight years ago, he single-handedly developed the core of Snort. Since then, he estimates that he has written 3,000 postings to the Snort discussion list and carefully built a large community of users (more than 2 million downloads and 100,000 active users, he says). In return, he got what every open-source developer craves: respect, recognition and the occasional free beer from grateful users at technology conferences.

Roesch got everything except money. And that was OK. For a while.

“I was never motivated by financial gain,” recalls Roesch. “It just ended up that way. People don’t develop open source for monetary gain. You develop it for reputational gain.”

Roesch could have used his reputation to land a high-paying job at a software company, but he liked working on Snort. So in 2001 he began courting venture capitalists to see if they would back his plans to start a company to support Snort. When he made the rounds, he says, there were no takers. “They wouldn’t go near it unless we had some [proprietary] intellectual content wrapped around Snort,” Roesch says.

Once he developed some proprietary management tools and a friendly GUI to run on top of Snort, Roesch got his money. And he’s never looked back, partly, he argues, because he has no choice. Snort competes against software from well-known, well-funded companies such as Cisco, and “if you’re going into a highly competitive area of software, as we did, you have to take venture capital,” he says, adding that others have built proprietary tools around Snort. “You’re going to have people who are going to try to ride on your coattails,” Roesch says.

So far, according to Roesch, no one in the Snort community has held his financial success against him. “I like writing code,” says Glenn Mansfield Keeni, a professional developer who contributes to Snort in his spare time. “I derive great satisfaction by contributing towards building a secure Internet. The code remains open source so there is no bitterness or feeling of being let down. If the commercial framework helps Snort take greater strides forward, that’s welcome.”

But others in the community wanted to guarantee that Snort would remain open. They formed a group in 2003 called Bleeding Snort to provide open-source intrusion-detection rules and definitions for Snort (similar to the virus definition files you download for your antivirus program). It was a prescient move. Sourcefire now makes its updates available to its paying customers first; others have to wait five days. And unlike Bleeding Snort’s updates, Sourcefire’s are no longer released under an open-source license. Companies that have built proprietary software on top of Snort (Sourcefire is not the only one) have to pay a fee to Sourcefire to get those updates now. But Bleeding Snort often beats Sourcefire to the punch with new rules, says Alan Shimel, chief strategy officer for StillSecure, a security software company that uses the Snort engine as part of its proprietary software. Shimel obviously has a vested interest in keeping the Snort engine open source, but he says “there were a lot of people in the Snort community who weren’t happy when [Roesch] formed Sourcefire. I’ve spoken to people inside Check Point who say they intend to keep Snort open, but as they say, the road to hell is littered with good intentions.”

For its part, Check Point’s website states that it is “committed to the Snort open-source community, and we look forward to growing the Snort solution and the Snort community in the future.”

But the fact is, not all open-source security software has remained open. A software package called Nessus was initially released under an open-source license in 1998, but the latest version (3.0) has been released under a commercial license (earlier versions remain available as open source)—though it is still free to users. Nessus’s original developer, Renaud Deraison, who, like Roesch, has started a company (Tenable Network Security), says his commercial customers pressured him to close the source. “Many of them had prohibitions against [open-source] software or had to jump through legal hoops to get permission for it,” he says. “What they want is quality, free software. The license is less important.” Though Nessus’s shift has brought criticism from some open-source advocates on discussion websites like Slashdot.org, Nessus usage seems not to be affected—at least not yet.

Meanwhile, CIOs—who are constitutionally skeptical of vendor promises—are worried about Check Point’s purchase of Snort. “It’s definitely a concern,” says Kirk Drake, vice president of technology for the National Institutes of Health Federal Credit Union, which uses Snort and Sourcefire’s add-ons. “But it’s no different from what we’ve seen before. We buy a good product, and it gets bought by another company and the product can change. And the pricing changes.”

According to Roesch, those who see mixed source as a Trojan horse for an inevitable march back to proprietary software are underestimating the power of the open-source community. “Check Point got one of the most tested and deployed code bases in the world, and if they manage it carefully they’ve got the community too,” says Roesch. “I would argue that the goodwill generated by Snort among users and developers probably outweighs the value of [the proprietary software], and I think Check Point believes that as well.” In other words, continuing to support an open Snort will cost Check Point less than alienating the community by closing the source.

The Trojan Horse Scenario

No one in the open-source community faults Roesch or Check Point for making money from open-source software. After all, “free as in free speech, not free beer” is the mantra of Richard Stallman, the father of the free software movement (now more widely known as open source). But the open-source community, though far from monolithic, can agree on one thing: No one likes companies that would try to use open source as a Trojan horse for fee-based proprietary software.

At some point in the near future, companies without a sufficient understanding of what makes the open-source community tick are going to test the limits of mixed source, predicts Geoffrey Moore, managing director of TCG Advisors, a consultancy. “I think there is a potential for backlash from the open-source community against companies that do not play according to the aspirations or ethics of that community,” says Moore.

Fallout from this kind of uprising could put a big hurt on a CIO’s infrastructure. For example, open-source projects could be left for dead by their communities, with no one left to support them. Then there’s “forking,” in which the open-source code base is used to start a new project that is incompatible with the original version. Finally, there’s the doomsday scenario: malicious hacking of a formerly open-source code base.

CIOs are concerned about getting caught in the middle of this fragile relationship—especially if their software provider goes under. “If I have some proprietary software, I have to worry about disrupting my infrastructure if I need to take it out and then find a replacement for it,” says Strasnick. But if the code is open, as is the case with Strasnick’s JBoss middleware system, users can take the code with them to another provider if the relationship sours.

“If JBoss decides to stop supporting my software,” says Strasnick, “I will have the source code, and I can simply go find someone else to support it.”

Why VCs Don’t Like What CIOs Want

CIOs prefer the open-source business model that Roesch couldn’t sell to potential investors: a services model in which the company sells support for a single, open-source code base.

“I like the services model because all my money goes into implementation and support,” says Strasnick. A few well-known open-source companies, such as Red Hat (Linux), JBoss (middleware) and MySQL (database), are built around this model. But because the software code base is open to anyone, barriers to entry for competitors are low.

These companies have to be extremely lean and mean to go up against comparable proprietary software companies. “CIOs expect to pay less for open source,” says Forrester’s Goulde. “It has to provide 30 to 50 percent savings.” That would seem easy when the software is free, but the software usually isn’t free for the companies that support it; many must provide their own employees to lead, manage and code the open-source products. The unpaid community that appeared around Linux took many years to develop and is the exception rather than the rule. Worse, venture capitalists don’t like the services-only model because the margins on service are invariably lower than those for proprietary software. “The venture community is committed to getting a disproportionate amount of return on its capital,” says Moore. “At some point, the company [they invest in] has to have sustainable competitive advantage.” This helps explain why open-source companies have been slower to grow than their proprietary counterparts.

Another limiting factor is that it’s next to impossible to build a business around open source in niche markets or in vertical industries. Only a small percentage of downloaders will pay for support from vendors (for example, Snort has 100,000 regular users, but only 800 have signed up for support), and developer and user communities won’t grow unless the software is used by many, many people. So big, successful open-source products have certain things in common: They are broadly applicable across many types of companies and industries, and they tend to be in areas that companies don’t believe provide a competitive advantage (such as infrastructure) because everyone—including competitors—will have access to the software source code.

Yet even if the open-source software qualifies on all these fronts, building a business around it will still be difficult unless the software is complex and is an important part of keeping the business running. In this case, CIOs, especially those in small or midsize companies with small staffs, cannot afford to go without commercial support. Indeed, support is consistently the biggest concern of CIOs on Forrester Research’s surveys, according to Goulde. “We need a vendor to take a portion of the risk if we’re going to go with any software package,” says NIH Federal Credit Union’s Drake.

And CIOs always prefer to go with a big, established vendor for support rather than a small startup. That’s why MySQL, for example, has formed partnerships with Hewlett-Packard and Dell to support its open-source database. MySQL takes a cut of the proceeds, and CIOs get the warm-and-fuzzies from knowing that a big vendor is standing behind the product, according to MySQL CEO Marten Mickos.

Yet the combination of CIOs’ nervousness about small vendors and the venture capital community’s reluctance to back open-source software means that CIOs will see more and more mixed-source sales pitches in the coming years. It pays to vet these vendors carefully (see “Your Open-Source Checklist,” Page 52).

The ROI of Trust

For his part, Roesch believes that the Snort community will survive. “Check Point needed education about why it’s important to keep it open, and they get it,” says Roesch. Part of that education was that the open-source development model creates relationships between project owners and users that cannot be duplicated in the proprietary world. “A lot of the guys buying Sourcefire software are people who started using Snort in college, and now they’re bringing it into their companies,” he says. “It’s hard to quantify the value of being able to go into a sales meeting against big vendors like Cisco and having someone [from the prospect company] ask for your autograph.”

But that relationship, based on mutual trust and forged over many years, is fragile. If Check Point were to shut down Snort and close the source, says Roesch, “you would lose the goodwill of the community overnight.

“Getting these people’s trust takes years,” he adds. “Losing it takes minutes.”