The future of open source is not Linus Torvalds. It’s Marty Roesch.

In 1998, Roesch, then 28 and an engineer at telecom company GTE-I, created an open-source program called Snort for detecting intrusions into computer networks. Today, he sheepishly acknowledges that he’s a multimillionaire, having sold Sourcefire, the company he created to sell add-ons to Snort, for $225 million to security software leader Check Point. (The deal is expected to be finalized before the end of the first quarter 2006.)

Roesch’s road to riches—using the Internet to distribute open-source software for free and selling proprietary (closed-source) pieces that enhance the free stuff—is emerging as the most popular new business model in the software industry, according to venture capitalists. Call it the mixed-source model. On the surface, it would seem to offer the best of both worlds: CIOs get free software, and the companies developing the code get e-mail addresses from downloaders, so they can try to sell them proprietary add-ons. Venture capitalists love this model because they can invest their money in software that can be sold rather than in big sales staffs or expensive marketing and branding campaigns.

But in the rush to monetize the open-source model, these startups could be on a collision course with the communities that spawned them. When a venture-backed company builds both open-source and proprietary software under the same roof, it invites a showdown between the people contributing the free stuff (the open-source community) and the company looking for competitive advantage from the proprietary stuff. "It’s an inherent conflict of interest," says Jo Tango, general partner at Highland Capital Partners, a venture capital company. "Whose additions to the software get approved? And how are those additions prioritized?
Is it for the open-source product or the for-profit stuff?"

And that could lead to situations in which CIOs are seduced into using what seems to be free technology only to find they must pay to make it work down the road, says Michael Goulde, senior analyst for Forrester Research. Adds Tango: "This model has been around for years. It’s called a trial version."

Proprietary software companies have been giving away trial versions of their software for years. But the code is closed, and the free versions are lesser versions of what you’d get if you paid full price. "That’s no different from what these so-called open-source firms are doing with their community [open source] and enterprise [proprietary] editions of their software," says Barry Strasnick, CIO of CitiStreet, a benefits management company.

In other words, the free stuff becomes nothing more than a come-on. Adds Lee Hughes, CIO of Owens Forest Products, "My fear is that if a company has a free open-source version and a commercial version with enhanced features, the free version [may suffer] down the line."

Why the Model Matters

Strasnick and Hughes wouldn’t be so concerned if open-source software were still a casual plaything for their developers trying to save money on a few Web servers. But open source has become a vital part of the CIO’s software acquisition strategy—especially when it comes to infrastructure software. Research company Gartner predicts that by 2010, Global 2000 IT organizations will see open source as a viable option for 80 percent of their infrastructure software investments. CIOs can’t afford to treat open source as a throwaway, and they can’t afford to do without support for the open source that becomes a vital component of their infrastructures.

But shopping for open-source software is a very different animal from the traditional software acquisition process.
The company you’re buying from is a community, the references you’re checking when you’re doing your due diligence are postings on a bulletin board, and the developers posting them may not even be employed. Conventional wisdom says you don’t want to see how your breakfast sausage is made, but CIOs are going to have to peek into the kitchen before committing themselves to an open-source diet. There are many different business models emerging besides mixed source (see "Your Guide to Open-Source Business Models" on Page 50), so CIOs will have to cast a careful eye on these companies and communities to predict whether they will still be around in a year or two. This is now critical business research for CIOs. It’s every bit as important as tracking Microsoft’s or Oracle’s stock price, acquisition strategies and upgrade announcements.

The Money Game

Roesch bristles when you bring up the fears CIOs have about "crippled" open source. He’s got a right to be touchy. Eight years ago, he single-handedly developed the core of Snort. Since then, he estimates that he has written 3,000 postings to the Snort discussion list and carefully built a large community of users (more than 2 million downloads and 100,000 active users, he says). In return, he got what every open-source developer craves: respect, recognition and the occasional free beer from grateful users at technology conferences. Roesch got everything except money. And that was OK. For a while.

"I was never motivated by financial gain," recalls Roesch. "It just ended up that way. People don’t develop open source for monetary gain. You develop it for reputational gain." Roesch could have used his reputation to land a high-paying job at a software company, but he liked working on Snort. So in 2001 he began courting venture capitalists to see if they would back his plans to start a company to support Snort. When he made the rounds, he says, there were no takers.
"They wouldn’t go near it unless we had some [proprietary] intellectual content wrapped around Snort," Roesch says.

Once he developed some proprietary management tools and a friendly GUI to run on top of Snort, Roesch got his money. And he’s never looked back, partly, he argues, because he has no choice. Snort competes against software from well-known, well-funded companies such as Cisco, and "if you’re going into a highly competitive area of software, as we did, you have to take venture capital," he says, adding that others have built proprietary tools around Snort. "You’re going to have people who are going to try to ride on your coattails," Roesch says.

So far, according to Roesch, no one in the Snort community has held his financial success against him. "I like writing code," says Glenn Mansfield Keeni, a professional developer who contributes to Snort in his spare time. "I derive great satisfaction by contributing towards building a secure Internet. The code remains open source so there is no bitterness or feeling of being let down. If the commercial framework helps Snort take greater strides forward, that’s welcome."

But others in the community wanted to guarantee that Snort would remain open. They formed a group in 2003 called Bleeding Snort to provide open-source intrusion-detection rules and definitions for Snort (similar to the virus definition files you download for your antivirus program). It was a prescient move. Sourcefire now makes its updates available to its paying customers first; others have to wait five days. And unlike Bleeding Snort’s updates, Sourcefire’s are no longer released under an open-source license. Companies that have built proprietary software on top of Snort (Sourcefire is not the only one) have to pay a fee to Sourcefire to get those updates now.
But Bleeding Snort often beats Sourcefire to the punch with new rules, says Alan Shimel, chief strategy officer for StillSecure, a security software company that uses the Snort engine as part of its proprietary software. Shimel obviously has a vested interest in keeping the Snort engine open source, but he says "there were a lot of people in the Snort community who weren’t happy when [Roesch] formed Sourcefire. I’ve spoken to people inside Check Point who say they intend to keep Snort open, but as they say, the road to hell is littered with good intentions."

For its part, Check Point’s website states that it is "committed to the Snort open-source community, and we look forward to growing the Snort solution and the Snort community in the future."

But the fact is, not all open-source security software has remained open. A software package called Nessus was initially released under an open-source license in 1998, but the latest version (3.0) has been released under a commercial license (earlier versions remain available as open source)—though it is still free to users. Nessus’s original developer, Renaud Deraison, who, like Roesch, has started a company (Tenable Network Security), says his commercial customers pressured him to close the source. "Many of them had prohibitions against [open-source] software or had to jump through legal hoops to get permission for it," he says. "What they want is quality, free software. The license is less important." Though Nessus’s shift has brought criticism from some open-source advocates on discussion websites like Slashdot.org, Nessus usage seems not to be affected—at least not yet.

Meanwhile, CIOs—who are constitutionally skeptical of vendor promises—are worried about Check Point’s purchase of Snort. "It’s definitely a concern," says Kirk Drake, vice president of technology for the National Institutes of Health Federal Credit Union, which uses Snort and Sourcefire’s add-ons.
"But it’s no different from what we’ve seen before. We buy a good product, and it gets bought by another company and the product can change. And the pricing changes."

According to Roesch, those who see mixed source as a Trojan horse for an inevitable march back to proprietary software are underestimating the power of the open-source community. "Check Point got one of the most tested and deployed code bases in the world, and if they manage it carefully they’ve got the community too," says Roesch. "I would argue that the goodwill generated by Snort among users and developers probably outweighs the value of [the proprietary software], and I think Check Point believes that as well." In other words, continuing to support an open Snort will cost Check Point less than alienating the community by closing the source.

The Trojan Horse Scenario

No one in the open-source community faults Roesch or Check Point for making money from open-source software. After all, "free as in free speech, not free beer" is the mantra of Richard Stallman, the father of the free software movement (now more widely known as open source). But the open-source community, though far from monolithic, can agree on one thing: No one likes companies that would try to use open source as a Trojan horse for fee-based proprietary software.

At some point in the near future, companies without a sufficient understanding of what makes the open-source community tick are going to test the limits of mixed source, predicts Geoffrey Moore, managing director of TCG Advisors, a consultancy. "I think there is a potential for backlash from the open-source community against companies that do not play according to the aspirations or ethics of that community," says Moore. Fallout from this kind of uprising could put a big hurt on a CIO’s infrastructure. For example, open-source projects could be left for dead by their communities, with no one left to support them.
Then there’s "forking," in which the open-source code base is used to start a new project that is incompatible with the original version. Finally, there’s the doomsday scenario: malicious hacking of a formerly open-source code base. CIOs are concerned about getting caught in the middle of this fragile relationship—especially if their software provider goes under. "If I have some proprietary software, I have to worry about disrupting my infrastructure if I need to take it out and then find a replacement for it," says Strasnick. But if the code is open, as is the case with Strasnick’s JBoss middleware system, users can take the code with them to another provider if the relationship sours.

"If JBoss decides to stop supporting my software," says Strasnick, "I will have the source code, and I can simply go find someone else to support it."

Why VCs Don’t Like What CIOs Want

CIOs prefer the open-source business model that Roesch couldn’t sell to potential investors: a services model in which the company sells support for a single, open-source code base. "I like the services model because all my money goes into implementation and support," says Strasnick. A few well-known open-source companies, such as Red Hat (Linux), JBoss (middleware) and MySQL (database), are built around this model. But because the software code base is open to anyone, barriers to entry for competitors are low. These companies have to be extremely lean and mean to go up against comparable proprietary software companies. "CIOs expect to pay less for open source," says Forrester’s Goulde. "It has to provide 30 to 50 percent savings." That would seem easy when the software is free, but the software usually isn’t free for the companies that support it; many must provide their own employees to lead, manage and code the open-source products. The unpaid community that appeared around Linux took many years to develop and is the exception rather than the rule.
Worse, venture capitalists don’t like the services-only model because the margins on service are invariably lower than those for proprietary software. "The venture community is committed to getting a disproportionate amount of return on its capital," says Moore. "At some point, the company [they invest in] has to have sustainable competitive advantage." This helps explain why open-source companies have been slower to grow than their proprietary counterparts.

Another limiting factor is that it’s next to impossible to build a business around open source in niche markets or in vertical industries. Only a small percentage of downloaders will pay for support from vendors (for example, Snort has 100,000 regular users, but only 800 have signed up for support), and developer and user communities won’t grow unless the software is used by many, many people. So big, successful open-source products have certain things in common: They are broadly applicable across many types of companies and industries, and they tend to be in areas that companies don’t believe provide a competitive advantage (such as infrastructure) because everyone—including competitors—will have access to the software source code.

Yet even if the open-source software qualifies on all these fronts, building a business around it will still be difficult unless the software is complex and is an important part of keeping the business running. In this case, CIOs, especially those in small or midsize companies with small staffs, cannot afford to go without commercial support. Indeed, support is consistently the biggest concern of CIOs on Forrester Research’s surveys, according to Goulde. "We need a vendor to take a portion of the risk if we’re going to go with any software package," says NIH Federal Credit Union’s Drake.

And CIOs always prefer to go with a big, established vendor for support rather than a small startup.
That’s why MySQL, for example, has formed partnerships with Hewlett-Packard and Dell to support its open-source database. MySQL takes a cut of the proceeds, and CIOs get the warm-and-fuzzies from knowing that a big vendor is standing behind the product, according to MySQL CEO Marten Mickos. Yet the combination of CIOs’ nervousness about small vendors and the venture capital community’s reluctance to back open-source software means that CIOs will see more and more mixed-source sales pitches in the coming years. It pays to vet these vendors carefully (see "Your Open-Source Checklist," Page 52).

The ROI of Trust

For his part, Roesch believes that the Snort community will survive. "Check Point needed education about why it’s important to keep it open, and they get it," says Roesch. Part of that education was that the open-source development model creates relationships between project owners and users that cannot be duplicated in the proprietary world. "A lot of the guys buying Sourcefire software are people who started using Snort in college, and now they’re bringing it into their companies," he says. "It’s hard to quantify the value of being able to go into a sales meeting against big vendors like Cisco and having someone [from the prospect company] ask for your autograph." But that relationship, based on mutual trust and forged over many years, is fragile. If Check Point were to shut down Snort and close the source, says Roesch, "you would lose the goodwill of the community overnight."

"Getting these people’s trust takes years," he adds. "Losing it takes minutes."