Open Source Software and CU’s
August 22, 2007 – 1:30 pm
In an article on TechCrunch today, the founder of WordPress, Matt Mullenweg, took some harsh words about the grey line that exists in the open source community: how to make money from it.
After BarCampBankSeattle, a small group of us have continued the discussion surrounding the core processing marketplace and the opportunities that exist within that space. Primarily, whether an open source core processor will work.
Some CU’s love the idea of open source: a community-based development of software that is technically free to the end users, although it is not without cost. Other CU’s shy away from open source because they would much rather have a turn-key solution in which the vendor provides all of the servicing for the particular product and is on the contractual hook as well.
While some CU’s accept OSS (Open Source Software) and everything that comes along with it, would those same CU’s accept an open sourced core or any other software related to their core, online banking for example? As this Coding Horror article talks about, many open source products have scaling issues associated with them, and the article uses Twitter and RoR (Ruby on Rails) as the example.
Assuming that CU’s could/would accept a major open source operating component (core, online banking, debit/credit cards, payroll processing, etc), how would the company providing the software keep the lights on and servers running? In the TechCrunch article, WordPress takes some flak for no longer allowing sponsored themes, or themes with text ad links embedded in them, in their theme directory, yet sells an anti-spam plugin to commercial and other non-personal users. One could go the MySQL/Red Hat/Sugar route and offer "Enterprise" versions of the software for a price while open sourcing the basic version.
Could a core provider offer a basic version for free but also offer an "Enterprise" version to clients willing to pay? Would CU’s even buy a core processor that is open sourced? How do you address the perceived security concerns associated with open source? As someone pointed out to me, the ratio of hacker-to-contributor would be much higher for an open source core than for Firefox or OpenOffice, for example. If you create a nasty Firefox plugin that reboots someone’s computer, woo-hoo, but if you could go download the core software that a bank or credit union is running, where would you spend your time?
9 Responses to “Open Source Software and CU’s”
Hey Robbie,
I think you mean to say “not without cost” in your third paragraph.
I really like the idea of using open source software wherever it makes sense, but I just couldn’t bring myself to use it for any of our core banking applications…for a lot of reasons. One of the less obvious reasons is really just to cover your ass. You’ve heard the old saying, “no one ever got fired buying IBM.” An IT Manager would have some big “splainin’” to do if things went sideways with an open source implementation of that sort. And, what about the regulators that come looking around for things like SAS 70’s from your mission critical vendors?
My approach to open source has always been to bring it in around the edges…not the core. KL
By Kirk on Aug 23, 2007
Thanks for the heads up and it is now fixed!
And the exact issues you’ve addressed are also some of the same I have with a fully open-sourced core. I’m not so much worried about a SAS 70 because, in my limited understanding, it simply says that a company follows their own guidelines. But covering your ass is another story entirely. Many cores “guarantee” that their software works and if something goes crazy, it is their tail on the line. With an open sourced core, that wouldn’t be the case. However that might create an opportunity for a third party company to review code and “insure” it against defect. That’s one of the nice things about OSS, it spawns many opportunities for support and addons.
By Robbie Wright on Aug 23, 2007
I can totally understand covering your tails, but let’s not get “open source” and “in house implementation” confused.
I liken it to web app hosting. I can throw Linux/Apache/MySQL on a box and host my company’s web apps from my apartment for next to nothing. We definitely do not do that.
What do we do? We pay someone else to perform the implementation of these open source solutions. You could say we are paying for bandwidth or the hardware, but really we are paying to have someone to yell at if the server goes down.
Now that may seem simplistic and beneath the “high stakes world of banking” but honestly if industry can find a way to provide this service for the “low stakes” of most web apps, how much greater will the offering be to the banking community.
I totally agree with Robbie that an Open Source Core would create a whole slew of opportunities in many areas and that implementation and monitoring would be one of the first to see action.
Just think of the potential. Right now you are paying for that “pass the buck” privilege as well as the cost of continuous code development and improvement.
Under an Open Source Core and the services that would spring up around it, for the first time, you could actually put a dollar value on the ability to blame someone else without having to also finance development of a code source!
Interested to hear more of your thoughts.
By Mark on Aug 24, 2007
Mark, what would you think about the hacker to contributor ratio? There would be much more incentive for bad people to try to find a way into the software than normal. And do you think that even if it is open source, more people will opt for the hosted/enterprise/I’m going to yell at someone else version?
By Robbie Wright on Aug 26, 2007
Robbie, great questions. Unfortunately, I very much doubt many people care what my 25 year old seat of the pants answer to those questions would be.
So I propose the research and industry analysis route. Hopefully over the next few weeks I/We can carve out some time to look at the following:
* The difference of Red Hat v. Fedora. These two code bases are extremely similar from my understanding, with a major difference being the “support” of Red Hat. Who chooses which and why?
* The contributor base of Firefox. (Is there anyone out there not trying to hack the browser?) How many people do they have and how do they deal with the target on their back?
* A look at Sun and Java. I’m not exactly up to date on everything with them, but I think Sun is in the process of open sourcing Java. Has open sourcing led (or will lead) to more attacks on Java? Has it made Java less secure, all things considered?
* The role the IT security community plays in OS development. A whole industry has cropped up on the premise of finding bugs before the bad guys. (I’m not talking about reactionary measures, these companies are actively trying to find ways to exploit systems in ways no one has before…at least I think they are.) What exactly do these companies do? How do they do it? Does their presence benefit the industry?
* The current state of Core hacking, exploitation, and bug finding. How many exploits and hacks are currently attempted and successful? Who is currently policing the vendors?
Maybe none of these efforts produce anything to justify an OSC, however, my gut says once we start looking at ways Open Source currently operates, the case for an Open Source Core will seem not only feasible, but advantageous to the industry.
Anyone interested is more than welcome to take a chunk and run with it. I’m interested to see where this takes us.
By Mark on Aug 27, 2007
Great points Mark. It is my understanding that right now the cores “guarantee” the security of their software and if someone manages to hack in, they are on the hook. One of the benefits of a “black box” software however is once the would be hacker infiltrates the firewall and network, we wouldn’t know where to go or how to hack into the core. Maybe that’s why they use such old and odd technology…
And your observations of some next steps are right on. Maybe we should chat later this week…
By Robbie Wright on Aug 27, 2007
“Security by Obscurity”…anyone want to take a look into that as a valid security model? (I was always under the impression it was basically in the same tier as “hoping” you don’t get hacked.) The reality is that currently there are people with the knowledge to hack your core, though their numbers may be small. Think disgruntled vendor employees, their hacker friends, unhappy Bank IT people; there are some of these people out there.
However you bring up another distinction that is important to keep in mind while examining this Open Source Software, the difference and relationship between “security” and “liability” of software.
They are not one and the same. In fact, from what you say, the current state of the Core is, “We don’t know how ’secure’ it is. But we really don’t care cuz we’re not ‘liable.’” Security is NOT the same as liability.
PS. I started a page on the BarCampBankSeattle Wiki about Open Source Software Rhetoric. Trying to keep track of the distinctions we are making, I guess trying to create a resource for ‘the right way’ to address an OSC.
By Mark on Aug 27, 2007
PPS - For anyone else interested, I started a wiki a while back at http://cuemployee.com/wiki for the small group of us that are actively working on this project. Mark, I’d love if we could combine the two resources and have everything in the same place!
And I’m of the firm belief that Security by Obscurity is a joke. Having an open model could potentially make it easier to hack, but by the very nature of open source more eyes are looking at the same problem and can find and patch problems much quicker.
By Robbie Wright on Aug 27, 2007
Better a diamond with a flaw than a pebble without. — Chinese proverb
By Cymbeline Dymoke on Sep 7, 2007