Why we need to have an open discussion about open source technology

15th July, 2024|Scott Sobolewski, Co-Head-Quantitative Services at Acadia

Users of Red Hat’s Linux will know that open source technology has been around for quite some time, as far back as the 1950s in fact. Despite the growing acceptance of, and positive culture shift towards, open source technology over the last decade, underlying misconceptions remain about its security and quality, especially for enterprise or commercial use cases.

If individuals and businesses want to unlock the full potential of open source technology, there should be a common understanding of any potential deficiencies relative to comparable vendor software or alternative in-house/proprietary software, and of how those areas for improvement can be addressed. This should allow firms across the globe, in any industry, to better evaluate how open source technology could enhance their own operations and whether open source solutions are finally worth exploring.

Industry challenges – security and dedicated support

By definition, open source software is available free of charge and often without dedicated support, which has led some to question both its security and quality. “If the software is so good, why are you giving it away for free?” is often a critique we hear from clients. Another is that open source software is riddled with bugs, viruses or other dependencies that may be harmful to local users.

Most industries have already solved these problems, as we observe continued adoption of automated software screening procedures, by both open source publishers and users, to identify any underlying open source components (even within vendor software) and detect any security vulnerabilities, compliance issues, or code-quality risks. These scans are focused on mitigating IT compliance and other security risks, such as accidentally embedding malicious elements from or within open source software, and on surfacing unforeseen dependencies.

Black Duck by Synopsys is one such example, and we observe first-hand that these monitoring procedures are already industry-wide best practice at most large organisations. For example, as part of LSEG, Acadia is required by company policy to conduct a Black Duck scan for its Open Source Risk Engine (ORE) – an open source pricing and risk analysis engine for financial derivatives – before we publish quarterly software releases out to our user network.
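To make the screening step above concrete, here is a minimal component scan of the kind such tools automate: it inventories the open source components a build pulled in, matches them against a list of advisories, and checks each licence against the firm's allow-list. This is an added illustrative example written for this article, not Black Duck's or Acadia's code; the components, advisory identifiers (`EXAMPLE-…`), licence policy and version rule are all constructed sample data, and the release gate is an assumed policy (block on high/critical vulnerabilities or any licence outside the allow-list).

```python
"""Minimal open source component screening (added example, constructed data).

Models the three things an automated scan looks for before a release:
  1. which open source components are present,
  2. whether any is at a version affected by a known advisory,
  3. whether each component's licence is one the firm permits.
"""
from dataclasses import dataclass

# Constructed sample bill of materials: components a build pulled in.
SAMPLE_COMPONENTS = [
    {"name": "fastjson-like", "version": "1.2.3", "license": "Apache-2.0"},
    {"name": "libcurve",      "version": "0.9.1", "license": "GPL-3.0-only"},
    {"name": "numtools",      "version": "2.1.0", "license": "MIT"},
    {"name": "oldparser",     "version": "3.4.5", "license": "BSD-3-Clause"},
]

# Constructed sample advisories. Assumed rule: every version strictly below
# "fixed_in" is affected. Real advisory feeds carry full version ranges.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "name": "fastjson-like", "fixed_in": "1.2.4", "severity": "high"},
    {"id": "EXAMPLE-2024-0002", "name": "oldparser",     "fixed_in": "3.4.0", "severity": "medium"},
]

# Constructed licence allow-list for what this (hypothetical) firm may ship.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}


def parse_version(text: str) -> tuple:
    """Turn 'major.minor.patch' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Finding:
    component: str
    version: str
    kind: str       # "vulnerability" or "license"
    detail: str
    severity: str   # advisory severity, or "policy" for licence findings


def scan(components, advisories, allowed_licenses) -> list:
    """Return one Finding per vulnerable version or disallowed licence."""
    findings = []
    advisories_by_name = {}
    for adv in advisories:
        advisories_by_name.setdefault(adv["name"], []).append(adv)

    for comp in components:
        version = parse_version(comp["version"])
        # Vulnerability check: any advisory whose fix is newer than what we ship.
        for adv in advisories_by_name.get(comp["name"], []):
            if version < parse_version(adv["fixed_in"]):
                findings.append(Finding(
                    comp["name"], comp["version"], "vulnerability",
                    f"{adv['id']} (fixed in {adv['fixed_in']})", adv["severity"]))
        # Licence check: everything outside the allow-list is a compliance finding.
        if comp["license"] not in allowed_licenses:
            findings.append(Finding(
                comp["name"], comp["version"], "license",
                f"{comp['license']} not in allow-list", "policy"))
    return findings


def release_allowed(findings, blocking=("high", "critical")) -> bool:
    """Assumed release gate: no licence findings and no blocking-severity vulns."""
    return not any(f.kind == "license" or f.severity in blocking for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_COMPONENTS, SAMPLE_ADVISORIES, ALLOWED_LICENSES)
    for f in results:
        print(f"{f.kind:13} {f.component} {f.version}: {f.detail} [{f.severity}]")
    print("release allowed:", release_allowed(results))
```

On the sample data the scan flags `fastjson-like 1.2.3` (below the advisory's fixed version) and `libcurve` (licence outside the allow-list), while `oldparser 3.4.5` is already past its fix and produces nothing, so the gate refuses the release. In practice the component inventory and advisory feed come from the scanning tool rather than hand-written lists, but the decision logic is the same.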

Another tack that open source users have pursued is to embed an additional layer of security protocol in the way they access or “pull” from open source Git repositories. Especially relevant for highly regulated industries, or those with especially strict cybersecurity protocols, the Git Proxy Project (co-sponsored by FINOS, Citi and RBC) is one such example used across financial institutions as an intermediary layer between institutions and the open source Git repositories used by their internal software development teams. Git Proxy strives to ensure that all operations meet common security measures and broader compliance requirements while also streamlining workflow efficiency. This additional security layer can increase users’ comfort in accessing and using open source technology.
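The intermediary layer described above is easiest to understand as a policy decision applied to each Git operation before it reaches the remote. The example below is an added illustration of that idea, written for this article and not taken from the Git Proxy Project's own code: it evaluates a push request against an approved list of remote hosts, an approved list of author e-mail domains, a cap on the number of files, and a check that no committed file contains a private key block or a hard-coded credential. The host list, domain list, limits, patterns and the two sample pushes are all constructed, and the push is assumed to have already been parsed into a plain dictionary (handling only HTTPS remote URLs).

```python
"""Push-policy check in the style of a Git intermediary (added example, constructed data).

Each push is represented as a dict: remote URL, branch, and commits carrying
the author's e-mail and the full content of each changed file. The function
returns whether the push may be forwarded and the reasons if not.
"""
import re
from urllib.parse import urlparse

# Constructed policy for a hypothetical firm.
ALLOWED_REMOTE_HOSTS = {"github.com", "git.example-bank.internal"}
ALLOWED_AUTHOR_DOMAINS = {"example-bank.com"}
MAX_FILES_PER_PUSH = 500

# Content checks applied to every changed file. Both patterns are illustrative.
SECRET_PATTERNS = [
    ("private key block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("hard-coded credential", re.compile(r"(?i)\b(api[_-]?key|secret|password)\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
]


def evaluate_push(push: dict) -> dict:
    """Apply every policy rule and collect all reasons rather than stopping at the first."""
    reasons = []

    # Rule 1: only approved destinations. urlparse handles https:// remotes;
    # scp-style "git@host:repo" remotes are assumed to be normalised upstream.
    host = urlparse(push["remote"]).hostname
    if host not in ALLOWED_REMOTE_HOSTS:
        reasons.append(f"remote host {host!r} is not approved")

    # Rule 2: total change volume, a cheap guard against bulk exfiltration-style pushes.
    total_files = sum(len(commit["files"]) for commit in push["commits"])
    if total_files > MAX_FILES_PER_PUSH:
        reasons.append(f"{total_files} files exceeds limit of {MAX_FILES_PER_PUSH}")

    for commit in push["commits"]:
        # Rule 3: commits must come from an approved corporate identity.
        domain = commit["author_email"].rsplit("@", 1)[-1].lower()
        if domain not in ALLOWED_AUTHOR_DOMAINS:
            reasons.append(f"commit {commit['sha']} author domain {domain!r} not approved")

        # Rule 4: no secrets in any changed file.
        for path, content in commit["files"].items():
            for label, pattern in SECRET_PATTERNS:
                if pattern.search(content):
                    reasons.append(f"{label} found in {path} (commit {commit['sha']})")

    return {"allowed": not reasons, "reasons": reasons}


# Constructed sample pushes (SHAs and contents are made up).
CLEAN_PUSH = {
    "remote": "https://github.com/example-org/pricing-lib.git",
    "branch": "feature/curve-bootstrap",
    "commits": [{
        "sha": "aaaaaaa",
        "author_email": "dev@example-bank.com",
        "files": {"src/curve.py": "def bootstrap(quotes):\n    return sorted(quotes)\n"},
    }],
}

BLOCKED_PUSH = {
    "remote": "https://git.unknown-host.example/mirror/pricing-lib.git",
    "branch": "main",
    "commits": [{
        "sha": "bbbbbbb",
        "author_email": "dev@example-bank.com",
        "files": {"deploy/key.pem": "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n"},
    }],
}

if __name__ == "__main__":
    for name, push in (("clean", CLEAN_PUSH), ("blocked", BLOCKED_PUSH)):
        verdict = evaluate_push(push)
        print(name, "->", "forward" if verdict["allowed"] else "reject", verdict["reasons"])
```

The clean push is forwarded; the second is rejected for two independent reasons (unapproved host and a private key in the diff). Collecting every reason rather than failing fast matters operationally: the developer sees all the fixes needed at once, and the rejected request, with its reasons, is what the intermediary logs for compliance review.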

Further, dedicated software support is often essential for enterprise users with critical software dependencies and client-facing service level agreements (SLAs), to ensure that when something breaks or inevitable bugs occur, there are timely fixes deployed within committed timeframes by knowledgeable resources. While most believe that vendor software or in-house solutions are the only offerings that bring dedicated support, open source software can be “purchased” by way of lower-cost SLAs. Even when SLAs are sold alongside open source software, or scoped for more substantial support, the economic savings can be vast relative to building and maintaining proprietary in-house software or purchasing expensive software licenses from vendors (often with additional support fees tacked on). This is particularly beneficial for smaller firms who need competitive and robust systems at lower cost.

“Ownership” of technology solutions

Firms may have reservations about just how “open” open source technology is, opting for in-house solutions in the belief that these are the only systems that a firm can truly own and understand. While this may seem sensible in the short term, “key man risk” remains an issue. Individuals or small teams are often tasked with leading and building proprietary software solutions, which are inherently complex; those individuals inevitably leave and go on to do similar things at other firms, and the institution is left with a pile of code and limited internal resources who have to maintain and improve the codebase. Not only does this pose an inherent risk as organisational structures change, but it also means that a firm itself never truly “owns” the software i.e. it was always, from the outset, owned by a select group of key individuals at the firm.

The community-driven nature of open source software means that while it’s free to access, numerous firms and a wider group of individuals across the globe can modify and customise it according to their needs, limited only by their expertise and creativity, and often contribute back their improvements and extensions to the project. While some firms may always want a simple, standardised, out-of-the-box solution, open source solutions shouldn’t be written off so quickly. Users have even successfully used tools like ChatGPT to understand particular sections of code, which is not always possible with licensed vendor solutions, especially when the source code is not exposed to the user. Equally, even if you’re not using all of the end-to-end functionality available in a given open source project, firms can pick up the relevant elements that work best for them as a starting point, without needing to reinvent the wheel.

Unlocking the industry’s potential

In an increasingly competitive market, and in the current era of persistently high interest rates, firms of all sizes are having to make challenging decisions about where best to invest their resources. Whether for large-scale investment banks or start-up technology firms, the use of open source technology has the potential to level the playing field, as it’s often orders of magnitude less expensive to own and maintain than comparable solutions, allowing firms the flexibility to make systems as simple or sophisticated as necessary. The average annual software license fee from larger providers can range from hundreds of thousands to tens of millions of dollars. Similar functionality afforded by open source software could satisfy many of these requirements at no cost, especially as adoption of, and contributions to, open source projects continue to expand.

The increasing cost pressures and market competition faced by firms are only compounded by the greater level of scrutiny from regulators ensuring that firms remain compliant. Regulatory compliance often comes at very high cost to firms, and regulators are increasingly requiring greater transparency and evidence of such compliance, especially in industries like financial services. Regulatory compliance should always be a baseline expectation of every firm in every industry, and shouldn’t be a competitive advantage reserved only for the largest firms willing to invest the most money into their software infrastructure. Open source technology gives both users and regulators, when necessary, the ability to inspect “under the hood” of the software used to demonstrate regulatory compliance at the code level, so firms can more readily demonstrate that compliance to regulators.

How do we reach that north star?

If we are to unlock the true potential of open source technology, especially as a means to level the playing field and democratise software development/maintenance at firms of all sizes, we need to be clear and showcase who will benefit the most from such solutions.

For a select group of firms with adequate budgets and resources, proprietary in-house solutions may be suitable. However, for the vast majority of firms, senior management and software development teams need to assess whether current legacy solutions, which are often clunky and expensive, are as cost-effective and productive as they should be.

While some may still be sceptical about the potential of open source technology, they run the risk of missing the communal benefits generated by this open culture. By its very open nature, people from around the world will continue working to improve open source projects and endeavour to share those benefits and innovations with the wider community. Open source technology allows individuals and firms to work towards an elevated baseline standard, a “north star”, of software quality, performance, and cost efficiency.