Being bought by a commercial competitor is about the best possible thing that could eventually happen to a popular, pure FOSS project. It seems contrary to the vision of free software, and yet it's true if people like Daniel Cid, founder of Open Source Security, Host-Based Intrusion Detection System (OSSEC) and HD Moore, founder of Metasploit, are to be believed. (And they would know.)
I recently interviewed Daniel Cid because OSSEC was one of the first fully free security projects ever to be acquired by a commercial entity. (Know of an earlier one? Leave me a comment and I'll write an update on that project, too). True, plenty of open source projects have been bought - but I'm talking about an acquisition of a "basement built" FOSS project with no commercial version. (It might not have been developed in a comfortable home office, or the local coffee shop.)
Daniel's got two years experience of the free-to-commercial transition under his belt, and while the sale didn't make him as rich as Larry Ellison, he does say that it was by far the best thing that could have happened to OSSEC.
When I asked Daniel if he had ever planned on launching a commercial version himself, he said, "People were asking for one, but I'm a developer, not a business man. I was comfortable coding but not as good at business. When Third Brigade offered [to buy OSSEC] that was perfect thing. I can focus on the code bank, let them focus on the business end."
Indeed, there is nothing in the OSSEC story (nor so far, in HD Moore's Metasploit story) that indicates acquisition by a commercial entity did anything but help it. Third Brigade bought OSSEC in June 2008, and then Trend Micro bought Third Brigade in August 2009. At both changes of ownership, the open source community expressed a lot of concern that OSSEC would be killed -- particularly since Trend Micro is not known to be a big supporter of open source.
And yet, not true. Prior to the Third Brigade acquisition the project had attracted 5,000 downloads per month. Today, it's at 20,000 downloads per month, Daniel says.
"People are always afraid of changes ... they don't like change, they worry about the future of the project that it will be not so open. After a while, when they see we are keeping the project open source, they are very happy it was acquired. In the last two years, we've had two big versions and three minor releases -- in that two years, a lot of things were added and we're moving faster," he says.
Consider the alternative -- if Daniel Cid said no to the money (and help) and he continued to plug away as OSSEC gained in popularity. FOSS maybe about crowdsourcing, but the bulk of the work still falls to the project lead. "Mostly I was the only one [working on OSSEC]. Some users were helping with patches, but I was the main developer doing 90% of the work. I was doing it nights and weekends," he describes.
Coding is for Daniel "a passion" he says, which means that given a choice, he'll spend his weekends coding anyway. But now, he has five other people working on the project with him (and that certainly makes his wife happier). A new version of the project was released two months after Trend Micro acquired OSSEC.
To my way of thinking without a commercial backer, a popular FOSS project is in more danger of being killed from its own popularity than from being snuffed out by a competitor that doesn't want a freebie version around.
Like Metasploit, the commercial version uses the same code base as the freeware, but, Daniel says, "OSSEC is a very command-line tool and is not that user friendly. It doesn't have the features that an enterprise wants, like a slick Web interface." So the enterprise version adds a management interface, better reports and additional features by integrating OSSEC with other security tools like a firewall. The newest version was released in April.
Stories like OSSEC and Metasploit are likely to grow more common. Sourceforge hosts about 7,000 security projects. Daniel says, "From these 7K only 10% will survive; they seem to die quickly." Security is an area of software development where both open source and proprietary options can co-exist. "I still think open source in the long term will be more secure than closed -- people catch bugs all the time." But he also sees more of the big ones being acquired, or going commercial on their own "to make some kind of money ... it's very hard to be a developer only on the weekends."
By the way, OSSEC recently hit it even bigger when the Immutable Security blog coined the term The "OSSEC Effect" OSSEC monitors so many items that system admins will field a lot of questions from the security team like "Hey, I saw this in the log, did you change something? "
This causes the OSSEC Effect. It means: The alteration of a computer user’s behavior when they know their actions are being monitored, but do not realise or understand the extent of the monitoring. Users will, without provocation, volunteer information they believe could be seen as questionable, whether the monitoring system would have known about it or not."
Now, that's success.