What is Free Software?
“Free” in “Free Software” refers neither to the price of the product nor to “non-commercial” software. It refers to the freedom the user has to copy, use or redistribute the software. Free software can be used in commercial distributions too.
The user is free to redistribute copies with or without modifications. Depending on the license the redistributed copies are under, the user may also charge a fee for the redistribution. For the user to have this freedom, access to the source code of the software must be provided to the user.
What is Open Source Software?
Open source software refers to software that is available in source code form; such software is generally developed by tens of thousands of active programmers spread across the globe.
Open Source Software must comply with the following criteria:
- Free redistribution
- Available in Source code
- Must allow modifications
- Maintain the integrity of the author’s source code
- No discrimination against groups, people or fields of endeavour
- No additional license should be required
- License should not restrict other software or be specific to the product.
- License must be technology neutral
Need for FOSS
Most software development companies use proprietary solutions to develop their software. The development cycle may be iterative, with only a small team involved. Developers choose FOSS products so that they need not reinvent the wheel.
Using FOSS products improves the development team’s productivity, reduces cost, and supports the rapid evolution of software. While this is a welcome move, a development team should also be wary of the risks associated with the use of such frameworks.
Using software one did not build introduces new security risks as well as integration and interoperability issues.
Factors impacting the choice of FOSS product
Before deciding to use a FOSS product, the user must consider the following points:
- Which technical or business functionality is to be achieved by using the FOSS product?
- Which product provides this feature?
- What additional features does the product provide that would be useful to the project?
- Is the product really “free” to use?
- Are there better products that provide additional features?
- What license does the FOSS product use?
- Are there any known security vulnerabilities in the product?
The license obligations and security vulnerabilities have to be carefully studied before deciding on a FOSS product.
License obligations impacting the choice of FOSS product
The license for free software is permanent and irrevocable. The license should permit the release of modified versions of the software as free software. Restrictions added during redistribution should not impact the central freedoms.
Examples: GNU General Public License, Apache License.
Categories of Licenses
- Copyleft licenses: copyleft is a general method for making a program or work free and requiring all modified and extended versions of the program to be free as well.
- Public Domain License: lacks copyright protection; the work can be freely incorporated.
- Permissive License: these are copyfree licenses, meaning there are no restrictions on modifications and redistribution. Authors require proper attribution in modified works.
Sample License parameter to validate
Sample Security Guidelines to Evaluate
- Security vulnerabilities (e.g. SQL injection, cross-site scripting) in FOSS products are rarely looked into before deciding on the product. Vulnerabilities are reported across various forums and the developers fix them in subsequent releases. A decision on the product and the version to be used can be made after a thorough study of the product’s entries in the vulnerability databases, security-related forums and mailing lists.
- The user must first run a basic anti-virus scan on the product to know whether it is safe to install and use. Once the anti-virus check is complete, the user must check for vulnerabilities in the product.
- Some of the common databases used for lookup are the National Vulnerability Database (NVD) and the Open Source Vulnerability Database (OSVDB).
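As an added example (not part of the original article), the following Python screens a candidate component against constructed NVD-style advisory records and a hypothetical license policy, so that the product-and-version decision described above is made per version rather than per product. The advisory IDs, product names, versions and policy sets are made up; only the `versionStartIncluding`/`versionEndExcluding` field names follow the shape of NVD's JSON feed.

```python
"""Screen a candidate FOSS component (product, version, license) against
constructed NVD-style vulnerability records and a simple license policy.
All advisory IDs, product names and versions below are made-up sample data."""

# NVD's JSON feed bounds affected versions with versionStartIncluding /
# versionEndExcluding on each CPE match; these records mimic that shape.
SAMPLE_ADVISORIES = [
    {"id": "CVE-0000-0001", "product": "examplelib", "severity": "HIGH",
     "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.4.2"},
    {"id": "CVE-0000-0002", "product": "examplelib", "severity": "MEDIUM",
     "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.0.5"},
    {"id": "CVE-0000-0003", "product": "otherlib", "severity": "CRITICAL",
     "versionStartIncluding": "0.1", "versionEndExcluding": "0.9"},
]

# Hypothetical policy: copyleft obligations need review, permissive
# licenses pass, anything else is treated as unknown and reviewed.
COPYLEFT = {"GPL-2.0", "GPL-3.0", "LGPL-2.1", "AGPL-3.0"}
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause"}
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_version(text):
    """Turn '1.10.2' into (1, 10, 2) so that 1.10 sorts after 1.9."""
    return tuple(int(part) for part in text.split("."))


def is_affected(advisory, product, version):
    """True when version lies in [start, end) for this product's advisory."""
    if advisory["product"] != product:
        return False
    v = parse_version(version)
    return (parse_version(advisory["versionStartIncluding"]) <= v
            < parse_version(advisory["versionEndExcluding"]))


def license_category(license_id):
    if license_id in COPYLEFT:
        return "copyleft"
    if license_id in PERMISSIVE:
        return "permissive"
    return "unknown"


def screen(product, version, license_id, advisories=SAMPLE_ADVISORIES):
    """Return the open advisories, license category and a go/no-go verdict."""
    hits = [a for a in advisories if is_affected(a, product, version)]
    worst = max((SEVERITY_RANK[a["severity"]] for a in hits), default=0)
    category = license_category(license_id)
    if worst >= SEVERITY_RANK["HIGH"]:
        decision = "reject"   # known HIGH/CRITICAL issue in this exact version
    elif hits or category != "permissive":
        decision = "review"   # lower-severity issue or license obligations
    else:
        decision = "accept"
    return {"advisories": [a["id"] for a in hits],
            "license": category, "decision": decision}
```

Moving from version 1.3.0 to 1.4.2 of the sample product flips the verdict from reject to accept, which is the kind of version-level outcome the study of the vulnerability database is meant to produce.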
Authored by Ranjani Jeyapal