Stopping community heroes from becoming victims of their own success
In 1750, Benjamin Franklin composed a letter describing his experiments and sent it to a member of the Royal Society in London with the phrase, “I have already made this paper too long, for which I must crave pardon, not having now time to make it shorter.” Short articles take a long time to think about and a long time to write, and then if you are me, even longer to rewrite over and over again. This relatively short article took me forever.
My articles are also usually opinion pieces, but this one is different: it's a discussion piece. That's because I don't know if what I am presenting is a good idea or not, so I am hoping this stimulates a healthy discussion and I will be able to form a conclusive opinion, for or against.
In recent months, I have continued to be reminded about the fragility and inequity in the open source software model, something that is clearly not new. I think it's a fact of life, maybe it's Darwin's theory of evolution playing out in the software world, but I think it's sad all the same, and it shouldn't be this way.
Two weeks ago I cosigned an open letter to the OWASP board of directors calling for change. The letter was the result of boiling frog syndrome and was co-signed by leaders from many of the OWASP flagship projects, its most mature and, by general consensus, its most successful projects. In summary, the letter called for a strategic plan, a change in governance to attract a wider range of corporate participants and sponsors, a focus on the needs of flagship projects, better central infrastructure and, most importantly, increased funding. It was well received by many people I respect and, after initial publication, co-signed by far more people than we expected.
Some community discussions after that open letter have rightly pointed out that while they appreciate the needs of the flagship projects, the proposed model may disenfranchise and discourage projects that are starting out, or that always intend to be part-time, best-efforts projects. Some of those projects bloom into the flagship projects of tomorrow, and no one wants to unintentionally disenfranchise or discourage a grassroots community and innovation, certainly not me. Put another way, in creating that proposed model to address the needs of flagship projects, some of the magic of OWASP may be inadvertently killed. John Steven's excellent LinkedIn post does a great job of highlighting this.
Many successful open-source security projects seem to go through a cycle over many years, starting off as personal passion projects before becoming incredibly popular, but then, all too often, fade away. A tipping point occurs where the project heroes, incredibly hard working, dedicated and passionate individuals, usually conclude that it has become a one-sided relationship with lots of people making money from their work, and that community accolades are no longer enough to justify the sacrifices they make. They may well be victims of their own success, but I think they are victims nonetheless, usually victims of greedy corporations.
It's at this point where those teams often look to established open-source models that will enable them to continue their work and restore the balance.
Barring philanthropy, some teams create open-core companies where they build extended features on top of the core open-source code and sell it like any other commercial open-core product. In an ideal world all of the companies using the open-source core are motivated to play nicely and ensure that it's properly resourced, but in security tools land I don't see it happening. I have been in too many investor meetings where the phrases ‘don’t enable competitors’ and ‘how do we get an unfair advantage’ are used and I totally get it. It's business and I am a giant unapologetic capitalist, although for the record one that believes strongly in social welfare.
If we take OWASP Zap as an example, Mozilla paid Simon to work on it as his job, then StackHawk paid Simon to work on it as his job, and now Jit pays Simon to work on it as his job. Chapeau to those three companies, you are truly awesome, and I think anyone who wants to move from the open-source version of Zap should absolutely buy their commercial versions over any others. The fact is, there are hundreds, if not thousands, of security consulting companies using it as the core of their commercial consulting, and several security tools vendors that we know about who have embedded it in their platforms, and none of them pay any meaningful amount back to the project. Sure, a number make small donations to the project, but some of the companies that have embedded Zap into their services or products are making tens of millions of dollars a year, and small donations are neither meaningful nor equitable.
My belief is that the commercial open-core model tends to work when one or two companies truly rely on the core and are committed to stepping up to the plate. It's Intel and Red Hat in the Linux kernel world, Microsoft in the Node.js world, etc.
If open-source teams don't want to create open-core software businesses, some create professional services or support models, offering paid work around the core open-source code. Others, especially JavaScript frameworks and web applications, offer commercial hosting. There are loads of other models, from dual licensing and relicensing to delaying the release of the open-source code itself, but one challenge with all of these for many community-driven open-source projects is that they just don't want to be commercial companies. Doing services or support is an inevitable distraction from developing open-source software and not what they signed up for, but it is a lot less hassle than having to deal with investors, lawyers and sales people.
So just how do you break the conundrum of successful open-source projects wanting the resources to operate like commercial development teams, without having to do a lot of heavy commercial lifting to support it?
I am not going to pretend I have a magic wand or a magic answer because I clearly don't, but the other day I was listening to the Cycling Podcast and the interview with Jens Haugland, the CEO of the Norwegian energy company and general manager of the Uno-X pro cycling team, when I made an observation and had an idea.
What if community open-source security projects adopted a version of the sports advertising model?
When I ran MSDN subscriptions at Microsoft in the late 00's I had a healthy advertising business on the side, because I had a highly targeted captive audience. When people were downloading the .iso file for Windows, they were a very specific user profile and staring at the screen for a very long time. That's pure gold for advertisers, and my advertising unit economics were off the charts. Off the fucking charts. A lot of people push back on advertising, because online it's usually about invading privacy to better target users, but with things like Zap, which has 500,000 plus downloads a month, you already know it's all security people, all the time, and that's pure advertising gold. You don't need to profile people's behavior to build a financial model that could be significant.
When you look at models like Uno-X sponsoring a professional cycling team, it means I can enjoy competitive cycling for free. When you look at CrowdStrike sponsoring the McLaren Formula One team, it means I can watch them being whipped by Red Bull Racing for free. It seems to me that sports advertising is a business model so intrinsic to society that I struggle to see why it should be shunned by open-source projects as a viable source of funding.
As well as the privacy argument, another argument against advertising is that it will be abused and you will get porn hub ads (didn't link that) on your site or in your software, or a bunch of competitors trying to be clever. The sports industry largely solves this with carefully chosen partners that for the most part share the same core values as the team, or are at least net neutral. You don't get one bike brand advertising on a team that rides a different bike; you have a high degree of control. Advertising partners are also chosen for a relatively long period of time, such as an entire season, providing a higher degree of stability to the team and sending a message of long-term financial commitment to the fans.
If we think about application security projects like Zap with 500,000 downloads a month, then the pool of potential sponsors is big. It's security consulting companies (the same ones that use it for free today), it's MSSPs (the same ones that use it for free today), it's cloud providers, it's developer tools, it's recruiters and more. Most appsec engineers are young, and who knows, it may even be interesting to things like gaming companies.
If handled thoughtfully and sympathetically, adverts could appear on the project's website, discussion lists, in the CLI or even in reports. I would personally have zero issues with a tasteful advert for AWS in a security report. If I were running E&Y security consulting and PWC security consulting were getting their logo in front of every appsec consultant, I would pay a lot of coin to avoid that, and make sure I promote my team next season.
I am aware not everyone wants to play in the big league. I am happy racing amateur bike races and am self-coached. Even if I were capable, and I am not, I wouldn't race at an elite level. But maybe, just maybe, advertising done right is a legitimate model that could be the primary source of funding for open-source security tools that do want to play in the big leagues.