5 Key Considerations When Using Open-Source Technology to Launch Enterprise Solutions
Although open-source software can usually be downloaded for free without upfront or recurring license fees, there are several obligations, risks, and associated costs you should understand when using open-source software, especially to build enterprise solutions.

Key Takeaways
- Although you may think of open-source technology as more cost-efficient or even “free software,” you need to take into account security, compliance, operational resilience, and legal protection when leveraging this technology for enterprise solutions.
- Deciding whether to use open-source technology, with or without enterprise-grade services, will depend on the specific facts and circumstances you’re facing. Whether your organization is smaller and lacks resources to manage open-source and community-developed technologies or your organization is mature and you want to save costs and scale growth with open source, there may be strategic advantages to pairing the technology with a commercial service provider. This blog explains five reasons why.
- For example, using Liferay DXP with Liferay Enterprise Subscription Services provides customers with exclusive support, security, compliance and legal protection, and additional features compared with the unsubscribed use of Liferay Portal code downloaded from our public repositories.
Open-source technology can provide incredible benefits when used to build enterprise solutions, including cost savings, increased agility and flexibility, and access to a community of developers who use that same software.
What is Open Source?
Open-source software is software that has publicly available source code and includes a license in which the copyright holder provides the rights to study, change, and distribute the software to anyone and for any purpose. Although the roots of open-source software go all the way back to the 1950s, the movement really started gaining steam in the late 1990s and continues to impact software development for enterprise solutions today.
Enterprise solutions require careful planning and execution, however, especially around security, compliance, operational resilience, and functionality. In this blog, we’ll go through a list of five key considerations before leveraging open-source software to launch your enterprise solutions.
5 Key Considerations Before Using Open-Source Technology for Enterprise Solutions
1. Vulnerability Concerns
For business-critical solutions, security is paramount, especially if your business operates with customer data or other sensitive information.
Due to the public nature of open-source technology, a wider audience is able to review the code and contribute security improvements. More eyes mean that potential vulnerabilities can be identified and addressed more quickly.
Although publicly available code allows for community review, the same transparency also lets cybercriminals study the code for weaknesses to exploit. Malicious actors could also contribute to open-source projects with the intention of introducing vulnerabilities or harmful code.
Additionally, teams commonly incorporate open-source software or components into their applications and then never update them. When updates are released but not applied, known security vulnerabilities go unaddressed.
According to Synopsys’s 2024 Open Source Security and Risk Analysis report, which consolidated findings from more than 1,000 commercial codebases across 17 industries in 2023, 96% of the total codebases contained open source and 84% of codebases assessed for risk contained vulnerabilities.
Another study conducted by Veracode also found that 79% of the time developers had not updated the code after including it in an application. Further, at least one security flaw was found in the majority of their repositories. Organizations frequently fail to track where open-source code has been used and are completely unaware of any components that need updating.
In cases like these, the teams that decide to implement the open-source software are responsible for updating it to keep the code secure. Although the original vendor may be scanning and testing regularly to ensure the security of its code, it’s still up to the individual teams and users to update and maintain the code they use.
2. Meeting Compliance Requirements
If your business operates in specific regions or in a highly regulated industry, it’s critical that the software and technology you use adheres to the laws and policies enacted by the relevant governing bodies.
External compliance refers to the regulations and standards imposed on organizations by external sources to ensure the security, privacy, and safety of users. Some of these include:
- SOC 2, which assesses a service provider’s systems and processes against trust criteria including security, availability, processing integrity, and confidentiality.
- ISO/IEC 27001, which is the international standard for information security management systems.
- GDPR, which focuses on protecting the personal data of individuals in the EU. Other regional data protection laws include LGPD in Brazil and CCPA in California.
- Digital Operational Resilience Act (DORA), which focuses on the digital resilience of financial entities in the EU.
- Cyber Resilience Act (CRA), which focuses on cyber resilience through common cybersecurity standards for products with digital elements in the EU, such as required incident reports and automatic security updates.
Ultimately, accountability for meeting these regulations rests not with the vendor but with the individual organization using the software. So if you use open-source technology for your applications, you need to perform regular audits of practices and policies relating to corporate information security, open-source compliance, privacy, and data protection, to name just a few.
3. Open-Source Obligations
Free and Open Source Software (FOSS) compliance requires users of FOSS to observe all copyright notices and satisfy all the open-source software license obligations for the FOSS they use in commercial products. This requires work beyond just implementing the lines of code and may include one or more of the following:
- Documenting the open-source components used, for audits or requests from customers.
- Managing a repository from which people can download the source code.
- Maintaining relevant copyright and licensing information.
- Creating a user interface that displays the open-source components used.
- Evaluating license compatibility of components that are under different licenses.
This usually requires open-source policies and training for developers, along with the use of software-scanning products that can identify open-source code that may not comply with the policies and guidelines you need to follow.
Failing to do this work completely and accurately, or otherwise failing to comply with the terms of the applicable open-source licenses, can lead to legal consequences, monetary loss, maintenance challenges, and loss of goodwill.
Additionally, organizations are increasingly expected to produce a software bill of materials (SBOM). An SBOM is foundational to software supply chain security because it acts as an inventory, recording the components and dependencies used to build the application an end user consumes.
Given the increased risk and security implications, SBOMs are becoming more ubiquitous. This trend is underlined by recent regulatory changes, including the Cyber Resilience Act in the EU and the US Presidential Executive Order 14028.
However, producing SBOMs requires investment in scanning tools or services. SBOM production is also labor intensive, as it needs to include all vital data about software components and all dependencies required for each component or library to work properly, including all patches or updates.
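The update-tracking gap described under consideration 1 and the license obligations and SBOM inventory described here can be checked mechanically against that inventory. As an added example (not part of the original post or of Liferay’s tooling), the following Python audits a constructed CycloneDX-style SBOM against a hypothetical license allow-list and approved-version table, flagging undocumented licenses, licenses outside policy, and components that lag behind the approved version:

```python
import json

# Constructed CycloneDX-style SBOM: sample data, not a real inventory.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-web", "version": "2.3.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "example-parser", "version": "1.0.0",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "example-utils", "version": "0.9.0"}
  ]
}
"""

# Hypothetical policy inputs a team would maintain: licenses it may ship in
# a proprietary product, and the newest version it has approved per component.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause", "LGPL-2.1-only"}
APPROVED_VERSIONS = {"example-web": "2.4.0", "example-parser": "1.0.0",
                     "example-utils": "0.9.0"}

def component_licenses(component):
    # Collect the SPDX ids (or free-text names) declared for one component.
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name") or "")
    return [i for i in ids if i]

def version_tuple(version):
    # Turn a dotted numeric version into a comparable tuple.
    return tuple(int(part) for part in version.split("."))

def audit_sbom(sbom_text):
    """Return (component, finding) pairs for undocumented licenses,
    policy-incompatible licenses, and components behind the approved version."""
    findings = []
    for comp in json.loads(sbom_text).get("components", []):
        name, version = comp.get("name", "?"), comp.get("version", "")
        licenses = component_licenses(comp)
        if not licenses:
            findings.append((name, "no license recorded"))
        for lic in licenses:
            if lic not in ALLOWED_LICENSES:
                findings.append((name, f"license {lic} not on allow-list"))
        approved = APPROVED_VERSIONS.get(name)
        if approved and version and version_tuple(version) < version_tuple(approved):
            findings.append((name, f"outdated: {version} < {approved}"))
    return findings
```

Running `audit_sbom(SBOM_JSON)` on the sample reports one finding per component; in practice the policy tables would be fed from the organization’s license policy and vulnerability tracking rather than hard-coded.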
4. Legal Checks and Protection
Implementing legal checks and risk assessments when introducing a new open-source technology, or when its licensing terms change, falls to the individual teams and users implementing the software.
In the case of noncompliance with an open-source license or an alleged third-party IP violation, the team that has implemented the open-source technology will ultimately be responsible for handling any legal claims or license fees. Open-source licenses typically do not include indemnification or other remedies in this situation, so teams will instead need a competent lawyer or other legal help to protect their business and settle the claims at their own cost.
5. Operational Resilience
The availability of a business-critical solution is just that—critical. Every second your enterprise solutions are down can contribute to lost revenue, lost or compromised data, and reputational damage, including the erosion of customer trust.
Ensuring a solution’s availability and performance, for example by scaling the solution and performing backups, is the responsibility of the team that implements the technology. Doing so internally, however, can be very cost- and resource-intensive.
Additionally, if you use open-source software without commercial support, your options are typically limited to community-based support that offers no dedicated support or Service Level Agreements (SLAs), requiring more in-house expertise and resources if issues or downtime do occur.
Open-Source Software With or Without a Commercial Offering?
Given these five key considerations, you may be wondering if using open-source software can actually drive down your total cost of ownership (TCO) if you need to factor in security, compliance, operational resilience, and more.
Thousands of companies around the world have benefited from the strength and flexibility of Liferay open-source technology, called Liferay Portal, when building and launching digital experiences like websites, intranets, customer portals, and more.
All five considerations mentioned above still come into play; these users have to set aside resources to run, support, and secure their solutions. For example, if a company uses Liferay technology to build their website without the benefits of a Liferay Enterprise Subscription, their in-house team or a third-party implementer is solely responsible for hosting the solution, troubleshooting performance issues, maintaining the site, ensuring its operational resilience and scalability, securing the site, and backing up and restoring the site if it goes down.
If you’re looking for options to offload those tasks, our commercial subscription services can help lower your total cost of ownership with expert-level support, including a dedicated support team and product experts, to achieve business value faster.
Liferay’s Enterprise Subscriptions give you the best of both worlds — a subscription allows you to maintain the key value propositions of open-source software while mitigating the associated risks. This way, you can use open-source technology in an enterprise-ready and cost-efficient manner for mission-critical use cases. Additionally, Liferay’s Enterprise Subscription provides exclusive features around performance, commerce, analytics, and security. As a vendor, we’re able to help our customers ensure regulatory compliance in accordance with best practices and industry standards.
And by allowing customers to choose between on-premises, PaaS, and SaaS deployment models, Liferay offers the flexibility to choose the right balance between total control over data and full customizability on one hand, and the ability to outsource the burden of maintaining, securing, and supporting the underlying infrastructure, or even the solution itself, on the other. You can make this decision based on your specific risk profile, business needs, and preferences, and even do so on a project-specific basis.
Growing with Liferay DXP
ITES company Sahaj was originally using Liferay Portal to build their vendor portal, but as they grew, they quickly realized they would need a more scalable solution with advanced features. With Liferay Enterprise Subscription Services, Sahaj was able to accelerate time to market, which significantly reduced their costs.
Choosing What Works Best for Your Business to Launch Enterprise Solutions
Although there are many benefits to using open-source technology, license fees and other commercial pricing are not the only factors to take into account. It’s crucial to evaluate the cost and resources needed to manage and support the solution in the long run.
For many organizations, using open-source technology with the backing of enterprise-grade services such as Liferay’s Enterprise Subscriptions can give them peace of mind knowing that an expert team can help manage security, compliance, open-source obligations, and more. This assurance also includes lower total cost of ownership, greater operational security, increased business continuity, higher agility, and faster speed to market compared to those using open-source technology without a commercial offering.
Want to learn more about how Liferay can help you accelerate compliance and protect your operations? Download this whitepaper to learn more.