A Tough Decision About Our CMS (Updated)
Update: Mark brought up some interesting points in his comment (see below), and while the overarching message of this post still stands, I didn’t intend to discourage the use of open source software throughout a credit union. Mark and I will be discussing this issue tomorrow (Friday the 27th) from 3 to 5 EST in the chat with the ceo chat room if you’d like to drop by!
For the past six months our team has been hard at work rewriting the content management system that runs all of the websites we produce. While we still have quite a few improvements in store for our CMS, we’ve launched several sites on it in the past couple of months and are finally ready to wean ourselves off of the Red Bull.
Unfortunately, during the rewrite it became clear that we’re not ready to open source the CMS as we had promised earlier. A few of our clients have raised legitimate concerns about the vulnerability of a system whose source code is exposed to the public, particularly one without the developer base of software such as Linux or MySQL, and we certainly don’t want to put those clients at risk in any way.
While we have decided not to release our source code, we do plan to share snippets of code that we’ve found helpful and perhaps release some plugins that other developers can use in their Rails projects. We’re also happy to answer any Rails questions you may have, either via email at development@trabian.com or in a Campfire chat with your development team.
If you have any questions about this decision, please feel free to email me at matt@trabian.com or meet me in my daily Campfire chat between 3 and 4 pm EST on weekdays.
Thanks for your understanding!
Mark McSpadden on June 26
Matt and Trabian,
I hope you receive the following comments with the high level of respect I have for you. You have done so much to influence this industry and me personally, and no single decision could ever dilute those contributions. I applaud your continual transparent and conversational attitude and it’s in that spirit that I reply to your tough decision with a tough comment.
I am disappointed in the reasoning behind the turnaround on open sourcing your CMS. I understand that you are a company and need to make money, and to do that you need clients. And if, after financial analysis, you came to the conclusion that an open source business model was not one that could make money, I don’t think I’d be writing this response.
However, to turn on that initiative due to security concerns of open source code seems to be a decision that lacks the innovative spirit Trabian usually brings to this industry.
I understand that there may have been pressure by clients that were fearful of an open source CMS. While I say I understand it, I find it tough to digest that, with all the complaining CUs do about regulations, there are CUs willing to draw conclusions that even regulating bodies don’t in regard to open source software. From the FFIEC via the NCUA (FOSS = Free and Open Source Software):
Now, if your clients did not want to take on the “unique” risk management associated with an open source CMS, that is understandable, but to contend that it is less risky just by sharing the source is beyond even what the FFIEC concludes. I know you “don’t want to put those clients at risk in any way” but the truth is that everything a CU does has risk associated with it.
Allowing CUs to pretend that proprietary software is somehow fundamentally less risky than open source software is hurtful to the CU industry and to open source software in general.
I encourage you to reconsider the motivations behind your decision.
Matt Dean on June 26
Mark, I certainly appreciate your comment and realize that I should have expanded on this post a bit more.
As I alluded to with my mention of Linux and MySQL above, there are several well-known open source projects that have done phenomenally well using an open source model. Linus’s Law holds true—“given enough eyeballs, all bugs are shallow.” We love Ruby, Rails, MySQL, Linux, and other well-known open source projects and use them to drive our product, so it would be hypocritical to say that open source projects didn’t create value.
So yes—given enough time and resources on our part to both support and manage the code contributions of a community surrounding an open CMS project, we could end up with both a more robust and more secure system. That was the original plan, but the reality is that currently doesn’t make sense for us to devote the resources to push an open source project to the point where “enough eyeballs” compensates for the loss of the layer of security through obscurity (however thin it is).
If we were producing a CMS for other industries then I would have been passing out a link to our source code repository months ago. But as Shari Storm at Verity CU can tell you, a hacked website can mean bad news for members (their online banking login was hacked and members were submitting their usernames and passwords to someone overseas—this wasn’t a Trabian site, by the way, and Shari posted about it on their blog when it happened so I’m not sharing any secrets here).
I would love to open source a system that was used for less risky and mission-critical purposes within a CU, and hopefully we’ll get a chance to do so in the future (nothing specific in mind for now).
What I failed to make clear in my post is that this is an issue of where Trabian is right now and where we’re willing to focus our efforts, but I realize now that I painted too broad of a picture. So here’s what I’d like to do: let’s chat about this over Campfire and talk about both sides of the issue. For now, I’ll put an update at the top of the post expanding on it briefly, then after the chat I’ll add any thoughts from the conversation. The overarching message still stands though—the security concerns of our clients are valid given the potential harm a hacker can inflict (particularly with online banking logins on their site), and it doesn’t make financial sense for us to devote the time to oversight of community-submitted code.
Thanks again for being willing to comment. I saw your Twitter post about writing a comment to a blog post and thought this one might have been the target! That’s what this blog is for – expanding on ideas.
Mark McSpadden on June 27
Matt,
Our Campfire chat today really helped to clear some things up for me.
I now better understand that your primary concern is to provide a consistently secure CMS for your clients. From the conversation I agree simply releasing your code into the wild would cause an initial dip in the overall security of the CMS for a season. I understand that it’s a dip that your clients can ill afford and one that Trabian cannot focus the resources on to combat. In fact, it’s a dip that is just unacceptable in the financial industry.
This doesn’t mean that mature open source software can’t have a home (and be secure) in financial institutions. However, the current path to a mature open source app is not one that keeps security at a high enough level to pursue in some mission critical financial applications.
My thoughts are best summarized by the following statement from today’s chat:
I believe that a mature open source CMS (or any FI software) can be every bit as secure (if not more secure) than a proprietary one. However, the process of opening that source can provide a season of lessened security and increased administrative strain on the original proprietor of the code.
I am interested in discussing ways the community can help lessen the security drop off and administrative woes for companies that would consider open sourcing their code.
I’m glad you guys have been so willing to discuss your thoughts and feelings during this process. I understand the motivations behind your decision and wish continued success with your CMS.
I’ve followed up with some thoughts on my own blog with ideas on how the community and industry can make the open sourcing process more secure and less painful and I would love any additional insight you have on the matter.
More thoughts on Open Sourcing your Software in the Financial Industry
Thanks again for the great discussion.
PS. Blogs work. :)
Robbie Wright on July 01
Tough call, man. Having paying clients saying no is pretty hard not to listen to. The whole hacker-to-contributor ratio thing will always play a big part in open source FI projects. The payoff for hackers to hit relatively little-known OSS in use at FIs is very large, much more so than for most other OSS projects. We need to figure out a cost-effective way to build up an OSS project securely for use in CUs. That might consist of like-minded individuals and companies collaborating to start a project, some type of limited-release, invitation-only phase, followed up by massive third-party security audits and then maybe general public release. But who knows. We’re in a little bit of uncharted territory here.