Weathering the Economic Crisis in Engineering
Top 25 Open Source Projects That Will Help Trim Development Budgets

Theresa Bui Friday
December 2008
www.palamida.com

This paper discusses the 25 top Open Source projects companies are using for cost control and competitiveness.
OVERVIEW

In challenging economic times, how do internal application development teams continue to deliver higher quality software and Web applications with fewer resources? Unlike in past economic downturns, development teams today have a resource they can turn to in order to lower the costs of development, maintain high quality, and decrease cost of ownership for the long run: open source software.

The use of open source, one of the most groundbreaking trends in the software industry, is more than just for experimental or internal-use only. With experience in auditing billions of lines of code for Fortune 100 as well as start-up companies, Palamida has seen some of the most productive and cost-saving use of open source from market leaders across all industries. This paper will list the top 25 open source projects reviewed by Palamida that have proven to be among the most reliable, innovative, and enterprise-ready open source projects available on the market.

This paper is for senior engineering and IT executives who are looking for resourceful ways to trim budgets, while ensuring that application development work continues to be a competitive advantage for their businesses. It will list some of the best open source projects Palamida has seen used inside organizations of all sizes. As well, it will provide senior managers with best practices basics in defining an effective open source usage strategy, while ensuring the integrity and security of their applications and their business model.

So now it's your move.
If your team is not already using these open source projects, you should be sitting down with your lead engineers to review this list today.

25 HOT OPEN SOURCE PROJECTS ORGANIZATIONS SHOULD BE USING TODAY

Development Tools

There is no question that a good toolkit consisting of an integrated development environment, unit testing, code coverage and code quality will enhance productivity and overall application excellence.

Columns: Project Name; Description; Overview; Cost to Develop In-house.

Copyright 2008, Palamida, Inc. All rights reserved.
(continued from the previous row) ... avoiding hours of frustrating bug hunting, making programs more stable. Users can also perform detailed profiling, to speed up and reduce memory use inside applications.

Project Name: FindBugs
Description: Looks for bugs in Java programs. It can detect a variety of common coding mistakes, including thread synchronization problems, misuse of API methods, etc.
Overview: Dedicated community of 9 team members, established since 2003, with sponsorship from both Google and Sun Microsystems.
Cost to Develop In-house: 45 person-years or 2,457,935

Database and Mapping Tools

Database buying patterns have shifted significantly in the past few years, with a sharp focus on cost effectiveness. Open source database solutions can now tout both speed and the ability to handle very demanding processing tasks.

Columns: Project Name; Description; Overview; Cost to Develop In-house.

Project Name: Hibernate
Description: A powerful, high performance object/relational persistence and query service for Java. It lets engineers develop persistent objects following common Java idiom, polymorphism, and the Java collections framework.
Overview: Dedicated community of 16 team members, established since 2002.
Cost to Develop In-house: 233 person-years or 12,813,393

Project Name: SQLite
Description: Small C library that implements a self-contained, embeddable, zero-configuration SQL database engine. Implements most of SQL92 and ACID (atomic, consistent, isolated, and durable) transactions; no setup or administration needed.
Overview: Dedicated community of 25 contributors, established since 2000.
Cost to Develop In-house: 29 person-years or 1,606,773

Project Name: MySQL
Description: A relational database management system with more than 11 million installations. MySQL is owned and sponsored by a single for-profit firm, the Swedish company MySQL AB, now a subsidiary of Sun Microsystems, which holds the copyright to most of the code base.
Cost to Develop In-house: unavailable

Project Name: Apache Derby
Description: A relational database implemented entirely in Java. Some key advantages include a small footprint (about 2 megabytes for the base engine and embedded JDBC driver) and being based on the Java, JDBC, and SQL standards.
Overview: Dedicated community of over 32 contributors, established since 2005.
Cost to Develop In-house: 166 person-years or 9,086,983

Project Name: PostgreSQL
Description: A relational database system that has earned a strong reputation for reliability, data integrity, and correctness. It runs on all major operating systems, including Linux, UNIX (AIX, BSD, HP-UX, SGI IRIX, Mac OS X, Solaris, Tru64), and Windows.
Overview: Dedicated community of over 30 contributors, established since 1996.
Cost to Develop In-house: 146 person-years or 8,039,337

Core Utility Classes

Utility classes are programming libraries designed to perform common, often-used functions. This has been one of the most popular and earliest implementations of open source software.

Columns: Project Name; Description; Overview; Cost to Develop In-house.

Project Name: zlib
Description: Designed to be a free, general-purpose, lossless data compression library for use on virtually any computer hardware and operating system.
Overview: Dedicated community started by Mark Adler and Jean-loup Gailly in 1997. Stable version v1.2.3 since July 2006.
Cost to Develop In-house: unavailable

Project Name: libpng
Description: The official PNG reference library. It supports almost all PNG features, is extensible, and has been extensively tested for over 12 years.
Overview: One dedicated project maintainer, with 8 contributors, since 1996.
Cost to Develop In-house: unavailable

Project Name: FFmpeg
Description: A complete solution to record, convert and stream audio and video.
Overview: Dedicated community of almost 80 contributors, established since 2000.
Cost to Develop In-house: 81 person-years or 4,439,936

Project Name: Freetype
Description: Software font engine that is designed to be small, efficient, highly customizable and portable while capable of producing high quality output (glyph images). It can be used in graphics libraries, display servers, font conversion tools, text image generation tools, and many other products as well.
Overview: Dedicated community of almost 30 contributors, established since 1997.
Cost to Develop In-house: 64 person-years or 3,526,986

Reporting and Charts

Reporting and charting solutions have really caught up with the major players and offer a new level of sophistication. As they continue to implement most of the features available from the biggest commercial rivals, these open source solutions will give corporate IT managers a good reason to evaluate them.

Columns: Project Name; Description; Overview; Cost to Develop In-house.

Project Name: JFreeChart
Description: Chart library for the Java platform that supports a wide range of charts including pie charts (2D and 3D), bar charts (horizontal and vertical, regular or stacked, with optional 3D-effects), line charts, XY plots, scatter plots, time series charts, high/low/open/close charts, candlestick plots, Gantt charts, Pareto charts, combination charts, and more.
Overview: Founded in 2004, with one dedicated project maintainer, with four contributors and a user base of almost 50,000 developers.
Cost to Develop In-house: 43 person-years or 2,338,036

Project Name: Velocity
Description: A simple yet powerful Java-based template engine that renders data from plain Java objects to text, XML, email, SQL, PostScript, and HTML etc. The template syntax and rendering engine are both easy to understand and quick to learn and implement.
Overview: Dedicated community of 9 contributors established in 2002 and part of the larger Apache Software Foundation.
Cost to Develop In-house: 13 person-years or 701,339

Project Name: Pentaho Reporting
Description: A class library for generating reports. XML-based templates provide flexible reporting and printing functionality using data from multiple sources. It supports output to display devices, printers, PDF, Excel, HTML, XHTML, PlainText, XML and CSV files.
Overview: Established in 2002 with almost 20 contributors.
Cost to Develop In-house: 444 person-years or 24,425,468

Project Name: JasperReports
Description: Java reporting library. XML report templates are used to generate ready-to-print documents using data from customizable data sources, including JDBC. The output can be delivered to the screen, printer, or stored in PDF, HTML, XLS, RTF, ODT, CSV, TXT and XML format.
Overview: Established in 2005 with 15 contributors and part of the JasperForge.
Cost to Develop In-house: 63 person-years or 3,486,668

Web 2.0

It can be argued that Web 2.0 has been built on the back of open source. Some of the most popular Web 2.0 companies -- Google, Facebook, Flickr, etc. -- are all built using open source technologies. So it is no surprise that some of the best open source projects on the market today support major Web 2.0 functionality.
(continued from the previous row) ... documents, handle events, perform animations, and add Ajax interactions to Web pages.

CRITICAL ISSUES WHEN DEFINING AN EFFECTIVE OPEN SOURCE STRATEGY

Whether it is these 25 open source projects or others, most organizations are already using open source as part of their IT infrastructure or inside their shipping product and Web applications - whether senior managers realize it or not.

For open source used in software or Web projects, Palamida has found that applications built in the last five years will typically be composed of at least 50% open source code. As much as 70% of that open source use is invisible to senior managers – which means that it has likely not been given a security review and security updates are not being patched in to protect the company and its customers. This growing void in application security leaves organizations open to the risk of introducing vulnerabilities through undocumented code.

Traditional application security solutions such as intrusion detection, ID management, and firewalls are critical for securing traffic to applications. But Gartner, Inc. research shows that since 2002, 70% of successful security attacks exploit application vulnerabilities – issues with specification, design or implementation once the traffic has arrived. Managers need to realize that what is inside their applications can be just as harmful as what is coming to their applications. Organizations need a new layer of application security that allows them to protect themselves against vulnerabilities in application code even if they do not know what they are using.

Gartner, Inc. has identified this new layer of security as "software composition analysis" (SCA) – technologies that should be used along with static application security testing (SAST) and dynamic application security testing (DAST). SAST/DAST inspect applications internally, while SCA classifies external components by name, version and associated vulnerabilities [2]. Considering that only 1 out of every 10 open source projects has commercial support [3], organizations must realize that a management system for vulnerability review, tracking and patch/remediation of open source is now a mandatory part of an application security strategy.

Often, the philosophy of "spend small, think small" prevails for most IT organizations. Unless an organization is adopting a large open source project such as Linux, special resources are not being allotted to the management of open source adoption. Organizations now can implement a policy of "spend small" but, just as with any other type of third-party software, they cannot afford to "think small" about what they are using, meaning they cannot stop constantly monitoring for new security information about it. In the past, with commercial software packages, if developers wanted to incorporate third-party code into their applications, a joint development agreement or in-bound licensing contract would be negotiated. The process would have also included a development manager, procurement lead, and a lawyer.

In "User Survey Analysis: Open Source Software, Worldwide, 2008," Gartner, Inc. reports that almost 40% of organizations cite "lack of governance policies regarding open source adoption" as one of the key organizational challenges in using open source. In today's 24/7 world of persistent network access, developers dispersed across multi-national sites can include open source, freeware, public domain, evalware (demos of commercial software), etc., into the code they are writing without triggering the usual checkpoints in the procurement process.
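As an added illustration of the software composition analysis the paper describes (example code written for this edition, not Palamida's product or any project's own code), the following Python takes an inventory of third-party components by name and version, matches them against an advisory list, and flags both components in an affected version range and components that were never registered with a review board. All component names, versions and advisory identifiers are constructed placeholders.

```python
from dataclasses import dataclass

def parse_version(v: str) -> tuple:
    """'1.2' -> (1, 2, 0, 0); a pre-release tag ('1.3.0-rc1') sorts below the release."""
    core, _, pre = v.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums += (0,) * (3 - len(nums))            # pad so '1.2' and '1.2.0' compare equal
    return nums + ((-1,) if pre else (0,))

@dataclass
class Advisory:
    component: str
    affected_from: str   # first affected version (inclusive)
    fixed_in: str        # first version carrying the fix (exclusive)
    ident: str           # advisory id; the values below are placeholders, not real ids

@dataclass
class Component:
    name: str
    version: str
    reviewed: bool = False   # is it on record with the Open Source Review Board?

def assess(inventory, advisories):
    """Return (name, version, kind, detail) findings in inventory order."""
    findings = []
    for c in inventory:
        v = parse_version(c.version)
        for a in advisories:
            if a.component == c.name and \
               parse_version(a.affected_from) <= v < parse_version(a.fixed_in):
                findings.append((c.name, c.version, "vulnerable",
                                 f"{a.ident}: fixed in {a.fixed_in}"))
        if not c.reviewed:   # the 'invisible' open source use the paper warns about
            findings.append((c.name, c.version, "unreviewed",
                             "no Open Source Review Board record"))
    return findings

# Constructed sample data: component names, versions and advisories are all made up.
INVENTORY = [
    Component("fastjson-lib", "2.3.1", reviewed=True),
    Component("imgcodec", "1.2.9"),
    Component("ormkit", "3.2.6-rc1", reviewed=True),
]
ADVISORIES = [
    Advisory("fastjson-lib", "2.0.0", "2.4.0", "EXAMPLE-ADV-1"),
    Advisory("imgcodec", "1.2.0", "1.2.9", "EXAMPLE-ADV-2"),
    Advisory("ormkit", "3.0.0", "3.2.6", "EXAMPLE-ADV-3"),
]

FINDINGS = assess(INVENTORY, ADVISORIES)   # the report a review board would work from
```

Note that imgcodec 1.2.9 is exactly the fixed version and is therefore not reported as vulnerable, while the ormkit pre-release is, because the version parser orders a release candidate below its release.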
Without these controls, the open source is unlikely to be detected, monitored, or tracked.

Best Practices Basics for Open Source Management

Organizations that employ best practices in open source software management maximize the benefits of open source and minimize any security or operational risks. A best practices management workflow does not have to be disruptive, once policy and procedures are established. Each organization's own implementation will be different, depending on size and business model, but will always contain the following stages: assessment, policy, open source repository, code audit, and ongoing management.

Assessment

A process must be in place for assessment and registration of open source introduced into the code base by individual developers. An organization should establish an Open Source Review Board, which in small companies may consist of one person, while in larger ones, it might consist of multiple members representing cross-functional roles. In smaller companies, requests or notifications of intended use may be simply captured through emails between developers and managers and updating Excel spreadsheets. In medium to large compa

[2] "Gartner Hype Cycle for Data and Application Security 2008," 30 September 200, ID Number: G00160731
[3] Based on Palamida research conducted February 29, 2008 - March 4, 2008, examining support structure for 3,168 popular open source projects