This article was originally published in SourceForge.
Today, knowledge-centric organizations have come to recognize the value of open source languages as an integral part of software application development. From startups to Fortune 500 companies, forward-thinking organizations are taking full advantage of open source languages to develop new software solutions that can help accelerate digital transformation in their enterprise while cutting operational costs.
While open source languages bring about efficiency and cost-saving benefits to businesses and development teams, it can also introduce some risks and operational complexity to software development lifecycles.
To help address the challenges of working with open source languages, SourceForge recently caught up with Bart Copeland, the CEO and President of ActiveState, to discuss the ways to solve key pain points faced by today’s developers and enterprises when using open source languages. Copeland also offers some insights into the future of open source software (OSS) and shares how ActiveState’s New SaaS Platform can empower DevSecOps to seamlessly manage open source languages at runtime.
Q: Can you please give us a brief overview of ActiveState (year founded, size, solutions, etc.)?
A: ActiveState was founded in 1997 and has been doing Python builds since 1999. The company serves millions of developers, including more than 97 percent of the Fortune 1000 companies. Today, ActiveState continues to provide top quality solutions for open source languages. In fact, core contributors or inventors of open source languages have worked and currently work for ActiveState.
ActiveState’s focus is on making open source easy for the enterprise and providing tools that developers love to use, which comprises understanding key pain points in today’s polyglot environments for developers retrofitting open source languages as well as management’s challenge in gauging risk.
Q: Tell us about your goals and missions? What are the challenges of working with open source languages and how is ActiveState addressing these challenges?
A: Enterprises that have adopted open source (i.e., all of them) have two key pain points:
- The open source languages on which they build their applications are in constant need of retrofitting by developers as new versions of libraries and their dependencies are introduced as open source licenses that contravene enterprise policy (i.e. GPL licensed libraries) are discovered and patches to security vulnerabilities are made available. In our recent survey of over 1,400 developers, we’ve found that 75 percent of them spend either some or most of their time managing their development tools, detracting from the time they could be spending coding.
- Management is currently unable to gauge application risk. This is due to a few factors, including a lack of visibility, issues with tracking, and oversight of code compliance.
At ActiveState, our goal is to solve these two key pain points faced by developers and management in enterprises when using open source languages. Software is eating the world and it’s built on open source. And the fundamental building block for any software is the language in which it was programmed.
Truly, we’ll have known that we’re successful when we’re as prolific with developers as GitHub, and as necessary to enterprise systems as AWS.
Q: What specific industries do you serve? Can you tell us some of your current clients and/or customers?
A: Our company roster includes IBM, Honeywell, Siemens and Capital One. To give you a good idea of how varied our customer base is, take a look at our Customers page.
Q: A recent study revealed that the projected revenue of open source services would exceed more than US$ 32 billion by 2023. As a leading open source languages company, what are your thoughts on the way the open source market is exponentially increasing? And how is your company equipped to be part of the growth story?
A: Open source has won. Twenty years ago when we were just starting out, open source was untrusted by enterprises, but today even the U.S. government has adopted it. Open source has sparked innovation and dramatically shortened time to market to the point that if you’re not doing open source, you’re putting yourself at a disadvantage.
Today, open source represents the ethos of how developers work: collaboration, openness, and sharing. And all companies regardless of industry are technology driven, from the Washington Post to Walmart to HSBC. Simply put, the future of business is based on open source.
We think we’re uniquely positioned since we’re one of the very few open source companies that has been at the forefront and we’ve seen the market evolve for more than 20 years. We were doing open source long before the mass adoption, and we’ve witnessed macro shifts in the marketplace from monolingual dev shops to polyglot environments: from hand-coding of monolithic applications to assembly of microservices comprised of primarily open source components. We understand the pain points these shifts have caused in the enterprise and are addressing them in our roadmap.
Q: ActiveState recently rolled out the first feature of your new SaaS Platform for open source languages: Python Runtime Security. Can you please tell us how this feature helps teams keep pace with development cycles without sacrificing security?
A: Twenty years ago, the waterfall development methodology was the norm. Multi-year development cycles left lots of room for tacking security on the end of the release process. Today, most enterprises have adopted an agile process that offers no time for tacked on security – it needs to be baked in from the get-go.
By starting with an ActiveState distribution of Python (ActivePython), enterprises can be assured that, out-of-the-box, their programming language is secure, up-to-date with the latest security threats addressed, and GPL-free. But things change during the development process, and that’s where the ActiveState Platform’s runtime security comes in. We offer a Python interpreter plugin that runs at startup time when packages are initially loaded – whether that’s in dev, test, or production – and reports key information back to a central dashboard in the cloud. Every stakeholder in the organization – from management to auditors to compliance to InfoSec – can log into the dashboard and get a “Bill of Materials” view of every Python app in order to understand if the packages they’re running are vulnerable, outdated, or poorly licensed, and then take action.
In this way, we enable security to be injected upfront in the development process, before the first line of code is written, thereby letting developers focus on what they do best: coding, rather than focusing on security. And by centrally tracking the app through development, across the CI/CD chain, and into production, we enable everyone in the organization to check for vulnerabilities and compliance instead of shifting everything left onto the developer so you can bring secure apps to the market quicker.
Q: How does your SaaS platform for open source languages empower DevOps and DevSecOps? Can you offer us some sample use cases?
A: As the intersection of development, security, and ops, DevSecOps seeks to ensure that applications are not only built in a secure manner, but remain safe in production. ActiveState open source language distributions are checked for vulnerabilities so developers can start coding with a secure language out of the box. The ActiveState Platform then tracks application security throughout the development cycle, across the CI/CD process, and into production. Whenever vulnerability crops up, the ActiveState Platform alerts all stakeholders to the fact so they can instantly take action.
For DevOps, rebuilding and then updating all their systems across development, CI/CD, and production whenever a new vulnerability is found can be time-consuming. The ActiveState Platform will proactively create new language builds as open source vulnerabilities are found, allowing DevOps to run a smoke test and then update any environment with a single command.
Q: Aside from Python Runtime Security, what are the other core features and capabilities of your new SaaS Platform for open source languages?
A: ActiveState’s SaaS platform offers a plethora of features and capabilities. Here are some of them.
- 360 Degree “Live” View. Unlike Software Composition Analysis (SCA) or Artifact Repository vendors that only provide insight into “static” packages at a single point in the application lifecycle, ActiveState monitors “running” packages at every point with the 360 Degree “Live” View.
- Agentless Monitoring. Only ActiveState can monitor Python applications without the overhead of an agent. By instrumenting the Python interpreter, ActiveState collects Python package information only when each package is initially loaded, sending that information to a server to be assessed and tracked.
With ActiveState, our customers can get to market sooner by implementing an out-of-band, runtime security, and compliance solution that won’t slow down your development and DevOps teams but still lets you retain control over where and when you fix security and compliance issues.
Other differentiators include reduced cost of issue resolution, time of detection and time of resolution, and false positives and open source licensing and application risks.
Finally, although the ActiveState Platform is initially focused on Python and our existing commitments with our Perl and Tcl customers, our roadmap includes the support of any open source language.
Q: As a leading open source languages company, can you tell us more about your commitment to open source models? How has the open source approach benefited companies and coders?
A: Current and former ActiveState employees have been strong contributors to open source initiatives, including the originator of Tcl, a co-creator of YAML, contributions to the Cloud Foundry and Mozilla eco-system, and numerous maintainers of open source language packages, modules, and libraries. Additionally, ActiveState supports various open source organizations with monetary donations and employee hours to help with their efforts.
Q: Looking ahead, what emerging open source technology trends do you think will disrupt or impact how today’s software development teams build their apps and solutions?
A: Today, most organizations either use a standard, off-the-shelf, open source language distribution or else create a custom build for their specific project.
Off-the-shelf distributions are static builds that provide consistency across environments by including all dependencies, but they result in very large builds that are a pain to transfer around, slow down testing and deployment, and offer a large attack surface.
The DIY approach imposes a huge opportunity cost on your developers who could better spend their time addressing your ever-growing backlog rather than retrofitting their open source language.
Companies like ActiveState are spearheading the revolution, allowing organizations to automatically build, certify, and resolve all of the issues commonly plaguing open source language distributions, as well as share those distributions across teams/update environments with a single command.