
March 11, 2008

Company closing its source because: "Open source is a wash"

With so much talk about turning open source into a new grail for entrepreneurs and VCs alike, it is worth having a look at those using open source for a different purpose. Two 5-year-old security “start-ups” have transitioned their code to … well, to the other side of the force: one is opening it while the other is closing it.

The first one is named Untangle and provides an all-in-one security gateway for small businesses. After burning through $10.5M of funding (from rustic and CMEA) they discovered that:

1- It’s hard to go after the long tail of SMB security (Barracuda Networks is after the same market and is burning cash so fast that the initial founders must be diluted by the minute)
2- Red Hat might be onto something by selling services and proprietary add-ons
3- Open Source is so "topical" that it could help a second round (35 employees is a drain for a company that proudly boasts its $1/user/month professional package)

Well, in all fairness, there is more to it: open source is also a way to milk the GNU, as Untangle CEO Bob Walter confesses on c|net, albeit not exactly in those terms:

Making the software open-source will help elevate the company's profile among new customers, improve quality through better debugging, help translate the software into new languages, and attract new software modules. "We feel we'll get further, faster," he said. "We are betting this company on open source."

That must be a new twist to the Red Hat model:

Red Hat you big fool, why do you keep doing that which the community can do for you for free?


On the other side of the argument we have Tenable Network, which took the new version of the open security scanner Nessus to the dark side of proprietary software. Tenable closed their source in late 2005. Tenable’s Chief Security Officer Marcus Ranum is obviously not as keen on the idea of open source as Untangle is. According to Internet news:

I think that open source is a wash. I think that the professional software companies that are really developing stuff have teams of organized grown ups working on code, and in a lot of cases turn out better code. The "many eyes" philosophy of open source coding makes about as much sense as the "many monkeys approach" to producing Shakespeare.

If Mr. Walter sees open source as a cow to be milked, obviously Mr. Ranum sees it only as a cow. Ahem sorry, as a monkey. I don’t think I could rename my blog along this line though.

So here is the strategy used by Tenable:

1- Drop out of GPL by forking a proprietary release (they can if all contributors agree)
2- Write as many proprietary plug-ins as you can (easy if you have Renaud Deraison on board)
3- Have companies pay for vulnerability feeds, services, plug-ins etc.
4- Refocus on the market of Enterprise PC security (proxy, credentials, IDS, asset discovery ...)
5- Focus on Fortune 500 (or try to)
6- OEM to large security vendors (no branding though if you deal w/ the big guys)
7- Certify products and processes to respect a plethora of security norms (good for gov biz)
8- Lower incentive to fork by providing the new Nessus/Tenable daemon for free but not the source itself …

The beauty of the thing is that they kept getting awards as an open source company, thanks to InfoWorld making a fool of itself a good 2 years after the company closed its source code:

InfoWorld Best of open source in security 2007: Tenable

As for OpenVAS (the still-GPL version of Nessus), it does not seem to be a very innovative project: I saw many distro ports and re-looking stuff but nothing like rewriting the equivalent of the many key commercial plug-ins for the scanner. Nothing either like integrating IDS, proxies or more nmap-like functionalities. Too bad.

Tenable's revenues stopped growing as fast as hoped in 2005, the very same year that closing the source was decided/announced; quite a coincidence. So how has it gone for Tenable since then? A good guesstimate (based on Tenable customer numbers) is that it is still largely bottom dwelling under $10M in revenues.

Here is a suggestion I’d like to make to Ron Gula, the CEO of Tenable. It would boost everybody’s morale and make it easy for Tenable to raise money if they want to. Release control, as Matt Asay would say.

Why don't you turn Tenable into an open source company?

PS: For those interested, 10 open source business models
