Thursday, 10 August 2017 09:07

Myths about open source CRM systems

Open source is an idea that has significantly influenced the technological development of companies around the world. Openness means that the code is available to everyone, which makes it possible to build better solutions together and make them available to everyone. The largest companies in the world often build their competitive advantage on projects that have open source code.
Currently, every company in the world uses open source solutions, because a very large number of devices and applications use open solutions, in whole or in part, to a greater or lesser extent.
On the Internet, it is possible to find many professional publications and popular articles. Many people and companies take them as gospel and make key business decisions based on what they learn. However, these publications and articles often repeat the same mistakes, which we decided to debunk.

Open source is (or isn’t) cheaper

People who declare that open source solutions are cheaper or more expensive, and don't present the various costs and risks, probably don't understand the deployment process of enterprise-class systems within a company. The fact that open source solutions don’t require any license fees says nothing about the actual costs of implementation.

When open source solutions are deployed on a large scale, the cost is determined by many factors and the licensing costs represent only a small portion of the total cost. This is due to the fact that an end customer counts only the final value (which also includes the maintenance price as a long-term cost).

What does the cost of implementing open source software include?

  • Infrastructure
  • Joint analysis of requirements
  • Implementation
  • Tests (including functional, performance and acceptance)
  • Implementation in the production environment
  • Licences (including deployment and maintenance)
  • Warranty (including SLA)
  • Final documentation
  • Training
  • Additional functionalities

When a company is looking for the cheapest solution, it should send a well-described request for proposal (RFP) to both open source and traditional (closed source) software providers. In this manner, it will be possible to evaluate whether an open source solution will turn out to be cheaper or more expensive in this particular case.

Open source is (or isn’t) more secure

Some argue that open source software is more secure because the source code is available to everyone and the community can report and fix bugs. On the other hand, you can come across articles that contend that solutions with closed code are more secure because no one has access to the code, including potential hackers. Obviously, neither approach is necessarily accurate.
Let’s consider two extreme cases:

  1. Case A: One solution is written by a junior developer and published with an open license, but no one uses it; the second solution is closed and deployed in large companies that expect the highest possible level of security. Which one will be more secure? Obviously, the second one (however, it doesn't mean that there are no security bugs in it).
  2. Case B: One solution is written by a large company, published under an open source license and implemented in many companies; the second solution is closed, written by a junior developer and seldom used. Obviously, the first solution will be more secure (however, it doesn't mean that there are no security bugs in it).

The difference between open and closed source code is blurred by so-called reverse engineering. Thanks to this process, a solution that is seemingly closed becomes as open as an open source solution. Access to source code doesn’t provide information about the level of security; rather, it defines the ways in which security can be analyzed and evaluated.

The quality of source code

Quality and order in the source code are the first two things that should attract your attention. There are many publications that touch upon this subject, so we encourage you to do the research, because we won’t discuss it in this article. Quality isn’t determined by whether a solution is closed or open.

Solutions with closed code don’t provide access to the source code, so it is difficult to evaluate its quality. Open source software does allow for such evaluation, and that is its advantage. However, it doesn’t mean that every open source solution is of good quality; it only means that it can be evaluated and verified.

There are many tools that are used to verify code quality, and one of them is SensioLabs Insight. The site verifies over 110 elements in code, and a list of them can be found on its website. There are also other tools on the Internet that can be matched with the tested application. Let’s look at the quality of popular CRM systems which have open source code.

Code quality test of open source CRM systems

SugarCRM v. 6.5.24

[Image]

In the picture above, there is a summary for SugarCRM, version 6.5.24. SensioLabs found over 25 thousand faults that should be fixed.

SuiteCRM v. 7.7.5

[Image]

SuiteCRM is an independently developed fork of SugarCRM. It has many more errors (over 31 thousand), but it also has more files and functionalities in comparison to SugarCRM. So the code quality of these two projects is comparable.

VtigerCRM v. 6.5.0

[Image]

The situation is similar in the case of Vtiger 6.5: there are over 42 thousand errors, but the project contains more lines of code (over 70 thousand).
These projects should implement special procedures aimed at improving the code quality and start to comply with the standards (e.g. PHP Standards Recommendations).

YetiForce 3.3.78

[Image]

YetiForce is a Vtiger fork. In the case of YetiForce, we had to deal with and remove over 37 thousand errors that had been present in VtigerCRM. We also developed many functionalities, but it didn’t have a negative influence on the overall quality. This proves that a provider decides whether a solution is of high quality or whether it differs from the generally accepted standards for software development. With the current development pace, in a few weeks' time this project probably won't have any errors that negatively affect the quality of the source code.

There are numerous open source CRM systems and each of them can be verified and assessed. That’s an advantage over systems with closed code where it’s more difficult (or even sometimes impossible) to evaluate the quality of the source code.

Popularity of CRM systems

Unfortunately, providers of open source software often may not be able to show the actual number of companies that use their software. In the case of closed source software it is possible but at the same time it can’t be verified whether the numbers published by providers are true. By looking at available statistics (SourceForge, GitHub, Softaculous, etc.), open source software can be arranged in the following order by downloads per week:

  1. VtigerCRM (~5,000 downloads per week)
  2. SugarCRM (~2,800 downloads per week)
  3. SuiteCRM (~900 downloads per week)
  4. YetiForce (~600 downloads per week)

Now, looking at the “The quality of source code” section, the same systems are presented in the following order:

  1. YetiForce
  2. SugarCRM
  3. SuiteCRM
  4. VtigerCRM

We can infer that popularity has no direct impact on the quality, hence a more popular solution isn’t necessarily more secure.

Development vs. popularity

Many people evaluate popularity through the prism of download numbers, and they evaluate other features like security, quality or development in a similar manner. How intensively are open source projects developed?

Vtiger 6.5.0

[Image]

In the case of Vtiger, there have been only 17 changes added by two people within one month. Unfortunately, there is no information about the number of “likes” from developers (currently, there are 31 likes at the Vtiger code website) and the number of open/closed issues (168 open out of 304). It is evident that the project has not been developing and has remained in a similar state for the past two years.

SugarCRM 6.5.24

[Image]

A more severe case is SugarCRM, because the provider hasn’t developed the project for a few years and currently, when they fix something, it is only a security-related issue. The producer officially announced that the community version won’t be developed in any significant manner. As a consequence, SuiteCRM was created.

SuiteCRM 7.7.5

[Image]

SuiteCRM has been developing at a moderate pace (there have been quicker and slower periods), but in comparison to VtigerCRM and SugarCRM there is some progress and a better perspective for the future. 95 changes within a month can be compared to the amount of work completed by one developer who is only responsible for the development of the product and works on a three-quarter-time basis.

YetiForce 3.3.78

In the case of YetiForce, there are nearly 500 changes, which might be compared to three full-time developers working only on the development of the product.

Summarizing, the amount of development in the above-mentioned products can be arranged in the following order:

  1. YetiForce
  2. SuiteCRM
  3. VtigerCRM
  4. SugarCRM

There is a common belief that a given solution is secure because it’s been downloaded over a million times. However, security is a process that requires continuous work of a group of experts because something that was secure a year ago might be already obsolete and faulty today.

The popularity of a product doesn’t affect its quality or security and not even its development (at least, not in a direct way). Whether a product is closed or open source doesn’t indicate any particular advantage.

Open source provides better/worse support

These theories are usually suggested by people who don't have any experience with professional deployments of such systems. The level of provided support is a compromise between price, customer’s expectations and the level of risk that you are willing to accept.

If a provider receives a sales inquiry which clearly defines terms and conditions of support, it doesn’t matter whether a solution is closed or open source. The provider estimates whether it will be possible to deliver support at the expected level and it’s usually presented in an offer.
A software license doesn’t offer any significant advantage in terms of security, quality, support and the development rate. The look and feel of the system depend only on the provider and the community gathered around the project. The two most important assets are hard work and a team that will be able to develop the project to the next level.
