Linux.com

Feature

Making a Living Saving the Government Money

January 29, 2003 (8:00:00 AM)

- By Robin 'Roblimo' Miller -
Peter Gallagher is president of devIS (AKA Development Infostructure), a Virginia-based company that designs, develops, hosts, and operates large-scale custom Internet applications for government agencies and private consultants. He says devIS saves its clients a minimum of $100,000 per contract by using Open Source Software. Gallagher also claims none of the Web sites or Web applications devIS has produced have ever been hacked. And here's the real clincher: devIS makes money.

The devIS business model is one Open Source and Free Software proponents have been advocating for years, namely selling software services instead of selling software products.

DevIS has 30+ employees, over $4 million in annual revenue, and enjoyed over 50% revenue growth in 2002, a year in which many IT services companies watched their revenues shrink.

Smart employees discovered Linux

Although devIS had been around since 1992, 1995 was the year the company first started using Linux. Gallagher takes no credit for this. He says, "Several of the guys -- who are smarter than me -- said, 'Let's use Linux! Let's use Linux!' and we put it on our file servers in house, doing the typical Samba and print serving. And it worked, and it just kept working."

Then, Gallagher says, a while later, "for one of our federal clients on a fixed price contract, where we were paid to outsource an application, we started using Open Source without telling anyone. The application worked consistently and we were able to save the client a bunch of money. We used Linux and PostgreSQL to build it."

Now devIS bases its entire business on Open Source software. Gallagher says they use, "typically Linux on the servers, OpenBSD on the firewalls, the PostgreSQL database, JBoss or Zope application servers, and a whole range of [Open Source] intrusion detection and monitoring software, as well as CVS and other [Open Source] development tools."

Security - not entirely Open Source

On one test site devIS made, Gallagher says, "the Feds hired a company called AtStake to perform an independent penetration test, and they gave devIS an excellent bill of health."

But, Gallagher notes, "Our firewalls aren't all open source. We're also using some [proprietary] hardware and software leased through one of our partners."

He doesn't want to discuss security in detail. "I can't tell you everything," he says. "It would be a security risk."

Gallagher is aware of the ongoing arguments about security through obscurity vs opening security features for public inspection and bug fixing, but he tends to fall on the "obscurity" side of the coin. And personal beliefs aside, this is a touchy discussion area for a company like devIS that relies on U.S. government contracts for most of its income. "We deal with a lot of security issues with the federal government," Gallagher points out. "We file a lot of papers and plans and forms relating to meeting security guidelines. There's a whole industry out there built on documenting and monitoring your security plans."

Development process as intellectual property

Obviously, any competitor can use the same software as devIS. And devIS clients own the licenses for whatever devIS produces for them. The "secret sauce" here is the development process itself, which Gallagher is not sure he wants to reveal. "Hey," he laughs, "that's what keeps us in business. Anyone can do what we do. We have found ways to do it better. That's what makes us unique."

Some of the "secrets" are obvious, old-fashioned common sense, revealed in a presentation Gallagher gave at LinuxWorld in New York on January 23, 2003. In one of his slides, Gallagher displayed the standardized OSS-based "stack" devIS uses to build most of its Web applications:

- Utilize XML / Standards
- Site uses open source projects:
  - Apache+ (Web server)
- Middleware Servers
  - Zope / Python
  - JBoss / Java (Resin)
- XML Blaster - messaging server
- PostgreSQL (SQL Database)
- Linux / OpenBSD (firewalls)
- Analog (Web statistics)
- Intrusion detection/firewalls - numerous

Do the same thing over and over, and you're bound to get good at it. Use the same tools all the time, and you're bound to become proficient with them. This experience is valuable intellectual property, even if most (all?) of it resides in employees' heads.

This kind of intellectual property -- employee skill -- is protected best by treating employees well. Gallagher says devIS has never had a layoff, even during times when business was rough, and that he sponsors at least one retreat or shared vacation experience per year for all employees. He says devIS salaries are not especially high, but that workers there have "a great deal of freedom. And stability."

Pricing and sales methods

DevIS does not "Sell Open Source." It sells solutions and applications that meet specifications laid down by clients. Often, in the case of Federal sites and online database applications, those specs have to do with accessibility and security, but as long as they are met, Gallagher says, no one really needs to care about what's on the back end, provided whatever it is does the job and can be easily maintained after it is built. If the most cost-effective solution is Open Source, great. If not, Gallagher is not dogmatic. He points out repeatedly that Open Source and proprietary applications can coexist on a server and work together without any problems, and that if his clients require a proprietary application for a specific purpose, that's fine with him.

On one hand, the service pricing model to which devIS must adhere as a government contractor limits its profit margin to a maximum of 10%, but on the other hand, Gallagher says there is much less up-front risk selling services than there would be if devIS sold its custom applications as products.

The only flaw in this pricing and sales scheme is that many government procurement guidelines require COTS (Commercial Off-The-Shelf) software because, in theory, buying something someone else has already paid to develop is usually cheaper than having custom software written. Gallagher disputes the cost-effectiveness of COTS solutions for the large-scale, usually Web-based applications that are the bulk of devIS's work. He says that, more often than not, the cost of customizing preexisting commercial software exceeds devIS's development cost (using the company's standard "stack") for a custom application.

Gallagher says he is thinking about getting around the COTS limitation by "putting our whole 'stack' on CD so we can say it's COTS. And putting it on the GSA schedule [the government's 'master' product purchasing catalog database] for a dollar."

There is nothing to stop Gallagher from doing this, as long as he includes source code, since all of the base software on that CD would be Open Source.

We had to ask: "Are you hiring?"

Gallagher says, "We're always looking for people. We don't have anything major right now, but we expect to be looking for some new people soon. I guess that's a qualified yes."

Gallagher will never be Gates

A successful software service company like devIS, working on a limited profit margin, can't generate as high a return for its owners as a successful software product company. (Note that Microsoft earns as much as 85% margin on some of its products, while devIS is locked into 10% or less.) But as Gallagher notes more than once, the financial risk involved in building a service company is much less than that involved in building a product company.

Another factor, often pointed out by software industry pundits, is that service companies don't scale as well as product companies because there are fewer economies of scale for them to take advantage of as they grow. When you are doing custom work, whether it is programming or wood carving, the labor cost of producing the end result is about the same for a large company as it is for a small company. Indeed, the small company -- with less infrastructure to support and no outside stockholders -- may actually have an advantage.

Perhaps the ideal Open Source company is not a behemoth run by a ruthless, profit-driven executive, but is something like devIS, run by a Volvo-driving, former Peace Corps volunteer like Gallagher, who talks more about money he has saved taxpayers and how well the sites his company has made serve their intended constituencies than about the amount of money he has put in his (or investors') pockets.

The problem is, the big companies tend to get all the major press coverage while small, quiet (but profitable) companies like devIS get overlooked. Not that this matters a great deal to Gallagher. "I think we were in business for nine years before anyone wrote an article about us," he says. "And we're kind of invisible, because you can't 'sign' Web sites you make for the government the way you can put your company's name on ones you make for private businesses."

Even devIS's own Web site barely tells the company's story. "It's really time -- past time -- for us to redo our site," Gallagher says. "The only problem is, we're so busy doing work for clients that we never seem to find the time."

Comments

on Making a Living Saving the Government Money

Note: Comments are owned by the poster. We are not responsible for their content.

never been hacked

Posted by: Anonymous Coward on January 29, 2003 05:20 PM
perhaps they are asking for it???

???

#

Re:never been hacked

Posted by: Anonymous Coward on January 29, 2003 09:56 PM
I wouldn't think so ;) I think those that say they are 'selling' proprietary systems that subsequently bring down the internet with their vulnerabilities are more likely to be asking for 'it', whatever that may be. Most folks don't go looking for trouble...

#

Re:never been hacked

Posted by: Anonymous Coward on January 30, 2003 10:31 AM
So what? Fort Knox has never been robbed, wanna try?

Eric

#

Re:never been hacked

Posted by: Anonymous Coward on January 30, 2003 05:52 PM
What type of reward are they offering?

#

Security by obscurity ?

Posted by: gerardm on January 29, 2003 07:23 PM
I wonder if it is correct to speak of security by obscurity. Typically it is meant that the algorithms are withheld. When you implement security, you make use of available technologies, preferably known and reliable ones. Technologies used are known, not obscure.

The information of which technologies are implemented can be a secret. This does not make for security by obscurity.

#

Re:Security by obscurity ?

Posted by: Anonymous Coward on January 29, 2003 09:47 PM
I agree with the comment. I took the statement to mean that the configuration was Secret but that the tools were standard, well-tested software and hardware, not obscure...

#

Re:Security by obscurity ?

Posted by: Anonymous Coward on January 29, 2003 11:20 PM
Exactly. For example, if I tell you that I'm using RedHat as my server, I've just helped you narrow down where my vulnerabilities may be. Even if I've got the most secure server in the world, why would I want to help you take a crack at it?

#

Thats the problem, "saving money".

Posted by: Anonymous Coward on January 29, 2003 08:02 PM
"Making a Living Saving the Government Money"

It's the IT-industry that has financial problems, not the government. In other words, it's the IT-industry that needs to make more money, not the government.

The fact that the customers pay less (=saving money) means that the companies and people working in this industry make even less.

It doesn't matter how you turn and twist the formula, if less money is paid total in the end it means bad news for the industry.

In this case this small supplier devIS has about $4 million yearly revenue and 30 employees, that's small both in terms of revenue and number of people they support.

You need to look at the whole picture and the whole picture shows that total revenue regarding the IT-industry is shrinking horribly.

#

Re:Thats the problem, "saving money".

Posted by: Anonymous Coward on January 29, 2003 09:18 PM
"The fact that the customers pay less (=saving money) means that the companies and people working in this industry make even less"

In other news: Using all parts of the buffalo is bad for the buffalo-hunting industry.

#

What is this industry

Posted by: gerardm on January 30, 2003 12:27 AM
When people pay the proprietary tax, a lot of money goes towards stockholders. They are not the industry.

Software products have a life span and within this industry there is a tendency that costs go down. That is the total cost for a given solution. Traditionally with results going up and costs going down, options that were out of reach become economic. This drives the evolution that can be seen in ICT.

With GRID computing, the OS as a commodity, hardware and software costs will go down a lot. All kinds of technology become feasible as talent goes elsewhere to make a buck.

ICT is like a pigs market, when there are too many pigs they get slaughtered driving down the meat price. With too few pigs they breed like hell driving the meat price up.

#

Re:Thats the problem, "saving money".

Posted by: Anonymous Coward on January 29, 2003 10:09 PM
The IT industry is a victim of its own greed.

IPO Fever, the (artificial) shortage of skilled IT "crisis", it goes on.

To have revenue growth of any sort (let alone 200%) in the IT industry these days, shows that this company knows something the rest of the IT industry (and you) obviously don't.

#

Re:Thats the problem, "saving money".

Posted by: Anonymous Coward on January 29, 2003 10:11 PM
err that should read 50% revenue growth.

#

Wrong...

Posted by: Anonymous Coward on January 29, 2003 11:07 PM
Well, sure the "total revenue regarding the IT-industry is shrinking horribly", the total revenue regarding virtually all the technology sector has shrunk horribly since 2000. The current on-going recession was caused by the sudden collapse of what was a technology "bubble". Is this supposed to be news to anyone?!

But, this isn't caused by OSS. The only reason that government and businesses are turning to OSS solutions for their IT needs is because the cost of the investment in closed source solutions has been priced beyond its ability to return value. The company described in the story still employs developers and IT personnel, but no, it won't ever be able to make millionaires of its executives or return fat dividends to stockholders. So, there's still good work to be done for those who wish to work, but the gravy train for those who profit from other people's work has been somewhat curtailed. Oh whaaaa.

#

Re:Wrong...

Posted by: Anonymous Coward on January 31, 2003 08:17 PM
"The current on-going recession was caused by the sudden collapse of what was a technology "bubble". Is this supposed to be news to anyone?!"

Somewhat true but there is a fundamental difference between the IT-industry's problems and others' problems. We have cemented into companies' and people's minds that there is no need for payment, you can get free labour.

"But, this isn't caused by OSS. "

It is caused by open source and other factors, open source is not the biggest factor but it certainly is a factor.

"The only reason that government and businesses are turning to OSS solutions for their IT needs is because the cost of the investment in closed source solutions has been priced beyond its ability to return value."

That is not true, of course there is a high value in software. But if someone offers to work for free they will take that instead.

"So, there's still good work to be done for those who wish to work, but the gravy train for those who profit from other people's work has been somewhat curtailed."

Are you joking? Huge profitable companies (non-IT) now get free labour from software engineers and others. Not cheap labour, free labour.

This is a typical example of big money-strong capitalists making profit from other people's cheap labour (free in this case).

#

IT is not shrink wrapped

Posted by: HarryLeBlanc on January 30, 2003 01:04 AM
The "whole industry" is mostly custom software built around product-ized components. If I can meet my client's needs with Linux/PostgreSQL/JBoss/Tomcat/Apache, and still spend 500 hours writing the custom application, instead of MSXP/SQLServer/IIS/ASP plus 500 hours (or 700 hours, add another 200 for buggy platform and UDP attacks), only Microsoft ends up with less money. But open-source is self-selecting for quality, since nobody can spot a good programmer like another good programmer.


For the vast majority of companies, IT is a cost center, not a profit center. If an IT group (internal or consulting) can deliver the goods for less money, they'll have all the work they can handle and then some. Let's face it, business is leery of IT because there are so many crappy programmers out there, both in and out of shrinkwrap companies like Microsoft. Companies hunger for quality, and will pay huge for it when they find it. That's why commercial software is so expensive -- they're selling the illusion of competence, so they can afford to pay the 10 lousy programmers held up by the 1 good one.


The fewer dollars sucked into the black hole of Microsoft et al, the more dollars for people providing real solutions at affordable cost with terrific open-source tools. Monopolies are bad for the economy, remember?

#

Re:IT is not shrink wrapped

Posted by: Anonymous Coward on January 30, 2003 05:43 PM
"IT is not shrink wrapped"

And I didn't say it is, did I. If you take a look at some financial reports from various technology companies you will see that Microsoft is doing excellent, they are not the ones that have problems.

As a matter of fact, consultant companies have been hit the worst.

What I'm talking about is still the WHOLE picture, not just Microsoft vs. Redhat or something like that.

The value in the technology industry has been shrinking like crazy.

I read an article somewhere that speculated whether the current value-decrease started with the Netscape vs. Internet Explorer fight. At a first look, that seems ridiculous but I think it has lots of truth in it.

It was after the browsers were given away (with lots of publishing about that they were given away for free) that other companies followed and started to give away stuff since there was a crazy idea at that point that market-share was more important than actually making money.

The fact that both products and services (think web-content/services) were given away made people think that there is little value in these products and services.

I saw a poll not so long ago that people don't want to pay for 3G products and services (meaning that they want it but don't want to pay for it), the idea that you don't need to pay for stuff has been cemented into people's minds.

It will be a long uphill battle to get out of the depression this industry is in.

#

Re:Thats the problem, "saving money".

Posted by: Anonymous Coward on January 30, 2003 01:57 AM
The government has *major* financial problems: it has trillions of dollars in debt. Just to keep afloat they have to rob their own citizens through outrageous taxes - including taxes on the IT industry. Saving the government money saves the IT industry and *you* money.

#

Re:Thats the problem, "saving money".

Posted by: Anonymous Coward on January 30, 2003 04:46 AM
"The government has *major* financial problems: it has trillions of dollars in debt. "

Not quite so. When Clinton was in office it actually went down to zero and then into the black. Now that Bush is in office it's now in the hundreds of Billions and making its way back into the trillions. That's what happens when the republicans are in office.

#

Re:Thats the problem, "saving money".

Posted by: Anonymous Coward on January 30, 2003 04:55 PM
Not quite so. When Clinton was in office it actually went down to zero and then into the black.



If only that were really true....
Congress & the President were (are, have been) robbing Peter (income from Social Security taxes) to pay Paul (general Treasury debt).



The whole thing is a scam, no matter which party is in office.

#

Wrong!!!!

Posted by: Anonymous Coward on January 31, 2003 04:48 AM

When Clinton was in office it actually went down to zero and then into the black


The Gov budget went into the black ... meaning that Gov revenues exceeded Gov spending for a couple of years. The total Gov debt wasn't even dented.

The good times in the 90's were a result of the post Gulf War economic boost ... history reveals that economic boosts always follow a good war ... time for another good one ... you can always rely on the Bush's

#

Hold it now ....

Posted by: Anonymous Coward on January 30, 2003 02:19 PM
that's my tax money you want ... less Gov spending on software means less taxes and more $ in my pocket.

And just who gets the gross over profits from closed source software ... most of it goes to the marketers

#

Re:Hold it now ....

Posted by: Anonymous Coward on January 30, 2003 07:27 PM
"that's my tax money you want ... less Gov spending on software means less taxes and more $ in my pocket."

Yes, but how much does it actually cost in time and money to make it? The costs should cover that. These products are built on free labour, unpaid work.

"And just who gets the gross over profits from closed source software ... most of it goes to the marketers"

No, most of it goes to salaries for the people developing.

#

Wake-up already!!!!

Posted by: Anonymous Coward on January 31, 2003 04:22 AM

No, most of it goes to salaries for the people developing



Oh ... I guess that's why MS has $40B in the bank and Bill's the richest asshole in the world. ... last I heard he wasn't giving it back to his software engineers (SEs) ... BTW do you know any rich SEs at MS ... I only hear stuff from the rich MS pointy heads.

Your point is as crazy as saying the profits from your local electric company go into the EEs' pockets, therefore we need higher electric bills and who cares if there isn't any competition for your electric service. This is dead wrong ... electric utilities are not run by EEs and they aren't even close to the highest paid employees. Same for software companies. But at least the electric companies are highly regulated to protect customers.

Every time I buy milk at the grocery store I put bucks in Bill's wallet ... whose software does the grocery store chain run ... how about the distributor ... the trucker ... or the farmer. Their software costs are bundled into the $ I pay for my milk.

Wake-up already!!!!

Software should not be a monopolized product ... it should be a competitive service. I'm sorry but SEs work like everyone else in the world and get paid an hourly wage ... they're not the ones who get rich by locking captured customers in jail and sucking money from their guts.

#

Re:Wake-up already!!!!

Posted by: Anonymous Coward on January 31, 2003 05:45 PM
"last I heard he wasn't giving it back to his software engineers (SEs)"

You heard that from someone who doesn't know what he or she talks about.

"... BTW do you know any rich SEs at MS ... I"

Yes, there are lots. No company on the planet has generated so many dollar millionaires as MS, and lots of them are software engineers. A big part of people's salaries at Microsoft is connected to the sales of the products they work on.

"I only hear stuff from the rich MS pointy heads."

You have simply been given the wrong information.

"Every time I buy milk at the grocery store I put bucks in Bill's wallet "

So? You put money into the drivers who deliver the milk from the farms to the milk producer and from there to the store as well. There are a number of people working on giving you that milk, is it supposed to be wrong to pay them all? If software is needed or gives advantages in the process that should be paid for as well.

However, my posts are still not about Microsoft vs. Linux.

I simply state that we in the IT-industry at large have serious and horrible revenue problems at this point.

The recession matters of course since spending goes down. It's, however, not as big a factor as the fact that the value in products and services has been dumped. In most cases venture capital has been used to cover for the loss made by the price dumps, the revenue has been smaller than the salaries that need to be paid out alone.

It's not healthy business, that’s all there is to say about it really and there must be a genuine change in how business is done if this industry should ever be able to get out of this mess.

#

Re:Wake-up already!!!!

Posted by: Anonymous Coward on February 01, 2003 05:13 AM

No company on the planet has generated so many dollar millionaires as MS



So what is the average SE's salary at MS ... isn't no different than any other company ... and did MS's $2.6B profit reported last year go to them ... NO!!! MS may be generating millionaires by the dozen by monopolizing the software market and sucking gross profits from the guts of the average citizen, but the MS SEs that sign away all their rights to any IP they may develop when they're hired are not among them. Furthermore, I don't agree with you that MS is generating any more millionaires ... just making the existing ones richer.



part of people's salaries at Microsoft is connected to the sales of the products they work on.



This is not unique to MS. Most companies use profit sharing or goal programs to stimulate employee productivity.



So? You put money into the drivers who deliver the milk from the farms to the milk producer and from there to the store as well. There are a number of people working on giving you that milk



Yes I do ... and it's a fair price in a competitive market. The richest person in the world is not a truck driver or a person that owns a trucking company. There is fair competition in these markets which in turn provides a natural price regulation and normal profits on investment ... The richest person in the world is an asshole who monopolized the software market using brutal marketing practices and closed source software as his ultimate weapon. Closed source software is designed to lock in, monopolize and abuse customers. THERE IS NOT FAIR COMPETITION IN THE SOFTWARE MARKET!!!!



I simply state that we in the IT-industry at large have serious and horrible revenue problems at this point.

At this point like every other industry. I feel it is the abuse that the IT-industry and closed source delivered to the unknowing customers and investors in the 90's that has precipitated much of the recent economic problems. I feel that it not only cost industry but stifled development. I see open source as a natural corrective result of the problems closed source has wrought.

the revenue has been smaller than the salaries that need to be paid out alone.

The natural result of any overheated industry that has abused its position. However, like I said above MS still reported $2.6B in profit last year ... god save the monopolist and his ultimate weapon, closed source.

#

Re:Wake-up already!!!!

Posted by: Anonymous Coward on January 31, 2003 05:52 PM
"Software should not be a monopolized product ... "

I would like to add that I agree with you completely on that issue. A monopoly always stifles competition, a monopoly has no place in a free market.

"it should be a competitive service. "

It should be competitive services or products depending on what it is. Some software is more appropriate as products and some as services. Under no circumstances should there be a monopoly however.

#

Business as usual

Posted by: Anonymous Coward on January 31, 2003 03:00 PM
Business as usual (http://www.zdnet.com.au/newstech/enterprise/story/0,2000025001,20267109,00.htm) is wasting too many resources. If waste and inefficiency are good, then stick with selling "Microsoft Solutions". Otherwise stick with more practical platforms like BSD, Solaris, Linux, QNX, or OS X, just to name a few. With customers paying less, they can devote those resources to their core activities resulting in increased productivity.

#

For reference:

Posted by: Anonymous Coward on January 29, 2003 09:18 PM
A little more background (http://us.imdb.com/Name?Gallagher,+Peter) on Peter Gallagher

#

Re:For reference:

Posted by: roblimo on January 29, 2003 09:39 PM
Different Peter Gallagher. :)

- Robin

#

Revenue

Posted by: Anonymous Coward on January 30, 2003 12:16 AM
Ok for $4 million split evenly over 30 employees is about ~133,334 a year. That seems like a good salary to me, how about people here

#

Re:Revenue

Posted by: Anonymous Coward on January 30, 2003 01:06 AM
Umm.. Does someone need a lesson in revenue vs. profit? So let's take some examples from the article. 4 mill. in revenues, with a maximum of 10% profit as outlined by the government. That's a total profit of? $400,000. Now, say you do divide that over 30 employees equally, that's only about 13 grand a year.

#

Re:Revenue

Posted by: Anonymous Coward on January 30, 2003 01:11 AM
Employees are an expense, not paid from profit.

#

Re:Revenue

Posted by: Anonymous Coward on January 30, 2003 02:38 AM
Yeah, they're both wrong. But it's clear that most of the employees can't be making more than about $65K plus benefits, if they're clearing profit.

#

Re:Revenue

Posted by: Anonymous Coward on January 30, 2003 04:40 AM
For the sake of contrast, does anyone know what the average yearly income is for those not on welfare?

#

Re:Revenue

Posted by: Anonymous Coward on January 30, 2003 06:30 AM
What's welfare ? ;-)

#

Re:Revenue

Posted by: Anonymous Coward on January 30, 2003 12:11 PM
Last I searched the _median_ income was ~39,500. ...and that might have been household income.

#

Re:Revenue

Posted by: Anonymous Coward on January 30, 2003 12:31 PM
hmm.. oracle consultants were used to making that each quarter in the dot-com-bubble.

of course they _were_ charging the government about $44,000,000 more than $1 for a comparable suite of applications :-)

http://www.business2.com/articles/web/0,1653,40464,FF.html

#

Glorifying IPR

Posted by: Anonymous Coward on January 30, 2003 02:00 AM
Why do you guys insist on talking about "intellectual property" like this? You'd think it was manna from heaven the way you go on.

#

$4 million revenue after 10 years in business?

Posted by: Anonymous Coward on January 30, 2003 06:50 AM
and 30 employees? That's pathetic - devIS is a good example of what NOT to do.

#

Re:$4 million revenue after 10 years in business?

Posted by: Anonymous Coward on January 30, 2003 07:06 AM
They provide useful services to a bunch of clients, and keep 30 people employed doing interesting work during an IT recession. But granted, that's nothing compared to the juggernaut of a company YOU founded.

#

Re:$4 million revenue after 10 years in business?

Posted by: Anonymous Coward on January 30, 2003 09:18 AM
Pathetic? Oh yes? And what company did you build up, what revenue are you generating?
Their margin is the one of an honest and sustainable business, and their size is large enough to weather a storm but not too large to become impersonal.
I believe the future belongs to companies like that one.
(I myself employ 7 people, have been in business for 16 years, and ever since we started we are growing by about 20% per year without any setbacks. Wouldn't change chairs with any CEO no matter how big the company)

#

At least someone is Doing Things Right

Posted by: Anonymous Coward on January 30, 2003 08:15 AM
Get a solid system, then stealth it over, i.e. hide version numbers. A common one is to go to log into a telnet server that just happens to be left running somewhere, and bingo, you just got the version number of the OS. The same thing happens in other places. Companies and programs just love to advertise themselves.

Now Microsoft is stealth, but it is pointless, since the hacker can have the same version OS and spend hours going over it looking for holes.

I have set up Linux systems, but with different patches, parts removed and other changes it gets very hard to guess if the attack that is published will work, or it might not because the system has changed and you have just waved a red flag at a bull by using it.

I have seen the cloud that Linux can put up and it is impressive.

Now I would like to say one thing: never ever say that you have never been broken into. Just that it has not happened yet. As the rule is, what can happen will happen at some stage. It would be better to say we have never had any major break-ins. (You might or might not have had some minor ones that never got important data.) Less of a challenge factor and harder to beat. So you have a better chance of not having your reputation damaged.

#

It has to be said:

Posted by: Anonymous Coward on January 31, 2003 09:35 PM
1) Write free stuff
2) Offer professional services and support based on this free stuff that has a reputation for reliability and "getting work done with little fuss"
3) Profit!

hehehehe.

#

Re:It has to be said:

Posted by: Anonymous Coward on February 03, 2003 09:44 PM
I haven't seen one single working example of what you describe.

There are examples of business models without "1) Write free stuff" where the actual software is written by others for free (free labour).

#

But where is...

Posted by: Anonymous Coward on February 01, 2003 03:06 AM
... the CC certification?

Microsoft is currently the biggest competitor in many Federal government software applications because they have a CC EAL4 certification and nearly everyone else doesn't.

Linux is less secure and less reliable. The Government said so.

#

U know NSA's SELinux? MS is NOT secure!

Posted by: Anonymous Coward on February 03, 2003 03:42 AM
search google for:
Security Enhanced Linux
and ask why NSA (National Security Administration) is doing this with LINUX and not Microsoft?

read here: http://www.nsa.gov/selinux/

Also why is the new Department of Homeland Defense using Linux?

#

Re:U know NSA's SELinux? MS is NOT secure!

Posted by: Anonymous Coward on February 03, 2003 04:31 PM
The NSA itself states that SELinux is a prototype, and not necessarily suitable for real-world deployment in situations which require security.

No one has yet submitted SELinux to the Common Criteria test suite. Therefore, according to the NSA's own directive, it cannot be used in federal applications dealing with sensitive data.

Only operating systems with CC EAL4 ratings or higher can. Microsoft Windows qualifies; Linux (even SELinux) does not. Therefore, the government does not consider Linux secure enough for its operations, whereas it does consider Windows secure.

Also, the NSA has decided not to make any more open source releases because they consider the GPL to be too risky. Don't expect to garner a lot of support from them in the future.

In this era of paranoia about "cyberterrorism", CC certification will likely become a requirement across the board, in both government and business. That puts Linux out of the game entirely...

#

Re:U know NSA's SELinux? MS is NOT secure!

Posted by: Anonymous Coward on February 03, 2003 06:58 PM
>That puts Linux out of the game entirely...

Shame that Slammer, Code Red etc. haven't put Windows out of the game entirely too. The "patch and repatch" culture just isn't working any more.

#

Re:U know NSA's SELinux? MS is NOT secure!

Posted by: Anonymous Coward on February 03, 2003 09:40 PM
"The "patch and repatch" culture just isn't working any more."

Then I assume Linux is out of the question? Have you checked out the patch list for Linux each week? The number of patches for Linux on a weekly basis is not few and a major part of them are security related.

If you want few patches and high security you shouldn't use windows or linux, you should use something like AS/400 or openVMS. Those products have much longer beta periods and releases are few but well tested.

Windows and linux release much and often which you just can't combine with highest possible security.

#

Re:U know NSA's SELinux? MS is NOT secure!

Posted by: Anonymous Coward on February 05, 2003 09:02 AM
I would not be terribly surprised if a news item came out tomorrow indicating that IBM was going to pick up the torch and carry on the SELinux type of R&D begun by the NSA... they also might have the deep pockets and be willing to pony up at least a part of the money to get Linux certified, so while at the moment Linux is not even in the game, I wouldn't say that it will ever be so.

As another poster on the thread was trying to get across (I think)... from their web page at openbsd.org - OpenBSD is now doing some development work for DARPA and the USAF under an agreement between the OpenBSD group and those government agencies (in conjunction with the POSSE project at UPENN). It is possible that some of the technologies they might develop could end up being proprietary (well, at least not released to the public as other OpenBSD code is) because of the nature of the BSD licence. But in the end the OBSD developers will learn a great deal from this kind of research and that can only make the other parts of OBSD that we get access to better - more stable, more secure (as if it's not enough of both of those already). I haven't heard of DARPA making any deals with MS to research computer related security recently - well, perhaps it wasn't reported, those pesky media types were too busy getting their sound bites and column's worth from the events related to SQL Slammer or Code Red or Nimda... I think my point here is made.

And who's to say - the NSA could well be investigating or working with any of the BSD groups or just taking their code and building the kind of functionality into it that they were attempting with SELinux. Under the BSD licence they are not obligated to release any code mods back to the commons as the GPL requires, and because they are the NSA, I'm quite certain that there's lots of stuff that they do that none of us are aware of, perhaps including still doing work on SELinux but not releasing their work. I don't know that the GPL imposes some kind of time limit on the release of the work, they could have the project (SELinux) nearly complete and 10 years from now they will comply with the GPL and say "It really wasn't ready for prime time until just now". The GPL doesn't force you to release your changes to GPL code if you are just tinkering - at least according to the legal counsel for the FSF, Eben Moglen - see here: http://www.gnu.org/philosophy/enforcing-gpl.html

So sometimes those certifications are rather pointless, and as already noted, they might only be within the financial means of for-profit companies who are willing to spend the money necessary to certify their wares. Also, many times the OS (this is probably true of almost any OS) can only manage to pass those certifications when stripped down to such an extent that it's barely useable once you're done. Do you think that Windows passed with Windows Networking (NetBEUI) and file sharing enabled? Put it this way, would you rather run OBSD or WindowsXX on your servers? I already know what's running on mine, and I'm quite proud to say that I have supported the OpenBSD project for some time now, with purchases of the OS on official CD's (3), T-shirts (3), and posters (2). I only wish I had a budget that allowed me to donate some cash outright, or perhaps to pay for some development effort that would be important to me. If you believe that Windows is more secure than some other OS because of those certifications then by all means keep buying it and running it.

I take this philosophy with my choice of OS, because I want one that is secure as it can be within reason: There are some groups (luckily for us many are developing free software) who take great pride in producing RFC-compliant, robust, reliable and proactively secure software, at a level that some outsiders might consider rather paranoid or maniacal. Ultimately I don't know what motivates the people involved, but I like to think that for some it is because they believe that there is value in that development model and they feel personally rewarded for being engaged in that kind of pursuit. Microsoft will do it because it (security) is the cause du jour and it can be financially rewarding for them, and financially disastrous if they were to ignore the outcry for security improvements in their software. And in the end perhaps they will win out in this battle, but it won't be for lack of trying or skill on the part of their competition, it is more likely to be because they got bulldozed by MS's money machine or PR-FUD machine, whether the competition is Linux, XXXBSD, Mac OS, Solaris etc.

#

Re:U know NSA's SELinux? MS is NOT secure!

Posted by: Anonymous Coward on February 05, 2003 03:01 AM
Only operating systems with CC EAL4 ratings or higher can. Microsoft Windows qualifies; Linux (even SELinux) does not. Therefore, the government does not consider Linux secure enough for its operations, whereas it does consider Windows secure.

Certification costs money. Micro$oft can buy credentials, most open source projects can't even afford to be evaluated. Maybe this will change with TrustedBSD.

Also, the NSA has decided not to make any more open source releases because they consider the GPL to be too risky. Don't expect to garner a lot of support from them in the future.

GPL is not the only open source license. Some open source is freely available without legal question marks, look at www.openbsd.org and www.trustedbsd.org.

Try to manage some small amount of education on an issue before making an ass of yourself.

#

Re:But where is...

Posted by: Anonymous Coward on February 04, 2003 12:46 AM
MS has been granted certifications for Windows based on satisfying specific requirements, such as ACLs and secure logins. These types of things can be design and code-reviewed by government experts. Unfortunately, external panels can't possibly review tens of millions of lines of source for bugs. You have to look at Microsoft's record.

#

This story has been archived. Comments can no longer be posted.
