Tuesday, March 31, 2009

Idealware releases new CMS report


So Idealware released the much anticipated CMS report covering WordPress, Drupal, Joomla and Plone. Overall it is a must read and all around general "reference for the ages."

I'll start with the nit picks and then get to the good stuff.

First, the "market analysis" fails what my ex-boss used to call the smell test. Sure the methodology is perfectly defensible, but the result is nowhere near reality. The 10,000 pound gorilla is WordPress, not Joomla. Even though Joomla has a lot of traction in the traditional NPO world, I find it hard to reconcile the numbers. Plus, in most of the rest of the world the word "charity" is used instead of "nonprofit" so you might want to also include that keyword.

The security methodology appears to be just plain wrong. It appears that platforms with more security advisories are considered less secure. I'll hope that the actual methodology was different, but if not, it shows a fundamental misunderstanding of how open source security works.

The starting point is that there will always be bugs and security flaws in released software. The security of a platform is measured by the significance of those flaws and the speed at which they are resolved.

There can be both good and bad reasons for a high number of announcements.

Bad
(1) Code quality is poor - more security flaws are released in the wild

Good
(1) A larger community of people is testing and therefore identifying security vulnerabilities.
(2) The community standard for what constitutes a security vulnerability is more stringent than a comparable project.
(3) A more transparent security process. No security problem is ever fixed without the release of a security advisory.
(4) The lifespan of security issues is very short... no security issues "linger" after they have been identified.

In general, the number of security advisories is a flag to look a bit deeper. High numbers of advisories can be either good or bad; you need to dig deeper to draw a conclusion.
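The point above, worked through on constructed data (an added example, not from the Idealware report or the original post). The project names, severity labels and dates are invented, and days from disclosure to fix stands in for "the speed at which they are resolved":

```python
from datetime import date
from statistics import median

# Constructed sample advisories: (project, severity, disclosed, fixed or None).
# Project names and all values are invented for illustration.
ADVISORIES = [
    ("cms_a", "low",      date(2008, 1, 10), date(2008, 1, 12)),
    ("cms_a", "low",      date(2008, 3, 2),  date(2008, 3, 3)),
    ("cms_a", "moderate", date(2008, 5, 20), date(2008, 5, 23)),
    ("cms_a", "low",      date(2008, 7, 1),  date(2008, 7, 2)),
    ("cms_a", "critical", date(2008, 9, 15), date(2008, 9, 16)),
    ("cms_a", "low",      date(2008, 11, 4), date(2008, 11, 6)),
    ("cms_b", "critical", date(2008, 2, 1),  date(2008, 4, 15)),
    ("cms_b", "critical", date(2008, 8, 9),  None),  # still unpatched
]

SEVERE = {"high", "critical"}

def summarize(advisories, as_of):
    """Per project: raw count, severe count, open issues, median days exposed."""
    out = {}
    for project, severity, disclosed, fixed in advisories:
        s = out.setdefault(project, {"count": 0, "severe": 0, "open": 0, "_days": []})
        s["count"] += 1
        s["severe"] += severity in SEVERE
        if fixed is None:
            s["open"] += 1
            s["_days"].append((as_of - disclosed).days)  # exposure so far
        else:
            s["_days"].append((fixed - disclosed).days)
    for s in out.values():
        s["median_days_exposed"] = median(s.pop("_days"))
    return out

def rank_by_count(summary):
    """Naive ranking: fewer advisories is treated as 'more secure'."""
    return sorted(summary, key=lambda p: summary[p]["count"])

def rank_by_exposure(summary):
    """Ranking by lingering issues first, then by how long flaws stay open."""
    return sorted(summary, key=lambda p: (summary[p]["open"],
                                          summary[p]["median_days_exposed"]))

if __name__ == "__main__":
    report = summarize(ADVISORIES, as_of=date(2009, 3, 31))
    for project, stats in report.items():
        print(project, stats)
    print("fewest advisories first:", rank_by_count(report))
    print("least exposure first:   ", rank_by_exposure(report))
```

On this sample the two rankings come out in opposite order: the project with three times as many advisories has no open issues and a median exposure under two days.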

The good stuff is the financial model behind the report. The ad model is really a quite good one. Since charities don't have the money to actually buy the report, get the consulting shops to buy advertising.

I think they should take it one step further. There is little upside to ad sales to cover the production of a report + surplus. Idealware has a good neutral reputation. They do a good job of maintaining it.

Why not broker leads to companies? All the Idealware information is "hidden" behind a registration wall. Idealware's interactions with information consumers provide an opt-in for vendors to communicate with them. Those opt-in leads are sold to vendors.

This is a lot more involved than the ad model, but has a much higher upside as your volume goes up. Haven't done the numbers to see if this is really viable and don't have a solid sense of what the consulting firms would pay, but I suspect it would work.

1 comment:

Laura S. Quinn said...

Thanks for your comments, David! I just plain disagree with you that security vulnerabilities are a poor security metric. It's a rough metric, yes, but useful. More here.

And yes, the ad model worked out well for this report. There's a limited number of topics that consulting firms would support in this way, I think, but this was certainly one of them.