Open-source software is showing up in ever-growing percentages of applications, and the amount of open-source within those applications is increasing just as fast.

Developers are drawn to open source for a number of reasons: the fact that they can access the code within the components; the fact that there is a community of people creating, maintaining and securing that code; and the fact that they don’t have to create some functionality that already has been created.

So why has the uptake of open source on the infrastructure side lagged? I spoke with Mark Herring, CMO at Gravitational, a startup in the cloud infrastructure space that offers tooling that controls user access and secures application deployments for developers.

Herring put it this way: “I think we’ve become such an instant gratification world. I don’t want to go to find a machine; I don’t even know who to speak to in IT who can give me a machine. I need access. Let me just go and get a thing and use it.”

Developers, he said, believe developers. They are dubious of sales pitches and marketing claims. ‘The way they look at it is, ‘Let me go see what’s happening on Github… Let me see what the cool kids are using.”

A big reason for lag in adoption on the infrastructure side is that the need didn’t exist in the time of monolithic applications and in-house data centers. Running monolithic applications on in-house infrastructure is in many ways easier, because the company owns everything. Elastic-scale software that’s accessible creates way more complexity.

“From an industry trend, it’s a bit like the legacy problem,” Herring said. “As [companies] look at monolithic software and they go, ‘What are we going to do now as we rearchitect it,’ there is this new kid on the block called Kubernetes, and everybody wants to move everything to Kubernetes, and basically have infinite scaling. The trouble with that is one person’s Kubernetes is not another person’s Kubernetes. If you’re going to deploy something on GCP, or AWS, or Azure, well, it reminds me of the good old heyday at Sun — I come from Sun in the Java days — and it was ‘write once, run anywhere .. sometimes.’ It’s the same problem.”

Even before Kubernetes, the Hadoop data systems brought open source to infrastructure, and Docker, Puppet and Rancher followed suit, enabling developers to spin up instances of environments quickly and easily. People, Herring said, stopped looking at open-source tools for infrastructure as toys. “It’s a classic crossing the chasm,” he added. “It used to be a couple of Silicon Valley companies using it, and we’re starting to see the chasm has been crossed.”

One downside Herring mentioned is that not all open source is created equal, and there is bad open source in the world. So sorting through the chaff has been an impediment to uptake. “There wasn’t one major shift to open source; it was more just the flavor of going, ‘Ahh, this is where it’s at.’ The trouble is, you have to go and then dig through the morass of bad open source that’s out there.”

IT organizations seeking to bring open source into their infrastructure can use methods tried and found to be true by developers: Look for the number of stars the project has, the number of people in the community, the word-of-mouth ‘buzz’ about the project. Herring said, “You dont want to go and put all your infrastructure there and find there’s no one behind it.”

As for Gravitational, it has Kleiner Perkins money behind it, which Herring said shows “you’re not fly-by-night.”

The company now offers two products: Teleport, which is used for multicloud privileged access management; and Gravity, a tool to package cloud environments — including dependencies — to be delivered to on-premises servers or another cloud instance.

The biggest hacks occurring these days are from people coming into systems and stealing someone’s credentials to either siphon data or to plant ransomware. Because of the distributed nature of today’s application architectures, security is higher on the list of concerns than it was in the monolithic world. “What it means for a lot of developers out there,” he explained, “is, ‘Oh my God, I’ve got to do this and it’s a tax on the system. How do I find some people who have done that because I don’t want to write security code.'”