Ask not what open-source software can do for you, but what you can do to ensure you’re using open-source software wisely and securely.

That was the message among speakers and attendees throughout the week at the Open Source Business Conference in San Francisco, where the focus was on best practices for using open-source software within large businesses.

Jeffrey Hammond, principal analyst at Forrester, asserted that 2009 was a watershed year for open source in enterprises. In 2008, he said, most of the questions he received from customers were about the careful adoption of open source. Those questions vanished last year, replaced by questions about mobile development. This, he said, is an indication that businesses finally understand open source and feel comfortable using it.

Hammond said that developers have long driven the adoption of open-source software in enterprises. He also said that this has resulted in a profound shift in how companies purchase software for development use.

“What’s happening is we’re seeing the move in enterprise software from a price-skimming model (where companies make lots of money, but have very few customers) to a price-penetration model, where it is easy to acquire, easy to install, and it becomes a community,” said Hammond.

This shift is the direct result of licensing woes, he said. If developers are using all of their paid-for licenses in production and they need to spin up a new server to meet demand, they have to go through the bureaucratic purchasing processes of their own organizations, and those of their vendors, to legally bring that new server online.

When it can take as long as eight weeks to fulfill a purchase order for software, but often only 15 minutes to download an open-source alternative, developers will usually choose the latter, said Hammond.

Hammond also advocated the use of internal repositories for storing approved open-source code. “Maintaining a repository of accepted open-source software components is better than letting developers go out there and use anything they can find,” he said.

Bob Sutor, vice president of open source and Linux for IBM, gave a keynote address in which he enumerated the criteria by which open-source projects should be evaluated. His talk highlighted the problems that can arise when organizations choose the wrong open-source project around which to standardize. He also advocated the creation of a company-wide open-source governance plan.

“A lot of open-source projects can be traced to one person. You get the good and you get the bad. Think about software as you might think about a company,” Sutor said.

“You’ve got to look at the people. How long are they going to be around? Are they going to flip out and leave me stranded? Run through ‘what if’ scenarios. What happens if the code gets abandoned? What happens if they get forked? Learn what other people have done with the code.”

Sutor added that open-source software should be chosen based on merit, not based on the fact that it is open source.