As companies and their in-house developers become increasingly aware of open source and its benefits, their use of it in projects increases. But not all of that use is documented, or even official. That's a potentially serious problem, both in terms of licensing and security.
This has led to the emergence of a new class of companies that will audit just what open source code is being used in a particular project or company. It's a hot area at the moment, as the recent acquisition of the open source software search engine, Koders, by Black Duck shows.
One of the major players in this area is Palamida. Here its CEO, Mark Tolliver, talks about how painful personal experiences led to the company's creation, the kind of surprises they always find in people's code, and why using open source will get easier for companies.
GM: What's the background to the company's formation? Why did you feel there was an unfulfilled need in this area?
MT: For Palamida, the risks of undocumented code aren't purely theoretical. The company was formed in 2003 when the founders ran into this problem in their previous company. Before launching Palamida, they worked together at Cacheon, a now defunct enterprise software company.
On the verge of signing a major deal with IBM WebSphere, Cacheon's management team discovered that an engineer had used open-source code covered by the GPL (GNU General Public License) for a core part of its product. That discovery was a show-stopper for the co-development deal and required Cacheon to pull out the GPL’ed code, so that they would not violate the licence. But that required re-architecting the Cacheon product and delayed the IBM deal – which never restarted.
Interestingly, after the discovery, Cacheon put in place a “policy and procedure” which required its developers to request permission for open source use and required them to check in third-party code in a specified sub-directory in their source code management system. But periodic manual reviews of the code base continued to identify undocumented code and licences, despite the new policy.
The founders realised that if Cacheon, a company with only 25 developers in-house and 15 outsourced, had this problem, what must a global company with 10,000+ developers be going through?
GM: What services do you offer? Which other companies offer similar services? How do you compare to Black Duck, say? Do you wish you'd bought Koders?
MT: Palamida provides application security solutions and services for open source software. With Palamida, organisations leverage the full benefits of open source by documenting software components in use and alerting appropriate stakeholders about associated vulnerability and intellectual property risks.
Palamida Enterprise Edition, our flagship product, is designed for organisations concerned with managing both vulnerability and intellectual property issues. Enterprise Edition provides a complete inventory of open source components, including detailed intelligence about associated security vulnerabilities and intellectual property information. Accurate detection ensures thorough risk management of all open source usage within mission critical applications and products.
Palamida Standard Edition is designed for organisations primarily concerned with security vulnerabilities introduced through undocumented use of open source components.
Palamida Compliance Edition is for organisations whose primary concerns are managing open source license obligations, restrictions and conflicts.
Our Palamida Compliance Edition competes with other IP management solutions, such as Open Logic, Protecode and Black Duck. Companies typically choose Palamida because of our broader solution set, most importantly security vulnerability management, our broader detection capability and automated analysis capability.
Regarding Koders, it’s a good service, but there are a number of good sources for code search, including Google Code Search. As a small company you need to be sure you are working in areas where you can make a unique contribution.
GM: How typically do you work with companies?
MT: Companies typically integrate Palamida’s software as part of their software lifecycle management – beginning with integrating our software into their existing build environment, so that automated code scans occur during the development and testing phases. Upon deployment a final inventory of open source use, including version and location, is logged and, post deployment, security alerts are generated as new vulnerabilities are generated against the existing inventory of open source components.
Palamida’s services group is typically called in for short-notice or urgent audits and in those cases, we do a very comprehensive audit on a specific set of code outlined by our client, say, a code base that is the basis for an acquisition or the subject of a lawsuit. Palamida’s services team is also called to do audits of code bases for internally built applications to ensure compliance with policy and security mandates but overall, once an organisation sees how valuable code auditing is to both the security and integrity of their code, they often integrate the solution directly.
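The two mechanisms the interview describes, a policy that third-party code lives in a designated sub-directory (which manual review still found being bypassed) and a build-time inventory of components by version and location that is later matched against newly reported vulnerabilities, can be sketched as a small scanner. This is an added illustration, not Palamida's code; the source tree, component names, licence headers and vulnerability feed are all constructed, and the header regex is a deliberately simple stand-in for real fingerprint-based detection.

```python
import re
from typing import Dict, List

# Constructed sample source tree (path -> contents); component names, versions
# and licence headers are hypothetical, not taken from any real project.
SAMPLE_TREE: Dict[str, str] = {
    "third_party/barzip/barzip.h":
        "/* barzip version 1.4.2 -- MIT License */",
    "src/core/parse.c":
        "/* fooparse version 2.1.0 */\n"
        "/* This program is free software; you can redistribute it and/or\n"
        "   modify it under the terms of the GNU General Public License */",
    "src/core/main.c": "int main(void) { return 0; }",
}

# Constructed vulnerability feed: versions below fixed_in are affected.
SAMPLE_FEED: List[dict] = [
    {"id": "VULN-EXAMPLE-1", "component": "fooparse", "fixed_in": "2.1.1"},
    {"id": "VULN-EXAMPLE-2", "component": "barzip", "fixed_in": "1.4.0"},
]

HEADER_RE = re.compile(r"\b(\w+) version (\d+(?:\.\d+)*)")
LICENSE_MARKERS = {"GNU General Public License": "GPL",
                   "Apache License": "Apache", "MIT License": "MIT"}

def scan_tree(tree: Dict[str, str], approved_dir: str = "third_party/") -> List[dict]:
    """Build the inventory: one entry per file carrying a third-party header."""
    inventory = []
    for path, text in tree.items():
        m = HEADER_RE.search(text)
        if not m:
            continue  # no recognisable component header in this file
        licence = next((tag for marker, tag in LICENSE_MARKERS.items()
                        if marker in text), "unknown")
        inventory.append({"component": m.group(1), "version": m.group(2),
                          "license": licence, "path": path,
                          "documented": path.startswith(approved_dir)})
    return inventory

def undocumented(inventory: List[dict]) -> List[dict]:
    """Entries found outside the designated third-party directory (policy violation)."""
    return [e for e in inventory if not e["documented"]]

def version_tuple(v: str):
    return tuple(int(x) for x in v.split("."))

def match_vulnerabilities(inventory: List[dict], feed: List[dict]) -> List[dict]:
    """Alerts for inventory entries whose version is older than the fixed version."""
    return [{"id": v["id"], "path": e["path"], "component": e["component"],
             "version": e["version"]}
            for e in inventory for v in feed
            if e["component"] == v["component"]
            and version_tuple(e["version"]) < version_tuple(v["fixed_in"])]
```

Re-running `match_vulnerabilities` against the stored inventory each time the feed changes is what turns a one-off audit into the post-deployment alerting the interview describes.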