New IP tracker can trace over a million open source components

Often, organizations don't really know how much open software is installed in their organizations, or what security and licensing problems might lurk within. The latest edition of Palamida's software addresses this looming issue.

At the Interop conference in New York City this week, Palamida Software is launching the latest edition of its product for locating open source code in organizations and identifying associated licensing issues and security vulnerabilities.

Palamida is also naming three companies -- Wyse Technology, Magnum Semiconductor, and Pentaho -- as among the list of 150 or so customers for its commercial software, said Theresa Bui Friday, Palamida's VP of product marketing and co-founder, in a briefing for BetaNews. "When we first got started in 2003, we developed software to help customers manage open source software and its IP implications."

In 2007, Palamida started adding information about security problems to its catalog of data about open source components and associated software licenses.

In one recent scenario, a customer had created an inventory of 300 open source components. After running Palamida Enterprise Edition, however, the organization identified an additional 550 open source components installed somewhere in house, Friday illustrated.

"So of the total of 850 components, there was no 'institutional memory' of 500 of them. Developers had brought them in at various points [in time], but the [current] CTO was unaware of them," she elaborated.

As an example of just one potential security bugaboo in open source software, Friday mentioned a flaw in early versions of liptiff LibTIFF, a widely used open source library of functions for manipulating TIFF (Tagged Image File Format) image format files.

In the latest release of its commercial software, being rolled out at Interop, Palamida has greatly expanded its catalog to cover 1.1 million open software projects, BetaNews was told.

Much of that growth happened through a recent agreement with the SourceForge open source software forge to mirror that site. "This gives us a more automated [data] collection harness. We also have spiders that crawl the smaller [software] forges, and we do manual [software] identification and [information] collection with some of our customers," the Palamida VP said.

Also new in the latest edition is electronic delivery of vulnerability updates, along with composition mark-up capabilities for tagging and tracking of individual open source files. Through composition mark-up, organizations can follow open software components over time to more easily determine who brought a component into an organization, how it's been used, and whether it's still even needed.

"Electronic delivery has brought a real sea change for us," Friday remarked. "Before, an organization would hook us up at build time, and we would report on any issues so you would be clean at the time of deployment. But we stopped there."

In the new edition, Palamida streams out new data about new vulnerability discoveries since the open source deployment, along with severity ratings and data about patches and other mediations.