Palamida Launches Code Vulnerability Reporting Tool

Apr 28, 2007

The VRS package enhances CTOs' control over their companies' software by pinpointing known security risks in open-source code, Palamida says.

SAN FRANCISCO - Software intellectual-property management services provider Palamida on April 27 introduced a new service that works to identify vulnerabilities in an enterprise's open-source code.

The announcement was made at the annual Gartner Symposium/ITxpo: Emerging Trends at the Moscone Center here.

Palamida's Vulnerability Reporting Solution works as a plug-in to the company's code audit compliance solution, IP Amplifier, to "identify, prioritize and spotlight the location of known vulnerabilities" in open-source code, a Palamida spokesperson said.

Palamida's library contains more than 3 terabytes' worth of content, including 140,000 OSS projects, 780,000 versions, 7 billion source code snippets, 10 million Java namespaces, 500 million binary file IDs, and Java, C/C++, Perl, Python, PHP, C# and VB signatures, the spokesperson said.

The VRS uses data from the National Vulnerability Database, a comprehensive cyber-security database sponsored by the Department of Homeland Security and run by the National Institute of Standards and Technology and MITRE.

The National Vulnerability Database integrates all publicly available U.S. government vulnerability resources and provides references to industry resources for the purpose of assisting with remediation efforts. It currently contains over 23,700 known vulnerabilities, 89 US-CERT issued alerts and 1,900 US-CERT vulnerability notes, and has a publication rate of approximately 18 new vulnerabilities per day.

Readily available code resources, the increase of geographically distributed development teams and ever-increasing time-to-market pressures have resulted in the blending of homegrown, third-party and open-source components, the spokesperson said.

The sheer size of a code base coupled with the number of contributing developers makes it difficult for companies to get an accurate assessment of their software assets.

"Successful IT Governance requires risk mitigation at the code level. Customers should be utilizing vulnerability analysis solutions to identify and remediate application risks," Palamida CEO Mark Tolliver said. "The VRS works together with vulnerability analysis solutions to bridge the gap between proprietary code analysis and complete code analysis."

Most companies operate without any knowledge of exactly what their software is made of and whether or not it contains security risks. The root cause of many application security vulnerabilities resides in the code base - an area that traditional security software cannot protect, Tolliver said.

Existing vulnerability analysis solutions scan customers' proprietary code to identify potential vulnerability holes such as buffer overrides and network and intrusion detection gaps. They also highlight violations in secure coding practices.

The VRS, on the other hand, augments the IT governance process by scanning the customer's code base and pinpointing the existence of open-source content, highlighting any known vulnerabilities and delivering a prioritized report to assist with remediation efforts, the spokesperson said.

Michael Cote, an analyst with RedMonk, told eWEEK that the important thing in this release is that it builds on the code auditing that's already in the Palamida platform.

"It's true that there are a handful of vendors that work in the same space, but Palamida is approaching the sector in their own way technologically: building up the database of open-source projects, and then layering on more software auditing and 'health checks,' " Cote said.

"What I like about the code auditing and code-health approach that companies in this problem space do is that it lets developers work at the fast pace they'd like to without being slowed down by manual auditing processes," Cote said. "Adding in things like venerability checking adds more value to these platforms in that the platform is further automating previously manual processes."

San Francisco-based Palamida and Black Duck Software, headquartered in Waltham, Mass., are the primary companies working in this space today, although other entrants are likely to emerge, Forrester Senior Analyst Michael Goulde told eWEEK.

"Their products and services address two of the leading concerns many companies have about software in general, not just open-source software: security and intellectual property rights," Goulde said.

The two companies have taken somewhat different directions in terms of the markets they address and their go-to-market approaches, Goulde said.

"What they're doing is more than code searching," Goulde said. "They need to identify and flag specific issues by using a wealth of data they've collected from a variety of sources. It isn't good enough to know that a particular piece of code is being used, because in one context that can be perfectly OK and in another, there can be serious licensing or IP issues. So putting all the pieces together to present a complete picture is what both companies are trying to do for their customers."

Copyright 2007 by Ziff Davis Media, Distributed by United Press International

Explore further: Android gains in US, basic phones almost extinct

add to favorites email to friend print save as pdf

Related Stories

'Heartbleed' bug a critical Internet illness

Apr 11, 2014

The "Heartbleed" flaw in Internet security is as critical as the name implies and wider spread than first believed. Warnings about the danger exposed early this week reached widening circles on Thursday, with everyone from website o ...

Three things to do to protect from Heartbleed

Apr 11, 2014

The "Heartbleed" bug has caused anxiety for people and businesses. Now, it appears that the computer bug is affecting not just websites, but also networking equipment including routers, switches and firewalls.

Heartbleed bug find triggers OpenSSL security advisory

Apr 08, 2014

A flaw called Heartbleed in OpenSSL, which is a software library used for the protection and security of millions of websites, was uncovered by Neel Mehta of Google Security, who first reported it to the ...

Recommended for you

Android gains in US, basic phones almost extinct

Apr 18, 2014

The Google Android platform grabbed the majority of mobile phones in the US market in early 2014, as consumers all but abandoned non-smartphone handsets, a survey showed Friday.

Hackathon team's GoogolPlex gives Siri extra powers

Apr 17, 2014

(Phys.org) —Four freshmen at the University of Pennsylvania have taken Apple's personal assistant Siri to behave as a graduate-level executive assistant which, when asked, is capable of adjusting the temperature ...

Microsoft CEO is driving data-culture mindset

Apr 16, 2014

(Phys.org) —Microsoft's future strategy: is all about leveraging data, from different sources, coming together using one cohesive Microsoft architecture. Microsoft CEO Satya Nadella on Tuesday, both in ...

User comments : 0

More news stories

Airbnb rental site raises $450 mn

Online lodging listings website Airbnb inked a $450 million funding deal with investors led by TPG, a source close to the matter said Friday.

Health care site flagged in Heartbleed review

People with accounts on the enrollment website for President Barack Obama's signature health care law are being told to change their passwords following an administration-wide review of the government's vulnerability to the ...