Although many CIOs focus on license compliance when they discuss open source governance (and rightly so), experts...
say code vulnerability should also be a part of the discussion.
"There's a lot of open source out there in use," said Alex Fletcher, lead industry analyst at open source research firm Entiva Group Inc. in Silver Spring, Md. "The trend is finding out how secure the code is. It's out there. It's freely accessible. But how secure is it? How vulnerable? How well constructed and how well architected?"
Fletcher said open source governance is evolving very rapidly, but the adoption of top-down open source governance is very slow.
"Open source governance is on the table," Fletcher said. "Next up is, hey there it is. How secure is it? How do you determine the quality? Vulnerability scanning is really going to kick in. I don't see it from a trend perspective, but there is some movement there."
Tracking vulnerabilities in commercial software is a relatively simple task. Vendors typically offer support and distribute patches to their customers when they discover vulnerabilities. But open source code is the product of a very large community with no formal system for notification and patch distribution.
"The rate of change that's out there is one of the main barriers to adoption to open source," said James Dixon, chief technology officer at Pentaho Corp., an open source business intelligence company in Orlando, Fla. "The number of patch releases in all levels of the software stack is just an onslaught of patches. And picking and choosing which ones that are right to take is a difficult job because you don't want to make an assumption that you want all those patches all the time."
Dixon said dealing with open source code vulnerability manually is very ineffective. CIOs need to put a program in place and create policies.
Palamida Inc., a San Francisco-based vendor of software auditing technology, has added an open source code vulnerability assessment tool to its open source governance product. The company originally focused on helping independent software vendors and enterprises manage compliance with open source licensing.
"Licensed intellectual property management is important from a compliance perspective, but if I am a financial services firm I want to know, is there a piece of open source software running on my trading desk that I don't know about?" said Theresa Bui-Friday, vice president of business development at Palamida. "If so, I should be monitoring for patches for it. Most large organizations will have somewhere between 2,000 and 4,000 software developers working for you building proprietary software to run systems that are core to your company. For these enterprises, software applications are now a mix of components. It's no longer the days where guys sit down in a clean room environment and write their own code. They're getting components from a variety of sources, and in some cases we are using open source code."
Palamida's technology scans code, verifies its origin and compares it to a database of millions of components of software to provide known vulnerability and patching information about that code.
"Services like Palamida are useful to someone who is running a large data center because they would need to know a way of tracking all vulnerabilities applicable to the software running in their data center," said Vishwanath Venugopalan, enterprise software analyst at The 451 Group in New York. "Open source software is starting to be fairly widely used in infrastructure running in large data centers. To the extent that all the source code is publicly available, yes when there are vulnerabilities that are not patched they can pose a risk. Because they're publicly available, they can come to light faster and taken advantage of faster."
Michael Goulde, a senior analyst at Forrester Research Inc. in Cambridge, Mass., said there are a number of products that attack this problem. Palamida identifies the known vulnerabilities of the software you already have. Goulde said there are other tools, from vendors such as Coverity Inc. in San Francisco, that analyze code and try to ferret out potential vulnerabilities.
Goulde said vendors like Coverity appeal to software development organizations while governance tools like Palamida are about management. The value of the vulnerability assessment feature is tied to Palamida's overall ability to govern license compliance as well.
"It's all about risk management and risk mitigation," Goulde said.
Pentaho's Dixon said, "The Coverity products I've looked at, they attempt to exploit vulnerabilities in your system from the outside to make sure your application as a whole won't fail or surface its vulnerabilities. The Palamida approach is to find the defect in the Death Star by looking at the plans, rather than by throwing ships at it and attacking it at random points to find a vulnerability."
Let us know what you think about the story; email: Shamus McGillicuddy, News Writer