RealTime IT News

Open Solutions Alliance Takes Aim at IP Risk

Interoperability, intellectual property and security are among the perceived barriers to adoption for open source software. With the help of one of its members, the Open Solutions Alliance is now aiming to solve all of those issues in one swoop.

As part of its requirement for membership to the OSA, which launched in February to promote and develop interoperable open source solutions, Palamida is now offering to scan the interoperability-related code of OSA members for potential intellectual property (IP) and security issues. Members include Jaspersoft, Hyperic, EntepriseDB, Spikesource, Adaptive Planning, OpenBravo, Groundwork, CentricCRM, SourceForge.net, Collabnet, Black Duck and Unisys.

Theresa Bui Friday, vice president and co-founder of Palamida, said that enterprise customers typically don't have a way of identifying all of the third-party products and open source software they have in their codebase, which can lead to unpatched software. That's where Palamida's solutions come in and identify what software is in use and what vulnerabilities have been reported against that software.

"Enterprise customers no longer need to think about open source applications as something different than any other kind of application they bring in," Bui Friday told internetnews.com. "An application is an application and it doesn't matter if it's open source or not."

Palamida will use its IP Amplifier intellectual property analysis software and its Vulnerability Reporting Solution (VRS) to confirm whether member companies' IP is clean and that security issues have been addressed.

IP Amplifier scans source code for source and licensing requirements and can also be used to "code print" source code, so the code can be identified if it shows up in another application.

Bui Friday explained that Palamida also provides an IP ingredients report as part of IP Amplifier. It allows an OSA member company or its clients to see a list of open source components that are used in an application, as well as the license information associated with the various components.

One thing IP Amplifier will not do, however, is identify any potential patent risk associated with an OSA solution.

"We don't work in patent risk," Bui Friday admitted. "Frankly we don't recommend that is something you leave up to software to determine. Patent issues are really best left up to lawyers that can make a legal determination on patent scope."

Palamida will also be helping to identify security risks within OSA solutions. Palamida's VRS solution scans code against a list of known publicly reported vulnerabilities in order to determine if there are any risks.

The Palamida solution doesn't proactively discover or identify any new vulnerabilities in the source, as it is not a code-vulnerability-scanning solution such as those from Coverity and others.

Palamida's contribution to OSA may well help to accelerate adoption and even make is easier for vendors and enterprise to indemnify open source solutions. Bui Friday noted that when you go through the process of identifying code sources and security risks, that provides transparency which enables organizations to provide indemnification more clearly.

"The success criteria for us is aligned with OSA's success criteria in that you don't blink as an enterprise in adopting open source apps, you review them on the merits of what the application can do," Bui Friday said. "Palamida's role is that if we can take away any of the questions or hesitation than we consider that successful."