Open Solutions Alliance Takes Aim at IP Risk


Interoperability, intellectual property and
security are among the perceived barriers to adoption for open source software. With the help of one of its members, the Open Solutions Alliance is now aiming to solve all of those issues in one swoop.


As part of its requirement for membership in the OSA, which launched in February to promote and develop interoperable open source solutions, Palamida is now offering to scan the interoperability-related code of OSA members for potential intellectual
property (IP) and security issues. Members include Jaspersoft, Hyperic, EnterpriseDB, Spikesource, Adaptive Planning, OpenBravo, Groundwork, CentricCRM, SourceForge.net, Collabnet, Black Duck and Unisys.


Theresa Bui Friday, vice president and co-founder of Palamida, said that enterprise customers typically don’t have a way of
identifying all of the third-party products and open source software they have
in their codebase, which can lead to unpatched software. That’s where
Palamida’s solutions come in and identify what software is in use and what
vulnerabilities have been reported against that software.


“Enterprise customers no longer need to think about open source applications
as something different than any other kind of application they bring in,”
Bui Friday told internetnews.com. “An application is an application and it doesn’t matter if it’s open source or not.”

Palamida will use its IP Amplifier intellectual property analysis software and its Vulnerability Reporting Solution (VRS) to confirm whether member companies’ IP is clean and that security issues have been addressed.


IP Amplifier scans source code for source and licensing
requirements and can also be used to “code print” source code, so the
code can be identified if it shows up in another application.


Bui Friday explained that Palamida also provides an IP ingredients report as
part of IP Amplifier. It allows an OSA member company or its clients to see a list of open source components that are used in an application, as well as
the license information associated with the various components.


One thing IP Amplifier will not do, however, is identify any potential patent
risk associated with an OSA solution.


“We don’t work in patent risk,” Bui Friday admitted. “Frankly we don’t
recommend that is something you leave up to software to determine. Patent
issues are really best left up to lawyers that can make a legal
determination on patent scope.”


Palamida will also be helping to identify security risks within OSA
solutions. Palamida’s VRS solution scans code against a list of known
publicly reported vulnerabilities in order to determine if there are any
risks.


The Palamida solution doesn’t proactively discover or identify
any new vulnerabilities in the source, as it is not a code-vulnerability-scanning solution such as those from Coverity and others.


Palamida’s contribution to OSA may well help to accelerate
adoption and even make it easier for vendors and enterprises to indemnify
open source solutions. Bui Friday noted that when you go through the process
of identifying code sources and security risks, that provides transparency
which enables organizations to provide indemnification more clearly.


“The success criteria for us is aligned with OSA’s success criteria in that
you don’t blink as an enterprise in adopting open source apps, you review
them on the merits of what the application can do,” Bui Friday said.
“Palamida’s role is that if we can take away any of the questions or
hesitation then we consider that successful.”
