Palamida Expands Detection Capability to Include 431 Open Source Security Alerts
Company Publishes Top 5 Most Overlooked Open Source Security Vulnerabilities for 2007
SAN FRANCISCO, CA - December 10, 2007 -
Palamida™, the leader in software risk management solutions for open source, today announced the expansion of its Vulnerability Reporting Solution detection capabilities to include 431 open source security alerts - 148 of which are considered to have High-Severity Common Vulnerability and Exposures (CVEs) ranging from cross-site scripting and buffer overflows, to SQL injections. In addition, the company has also published the Top 5 Most Overlooked Open Source Security Vulnerabilities found in enterprise audits during 2007 - derived from an analysis of over 300 million lines of code across multiple verticals that include financial services, technology and government.
The popularity of open source software has created an environment in which engineers often embed a wide range of open source and third party components inside enterprise applications outside of the normal software procurement process. This ad-hoc and often undocumented supply chain makes it difficult for application security teams to maintain an accurate code inventory that allows them to proactively monitor open source projects for applicable security alerts and patch updates.
"Open source is inherently no more risky than commercial software,” said Mark Tolliver, CEO of Palamida. “The majority of open source projects provide a patched version to any issue within hours of discovery. Users of open source, however, need a way to quickly and accurately verify what components they are using and associate them with known vulnerabilities so they can retrieve updated versions. Without a mechanism in place to perform this function, organizations put themselves at risk for introducing security vulnerabilities into their code base."
The vulnerability library, the cornerstone of the Palamida Vulnerability Reporting Solution (VRS), is a database that contains signatures enabling unique detection of almost 2 million open source files with reported vulnerabilities. The library contains 431 reported vulnerabilities associated with the most common open source projects Palamida finds embedded inside enterprise applications. The VRS is detection and reporting software that discovers and identifies all unknown open source code inside internally developed enterprise applications, providing an immediate report on their existing vulnerabilities.
The popularity of open source software has created an environment in which engineers often embed a wide range of open source and third party components inside enterprise applications outside of the normal software procurement process. This ad-hoc and often undocumented supply chain makes it difficult for application security teams to maintain an accurate code inventory that allows them to proactively monitor open source projects for applicable security alerts and patch updates.
"Open source is inherently no more risky than commercial software,” said Mark Tolliver, CEO of Palamida. “The majority of open source projects provide a patched version to any issue within hours of discovery. Users of open source, however, need a way to quickly and accurately verify what components they are using and associate them with known vulnerabilities so they can retrieve updated versions. Without a mechanism in place to perform this function, organizations put themselves at risk for introducing security vulnerabilities into their code base."
The vulnerability library, the cornerstone of the Palamida Vulnerability Reporting Solution (VRS), is a database that contains signatures enabling unique detection of almost 2 million open source files with reported vulnerabilities. The library contains 431 reported vulnerabilities associated with the most common open source projects Palamida finds embedded inside enterprise applications. The VRS is detection and reporting software that discovers and identifies all unknown open source code inside internally developed enterprise applications, providing an immediate report on their existing vulnerabilities.
It allows users to further develop their security policies for open source use such as:
- Identification of all open source in the code base;
- Pinpointing its exact location within the code base;
- Measuring third-party code dependence;
- And tracking associated vulnerabilities.
The end result is a complete blueprint of all open source used across the enterprise code base.
For year-end 2007, Palamida has listed the Top 5 Open Source Vulnerabilities encountered in its audit practice during 2007. The vulnerabilities are associated with the open source projects Apache Geronimo, JBoss Application Server, LibTiff, Net-SNMP and Zlib. For more information about these projects and for patch and updates, please visit www.palamida.com/blog.
