Palamida provides products and services to address application security for Open Source Software (OSS) and enables users to take full advantage of the cost and development time benefits an OSS strategy can deliver.
In today’s software development environment, use of open source software has become pervasive, not just via the Linux operating system and well-known open source projects (SQL et al), but through the use of thousands of lesser-known components that are embedded in software projects. Through our work on the professional services side of our business, we have examined tens of thousands of software projects while helping customers with software acquisitions or internal compliance. During that work it is rare that we see newer applications that are less than fifty percent open source (measured by lines of code). The issue for firms is no longer “we’re using open source,” but rather “we know we’re using open source, we just don’t know what and where.”
For example, a recent well-known client asked for our help to verify the open source status of an upcoming release. They disclosed 335 open source components in use within their codebase and asked us to search for additional components. Our audit revealed a total of 838. So, in this case, the organization was unaware of almost sixty percent of the open source components within their application. This is typical. It is this “undocumented” (meaning unknown to you) use that has become the new gap in application security strategies.
The business issue is simply that you can’t manage and secure what you don’t know you have.
Open source software is, after all, just software. And software has vulnerabilities. So the first issue with undocumented software is that it may well contain known vulnerabilities. For example, in the spring of 2014, a vulnerability discovered in OpenSSL 1.0.1 (a cryptographic software library), known as Heartbleed (CVE-2014-0160), affected millions of applications, websites, servers, etc. by allowing remote attackers to access sensitive information, such as security keys/passwords stored in memory. A patch was available quickly, but if you were not aware that you were using a particular open source component, you did not upgrade to the secure version. Open source communities are very responsive to reports of vulnerabilities, and post fixes quickly. But the problem remains that you can’t fix what you don’t know you have.
A second issue is intellectual property infringement. Here the point is somewhat more subtle. Open source software is licensed under a variety of licenses, many of which are quite permissive. Others, however, are restrictive, with implications that could place your organization in breach of the license agreement, and therefore subject to a claim of copyright infringement. Use of open source software has real benefits in terms of reducing cost and development time, but a strategy based on open source brings with it new responsibilities to properly manage and secure its use and thereby avoid unexpected data breaches and legal issues.
How Palamida’s Solution Fits Into the Enterprise
Palamida’s solution is a software product that is aimed at these two problems. It assists organizations with the management of open source use in their mission-critical development. It is normally part of an initiative within the development organization comprised of policy, education, process and tools.
The Palamida Enterprise Edition has two major functions. The first is an authorization and audit trail function that allows software developers to make a request for use of open source components, and then applies predetermined policy to the request to allow it, deny it, or pass it on for further review. During this process, a record of the decision is created at whatever level of detail the organization decides is appropriate. If a request is passed on for further review, legal and/or security professionals can analyze the request and extend existing policy to cover this new case. The second function is compliance scanning, which automatically scans code under development and reports on the open source software that has been incorporated during development. Ideally this matches the authorized use, but the scanning function does not depend on prior knowledge and therefore serves as an external check on code content. If undocumented code is discovered, it can be submitted through the authorization process. To address the more immediate issue of vulnerability alerting, the system compiles an inventory of open source modules in use, and issues alerts when new vulnerabilities are reported against the components in use.
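The two functions just described, reconciling what developers declared against what a scan actually found and then checking the resulting inventory against known vulnerabilities, reduce to a small amount of logic once an inventory exists. The following is an added example written for this page, not Palamida's code: the component lists, the advisory record format and the version-comparison rule are constructed for illustration, and only the Heartbleed data (CVE-2014-0160, affecting OpenSSL 1.0.1 through 1.0.1f and fixed in 1.0.1g) is real.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One open source component found in, or declared for, a codebase."""
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    """A vulnerability report against a version range of one component.
    first_affected is inclusive; fixed_in is exclusive (that version is safe)."""
    cve: str
    component: str
    first_affected: str
    fixed_in: str


# OpenSSL-style versions: dotted numbers with an optional patch letter, e.g. 1.0.1f
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)$")


def version_key(version: str) -> tuple:
    """Turn '1.0.1f' into a sortable key: numeric fields (padded to 4) then the letter.
    Padding keeps '1.0.1' and '1.0.1f' comparable without a type error."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version format: {version!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    return (tuple(nums), m.group(2))


def is_affected(comp: Component, adv: Advisory) -> bool:
    """True when the component name matches and its version falls in the advisory range."""
    if comp.name.lower() != adv.component.lower():
        return False
    key = version_key(comp.version)
    return version_key(adv.first_affected) <= key < version_key(adv.fixed_in)


def undeclared_components(declared, scanned):
    """The external check: components the scan found that nobody had declared."""
    return sorted(set(scanned) - set(declared), key=lambda c: (c.name, c.version))


def vulnerability_alerts(inventory, advisories):
    """Map each vulnerable component in the inventory to the CVEs reported against it."""
    alerts = {}
    for comp in inventory:
        hits = [a.cve for a in advisories if is_affected(comp, a)]
        if hits:
            alerts[comp] = hits
    return alerts


# Constructed sample data: what developers declared versus what the scan found.
DECLARED = [Component("zlib", "1.2.8"), Component("libxml2", "2.9.1")]
SCANNED = DECLARED + [Component("OpenSSL", "1.0.1f"), Component("libpng", "1.6.10")]

# Constructed advisory feed holding the one real entry: Heartbleed.
ADVISORIES = [Advisory("CVE-2014-0160", "OpenSSL", "1.0.1", "1.0.1g")]


if __name__ == "__main__":
    for comp in undeclared_components(DECLARED, SCANNED):
        print(f"undeclared: {comp.name} {comp.version}")
    for comp, cves in vulnerability_alerts(SCANNED, ADVISORIES).items():
        print(f"ALERT: {comp.name} {comp.version} -> {', '.join(cves)}")
```

The point of running the alert check over the scanned inventory rather than the declared one is the one the text makes: the OpenSSL copy that triggers the Heartbleed alert here was never declared, so an inventory built only from developer requests would have missed it.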
Why Is this Approach Better Than What Exists Today?
Since the pervasive use of open source is a relatively new development for most organizations, their systems for management are typically informal. In many cases this consists of having developers send an email to a specific individual with the name of the open source component used. Such an informal approach was realistic when few if any open source components were included in development projects, but in today’s world this represents a substantial business risk. The Palamida Enterprise Edition is based on an extensive library of open source components, over six terabytes in size (uncompressed). This library is updated continuously and is used as the basis of a sophisticated matching algorithm which enables multiple types of detection techniques including source, binary, Java namespace, license, copyright and version. This range of techniques, backed by the extensive library, enables the Palamida Enterprise Edition to deliver accurate and detailed results that are simply not possible using string search or visual inspection.
Proprietary applications are a competitive advantage, and an open source strategy delivers both cost and time advantages to the development of these applications. However, the pervasive use of open source today requires additional diligence to ensure both the security and the legal status of the resulting applications. The Palamida Enterprise Edition is designed to serve as an essential part of the development process, enabling organizations to move forward with confidence with a productive open source strategy.