January 25, 2008
Thoughts on FOSSology

By now you’ve probably seen HP’s FOSSology announcement. It’s an initiative that they say will “…facilitate the study of Free and Open Source Software by providing free data analysis tools”. It’s a welcome addition to the open source world, and is evidence of the growth of a robust ecosystem of tools and information. Open source is how software is done today.


December 7, 2007
The Top 5 Most Overlooked Open Source Vulnerabilities for 2007

For year-end 2007, we have compiled the Top 5 Most Overlooked Open Source Vulnerabilities encountered during 2007. We came up with this list after reviewing over 300 million lines of code and spending literally thousands of hours of analysis across a wide range of industries - including technology, financial services and government, among others.


June 12, 2007
Why Your Customers Care About Your Use of Open Source

Beginning in 2006, some customers of my previous company started inserting contract provisions requiring us to identify all open source software in use within the networking service we provided. As the VP of Engineering at the time, I told them that I stood behind the total service offering, regardless of which parts were open source, which were commercially licensed, and which were built by us, so they needn't be concerned about this. In each case they agreed and removed the provision. It is now clear to me that they should not have done so. Here's why.


May 3, 2007
The False Positives of Vulnerability

Jeff Jones writes an ongoing security blog for CSO Online. A recent post about scrubbing and verifying data from repositories such as National Vulnerability Database caught our attention. In it, he takes a look at how difficult it can be to collect information about security alerts for projects such as the Linux kernel, verify whether or not customers are actually using the impacted modules given the wide distribution packages of Linux, and the accuracy rates on vulnerability reporting.


March 3, 2006
Webcast - Informal Survey

Last week, our CTO Ray Waldin participated in a webinar with Rob Jenkins from CollabNet and Eddie Correia from SD Times. The topic was "Two Steps to Centralized, Secure, and Auditable Source Code."

As part of the webinar, we conducted an online survey. Here are some of the more interesting results. (We're not for a minute suggesting these are in any way statistically valid):

How do you manage the use of open source in your code base today?
a. We don't use open source code - 38%
b. I don't know - 4%


January 2, 2006
IP Ingredients

Twice today... Maybe my new year's resolution is working...

Just saw this blog entry from Dana Gardner, talking about IP ingredients. I have been wanting to say more on the subject, but I think that Dana described it better than I could. We made this announcement in December, and set up IPingredients.org at the same time. Our hope is that we can start a dialog on the point that transparency in software content is a good thing, whose time has come. Obviously we have a commercial interest, but the notion is broader than that. If you think this idea has merit, visit IPingredients, and let's discuss how to move forward.

