Palamida Analyzes Open Source Code for Hidden Vulnerabilities
Highlights vulnerabilities in open-source code; new version adds larger knowledge base, proactive alerts
Open source code is popular among developers because of its low cost, wide availability, and active support forums. What developers may fail to recognize is that such code may be open to security vulnerabilities. Worse, enterprises may not even know their code contains open source components, assuming the code is even documented (oftentimes it’s not), adding to the risks. To mitigate those risks, Palamida, Inc. recently updated its Palamida Enterprise Edition to version 3.0, which it will release at the end of this month.
“It’s this lack of knowledge that can be so dangerous,” Mark Tolliver, Palamida’s CEO, told Enterprise Strategies recently. “One of our clients thought that in their project (which contained over 60 million lines of code) they had about 300 open source components. In fact, after our program analyzed their code, they discovered the number was 850. Furthermore, they learned that somewhere between 60 and 65 percent of the code in their application derived from open source, a figure that was higher than expected.”
Wyse Technology put Palamida to the test with the Wyse Linux V6 code base (Wyse Linux V6 is the company’s own private Linux distribution which they developed for their thin clients), according to Anthony Armenta, vice president of engineering at the company.
“There are close to 200 open source components from which we built Wyse Linux V6. Because we built [it] from scratch, we had a pretty good idea how many components were in the build,” Armenta told Enterprise Strategies via e-mail. The company chose an earlier version of Palamida to keep track of the origination and licensing terms behind each open source component.
“This was quite revealing; we ended up learning a lot about the variety of licenses under which open source is distributed, and how better to comply with those licenses, while protecting the IP [intellectual property] that Wyse creates. We have changed some coding practices to better protect our IP while respecting and complying with open source community obligations.”
As a result, Armenta continues, “The Palamida tool has already become part of our software lifecycle management process.” He expects that the company will be able to use the new security and vulnerability features, “which are critical as we develop our next generation of Linux-based thin clients (Wyse Enhanced SUSE Linux Enterprise) in partnership with Novell.”
In addition to the vulnerability status reports and IP compliance reports offered in earlier editions, version 3.0 of the application security tool offers online alerts about vulnerability updates (via e-mail alerts in what the company calls “near time”), including updates from the National Vulnerability Database, as well as a vastly expanded Data Library. “We updated the library from 3.1 terabytes of known problems to 6 terabytes. That covers over 1.1 million open source versions that we can identify, including project information.” Tolliver adds that the company lists over 29,000 vulnerabilities in its database and 13 million Java namespace names.
Version 3 also adds a “composition markup” feature that lets developers “annotate and tag all files and directories -- from open source, proprietary, third-party commercial, and outsourced developers -- creating a permanent record of software composition and minimizing the security gap arising from undocumented code.”
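The mechanism the two preceding paragraphs describe (recognize files from a library of known open source releases, record each file’s origin, and cross that record with a vulnerability feed) can be illustrated with a small inventory script. The following is an added example written for this article, not Palamida’s code or a description of its Data Library format: it uses plain SHA-256 content hashes as a simplified stand-in for the tool’s file matching, and every component name, version, file and advisory in it is constructed for the example. It also shows how such a record surfaces the situation Magnum Semiconductor describes below, where several copies of the same component sit in different parts of a tree.

```python
"""Minimal software-composition inventory: fingerprint files, match them against
a library of known open-source files, tag the rest as unidentified, and cross the
result with a vulnerability feed.  Hypothetical stand-in for what an SCA tool does;
all components, versions, paths and advisories below are constructed."""
import hashlib
from collections import defaultdict

def fingerprint(data: bytes) -> str:
    """Content hash used to recognise a file regardless of its path or name."""
    return hashlib.sha256(data).hexdigest()

# Constructed "reference library": file contents of known open-source releases.
REFERENCE_FILES = {
    ("zlibish", "1.2.3"): b"zlibish inflate routine v1.2.3\n",
    ("zlibish", "1.2.8"): b"zlibish inflate routine v1.2.8\n",
    ("tinyxmlish", "2.5.0"): b"tinyxmlish parser v2.5.0\n",
}

# Constructed vulnerability feed: component -> versions known to be affected.
ADVISORIES = {
    "zlibish": {"1.2.3"},
}

def build_library(reference_files):
    """Map each known file hash to (component, version)."""
    return {fingerprint(data): ident for ident, data in reference_files.items()}

def compose(tree, library):
    """Return one composition record per file in the project tree.

    tree: {path: file bytes}.  Files whose hash is in the library are tagged
    'open-source' with their component and version; everything else is
    'unidentified' and needs manual tagging (proprietary, outsourced, ...)."""
    records = []
    for path, data in sorted(tree.items()):
        h = fingerprint(data)
        if h in library:
            component, version = library[h]
            records.append({"path": path, "sha256": h, "origin": "open-source",
                            "component": component, "version": version})
        else:
            records.append({"path": path, "sha256": h, "origin": "unidentified",
                            "component": None, "version": None})
    return records

def duplicate_copies(records):
    """Components present in more than one directory; maps component -> sorted
    list of directories, so a stale second copy buried in legacy code shows up."""
    dirs = defaultdict(set)
    for r in records:
        if r["component"]:
            dirs[r["component"]].add(r["path"].rsplit("/", 1)[0])
    return {c: sorted(d) for c, d in dirs.items() if len(d) > 1}

def vulnerable_files(records, advisories):
    """Paths whose identified component/version appears in the advisory feed."""
    return sorted(r["path"] for r in records
                  if r["component"] and r["version"] in advisories.get(r["component"], set()))

# Constructed project tree: a vendored copy, a stale duplicate in legacy code,
# an up-to-date copy of the same component, and one in-house file.
PROJECT_TREE = {
    "third_party/zlibish/inflate.c": REFERENCE_FILES[("zlibish", "1.2.3")],
    "legacy/compress/inflate.c": REFERENCE_FILES[("zlibish", "1.2.3")],
    "tools/pack/inflate.c": REFERENCE_FILES[("zlibish", "1.2.8")],
    "third_party/tinyxmlish/parser.cpp": REFERENCE_FILES[("tinyxmlish", "2.5.0")],
    "src/app/main.c": b"int main(void) { return 0; }\n",
}

def run_inventory(tree=PROJECT_TREE, reference_files=REFERENCE_FILES, advisories=ADVISORIES):
    """Build the composition record and derive the two reports from it."""
    library = build_library(reference_files)
    records = compose(tree, library)
    return {
        "records": records,
        "open_source_files": sum(r["origin"] == "open-source" for r in records),
        "duplicates": duplicate_copies(records),
        "vulnerable": vulnerable_files(records, advisories),
    }

if __name__ == "__main__":
    result = run_inventory()
    for r in result["records"]:
        print(f'{r["path"]:40} {r["origin"]:12} {r["component"] or "-"} {r["version"] or ""}')
    print("duplicate component copies:", result["duplicates"])
    print("files with known vulnerabilities:", result["vulnerable"])
```

Two points the sample run makes that the prose only asserts: the composition record is what makes the advisory cross-check possible at all (the unidentified file cannot be matched against anything), and the same vulnerable file content is flagged in both directories even though only one of them was deliberately vendored.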
John Wunder, director of engineering at Magnum Semiconductor, told Enterprise Strategies via e-mail that his firm used Palamida to analyze over 35GB worth of data. “We thought we had four separate packages in the build but discovered two sets with vulnerabilities. No vulnerability, no scan result obviously. They each had their own individual vulnerabilities that needed [remediation].
“We just didn’t know there were three packages of the same code base,” Wunder says. “Because of the development cycle, this is legacy and it is deep in the code base. We only found out about it because the Palamida product could scan binaries.” Otherwise, he says, “we couldn’t protect our customers and ourselves from potential vulnerabilities that could have extremely serious consequences. We are able to have a management response function that allows us to protect ourselves from future legal action. How can we respond if we can’t find it? That’s what Palamida allows us to do.”
More information is available at http://www.palamida.com.
About the Author
James E. Powell is the former editorial director of Enterprise Strategies (esj.com).