Palamida Moves Beyond IP, Emphasizes App Security
When Palamida was first founded in 2003, their business model seemed rather... familiar.
After all, it had only been a year since another IP license management service, Black Duck, had been created with the goal of helping companies identify open source software in a customer's organization and then provide resources to allow customers to manage the complexities of license management for open and proprietary licenses. At the time, I must admit, Palamida seemed like a bit of an also-ran.
Now, five years later, Palamida is still going strong... albeit under a cloud of increasing concern from the open source community.
The perception about Palamida, Black Duck, and now the community project FOSSology held by many in the community is that somehow these organizations cast a pall on open source software. By locating open source in their clients' IT infrastructure, they seem to be enabling the removal of such software.
This perception has been recently reinforced by McAfee's annual report, which warned investors that the presence of open source software in their products might be an unanticipated risk for the company. I personally have seen similar disclaimers in the early documents of a software firm prepping for its IPO. It seems that this meme of "open source might be a risk" is, unfortunately, catching on.
So it's easy to see why some might look at Palamida with a jaundiced eye. However, when I spoke with Palamida's CEO Mark Tolliver and VP/Marketing & Co-Founder Theresa Bui Friday late last week, they assured me that in fact the opposite was true: that locating open source was not about finding something that was taboo--it was about assisting clients in fully maximizing the open source they had.
I came to this briefing with more than a little skepticism; after all, intellectual property (IP) issues have existed for proprietary licenses for quite some time. How do you create a cottage industry solely for open source and then not have people wonder if there's something "wrong" with OSS?
As the Palamida execs described it, the problem is not that open source software is bad. In fact, it's the strength of open source, as well as its unique distribution method, that creates problems for companies.
In pre-OSS times, Friday explained, software procurement was often an arduous, bureaucratic process that usually took a long time and a lot of paperwork to deal with. In such instances, it was not hard to determine what software you had in your company. Just follow the procurement paper trail.
Today, developers and IT workers can surf the Web, find, and download any software they need. Often free, and often immediate. That's the beauty of OSS, but it often means that quite a bit of software can get into a company without going through the front door.
The other half of the "problem" with open source? It typically works too darn well. Often, workers will pull down some OSS code to handle a task, configure it, and set it running. Since most OSS code is highly robust, quite often you get into a situation of "set it and forget it," Friday said. Since it rarely crashes, people will literally forget the code is there.
(Insert snide remarks about forgetting about installed proprietary software here.)
You might think this is one of those problems that's nice to have, and it is, but only to a point. Even though OSS is typically very stable, it is not invulnerable. And it's those vulnerabilities that need patching or replacing from time to time. But if you have OSS and don't know it, you may, over time, be leaving your systems exposed to some nasty things.
This notion of protection from security vulnerabilities in "hidden" OSS code is a new emphasis of the Palamida message. They're still dealing with customers' IP issues, Tolliver explained, but now IP management is just one part of the bigger concern of managing OSS.
"It's been a while since it's just been about license detection," he added.
How bad is this vulnerability problem? To date, Tolliver told me, when Palamida goes through a line-by-line code examination of a client's software, "it's rare when we find less than 50 percent of the software is open source." Based on this experience, he added, "we are seeing a seismic shift in the use of open source."
A specific example was the prevalence of the Zlib compression library, which is very common in clients' software collections. More telling was the survey they did of the "hundreds of Zlib instances" Palamida found. It turns out that 70 percent of the Zlib installations Palamida found were below the version Zlib's own creators recommended as the most secure (Zlib 1.2.3). And that was a recommendation the Zlib team made in July, 2005.
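The kind of check Palamida's survey implies, as an added example that is not Palamida's tooling or code from this article: walk a source tree, pull the `ZLIB_VERSION` string out of every embedded `zlib.h`, and flag copies older than the 1.2.3 baseline the article cites. The `#define ZLIB_VERSION "x.y.z"` line is the real zlib header convention; the sample headers written into a temporary directory are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Baseline from the article: the version the zlib maintainers recommended in July 2005.
RECOMMENDED_ZLIB = (1, 2, 3)

# zlib.h carries a line such as:  #define ZLIB_VERSION "1.2.3"
_VERSION_RE = re.compile(r'#\s*define\s+ZLIB_VERSION\s+"([0-9]+(?:\.[0-9]+)*)"')


def parse_version(text):
    """'1.2.3' -> (1, 2, 3); tuples compare correctly, so 1.2.11 > 1.2.3."""
    return tuple(int(part) for part in text.split("."))


def zlib_version_from_header(header_text):
    """Return the ZLIB_VERSION tuple found in a zlib.h, or None if absent."""
    match = _VERSION_RE.search(header_text)
    return parse_version(match.group(1)) if match else None


def find_zlib_copies(root):
    """Inventory every zlib.h under root as (path, version) pairs."""
    found = []
    for path in Path(root).rglob("zlib.h"):
        version = zlib_version_from_header(path.read_text(errors="replace"))
        if version is not None:
            found.append((str(path), version))
    return found


def outdated(copies, baseline=RECOMMENDED_ZLIB):
    """Copies strictly older than the baseline: the ones needing a patch or replacement."""
    return [(path, version) for path, version in copies if version < baseline]


def demo():
    """Constructed tree with two vendored zlib copies; returns the number flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        old = Path(tmp, "third_party", "old_zlib")
        new = Path(tmp, "vendor", "zlib")
        old.mkdir(parents=True)
        new.mkdir(parents=True)
        (old / "zlib.h").write_text('#define ZLIB_VERSION "1.1.4"\n')  # constructed, pre-1.2.3
        (new / "zlib.h").write_text('#define ZLIB_VERSION "1.2.3"\n')  # constructed, at baseline
        flagged = outdated(find_zlib_copies(tmp))
        for path, version in flagged:
            print(f"{path}: zlib {'.'.join(map(str, version))} is below 1.2.3")
        return len(flagged)


if __name__ == "__main__":
    demo()
```

The same inventory pattern extends to any library whose version is stamped in a header or manifest; the point is knowing the copy exists before deciding whether it is a risk.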
From this perspective, Palamida makes a compelling case why their services are required. Still, I could not help but ask what Palamida thought about being a partner in McAfee's Security Innovation Alliance Program... especially given McAfee's public stance on open source in McAfee's domain.
Tolliver took the pragmatic tack: "If you know what [software] you have and you are taking a stance to deal with it, you are being prudent."
As for the latest entrant in the IP management field, the HP-led FOSSology project, Tolliver was more enthusiastic.
"We think it's great when a big vendor has jumped into your space," he told me. "It validates open source software and it validates our marketplace."