The Devil In The Code: Vendors Vet For Open-Source Compliance

For Palamida, the risks of commingled code aren't purely theoretical. The company was born from the ashes of a disaster. Before launching Palamida, the company's founders worked together at Cacheon, a defunct dot-com that didn't survive the meltdown. On the verge of signing a major deal with IBM, Cacheon's management team discovered that an engineer had used open-source code covered by the GPL (GNU General Public License) for a core part of their product. While Cacheon scrambled to deal with the implications of the GPL, which requires that any derivative work it distributes be licensed under the GPL as well -- ruling out a proprietary product built on that code -- the deal stopped in its tracks -- and never restarted.

"The software supply chain has really changed, and companies need to be able to answer the question 'what's in my code?'" said Palamida CEO Mark Tolliver.

Palamida, based in San Francisco, offers an application called the IP Amplifier to help customers answer that question. It's the second entrant in a market pioneered by Black Duck Software, which began selling its competing protexIP platform two years ago. Both products use proprietary scanning algorithms and massive databases of open-source code to scan clients' code for open-source components. Both products are sold by subscription; Black Duck charges based on the size of the client's code base, while Palamida prices according to the number of developers the client has.
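The article describes both products only as "proprietary scanning algorithms" over "massive databases of open-source code". As an added illustration (not Palamida's or Black Duck's code, and not a description of their actual algorithms), here is a toy version of the snippet-fingerprint matching such scanners are generally built on: source is tokenized, identifiers and numbers are abstracted so that renaming a copied function does not hide it, overlapping k-grams of tokens are hashed, and the hashes are looked up in an index built from reference code whose license is known. The component names, licenses and source text below are constructed for the example and are hypothetical.

```python
"""Toy open-source snippet scanner: k-gram fingerprints over normalized tokens.
Added example; the components, licenses and code below are constructed."""
from __future__ import annotations

import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass

K = 6  # tokens per fingerprint; smaller K is more sensitive but noisier

# Constructed knowledge base: component -> (license, reference source). Hypothetical.
KNOWN_COMPONENTS = {
    "listutils (hypothetical)": ("GPL-2.0-only", """
        int sum_list(struct node *head) {
            int total = 0;            // accumulate
            for (struct node *cur = head; cur != NULL; cur = cur->next) {
                total += cur->value;
            }
            return total;
        }
    """),
    "tinyhash (hypothetical)": ("MIT", """
        unsigned long djb2(const char *s) {
            unsigned long h = 5381;
            while (*s) {
                h = ((h << 5) + h) + (unsigned char)*s++;
            }
            return h;
        }
    """),
}

# Constructed "client" code: a renamed copy of sum_list plus unrelated code.
CLIENT_SOURCE = """
    static int total_weight(struct item *list) {
        int weight = 0;   /* in-house inventory code, or is it? */
        for (struct item *it = list; it != NULL; it = it->next) {
            weight += it->value;
        }
        return weight;
    }
    int main(void) { struct item *inv = load_inventory(); report(total_weight(inv)); return 0; }
"""

KEYWORDS = {"int", "for", "while", "return", "struct", "if", "else", "char",
            "unsigned", "long", "const", "void", "NULL"}
TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|\S")


def strip_comments(src: str) -> str:
    src = re.sub(r"/\*.*?\*/", " ", src, flags=re.S)
    return re.sub(r"//[^\n]*", " ", src)


def normalize(src: str) -> list[str]:
    """Keep keywords and punctuation; map other identifiers to ID and numbers to NUM
    so that renamed variables or changed constants still match the reference."""
    out = []
    for tok in TOKEN_RE.findall(strip_comments(src)):
        if tok in KEYWORDS:
            out.append(tok)
        elif tok[0].isalpha() or tok[0] == "_":
            out.append("ID")
        elif tok.isdigit():
            out.append("NUM")
        else:
            out.append(tok)
    return out


def fingerprints(src: str) -> set[str]:
    """Hash every window of K normalized tokens (truncated SHA-1 is fine: no adversary here)."""
    toks = normalize(src)
    return {hashlib.sha1(" ".join(toks[i:i + K]).encode()).hexdigest()[:16]
            for i in range(len(toks) - K + 1)}


def build_index(components: dict) -> tuple[dict, dict]:
    index, sizes = defaultdict(set), {}
    for name, (_license, ref_src) in components.items():
        fps = fingerprints(ref_src)
        sizes[name] = len(fps)
        for fp in fps:
            index[fp].add(name)
    return index, sizes


@dataclass
class Match:
    component: str
    license: str
    coverage: float  # fraction of the component's fingerprints present in the scanned code


def scan(src: str, components: dict = KNOWN_COMPONENTS, min_coverage: float = 0.5) -> list[Match]:
    """Report components whose fingerprints cover at least min_coverage of the reference.
    The threshold suppresses incidental matches on common idioms (e.g. a shared '; } return x; }')."""
    index, sizes = build_index(components)
    hits = defaultdict(int)
    for fp in fingerprints(src):
        for name in index.get(fp, ()):
            hits[name] += 1
    results = [Match(name, components[name][0], round(n / sizes[name], 2))
               for name, n in hits.items() if n / sizes[name] >= min_coverage]
    return sorted(results, key=lambda m: -m.coverage)


def copyleft_findings(matches: list[Match]) -> list[Match]:
    """The matches a compliance reviewer must act on before shipping a proprietary build."""
    return [m for m in matches if m.license.startswith("GPL")]


if __name__ == "__main__":
    for m in scan(CLIENT_SOURCE):
        print(f"{m.component}: {m.license} (coverage {m.coverage:.0%})")
```

Real scanners add hashing of whole files and archives, far larger k-gram indexes and language-aware tokenizers, but the failure mode illustrated here is the same one that undid Cacheon: a function copied and renamed by one engineer still fingerprints as the GPL original.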

Systems integrator Navica, in San Carlos, Calif., began offering Black Duck's application to its clients last year. Navica founder Bernard Golden says it's a good fit for clients interested in using open-source software but intent on carefully monitoring their code base.


"Customers were saying 'We want to take advantage of open-source; can you help us make sure we have the right processes in place to be sure that intellectual property is being handled correctly?'" Golden said. When problems are found, outsourced or heterogeneous software development operations are often to blame. The more cooks involved in making the sauce, the harder it gets to enforce development guidelines -- and until recently, many companies didn't even have formal policies governing the use of open-source code. When Black Duck, based in Waltham, Mass., opened for business, its first customers were companies like Cacheon that had run headlong into problems, recalls founder and CEO Doug Levin. Now, he's seeing more companies that view proactive code vetting as a sound investment.

Navica's Golden compares an investment in Black Duck's software to car insurance. "Ninety percent of the time you say, 'Why am I wasting my money on this? And 10 percent of the time, you're really, really glad you have car insurance.'"

The problem is getting stickier as commingled code becomes pervasive in the industry. Microsoft, whose CEO Steve Ballmer famously likened GPL-licensed Linux to a cancer, is a Palamida customer. Sun's move this month (November 2006) to release Java under the GPL cast into the open-source world millions more lines of code that legions of Java developers will check out. Like antivirus vendors responding to a new outbreak, Palamida and Black Duck immediately began working on updates to encompass the Java code.

Each company is also expanding into related compliance niches. Black Duck recently introduced exportIP, a code-analyzing tool that automatically checks software for compliance with U.S. export regulations. Palamida just launched IP Authorizer, a workflow system for managing decisions and approvals for using third-party and open-source software components in the development process.

Palamida won't disclose the size of its customer base, but Black Duck has attracted 200 clients and investments from Intel Capital, Red Hat and SAP Ventures. Levin said demand is particularly strong for Black Duck's SMB-focused hosted service, which enables developers to essentially rent Black Duck's platform and check their code over the Web.

"The thing we're seeing these days is 'early and often,'" Levin said. "Companies are getting more and more involved in software compliance early in the process."
