ISVs Aim To Cure Licensing Woes

compliance

But where problems crop up, ISVs charge in. A pair of software companies, Black Duck Software and Palamida, hope to alleviate compliance headaches with applications that automatically vet code for open-source contributions.

For Palamida, the risks of co-mingled code aren't purely theoretical. The company was born from the ashes of a disaster. Before launching Palamida, its founders worked together at Cacheon, a now defunct dot-com. On the verge of signing a major deal with IBM, Cacheon's management team discovered that an engineer had used open-source code covered by the GPL (GNU General Public License) for a core part of its product. While Cacheon scrambled to deal with the implications of the GPL, which forbids proprietary derivative works, the deal stopped in its tracks—and never restarted.

"The software supply chain has really changed, and companies need to be able to answer the question, 'What's in my code?' " said Palamida CEO Mark Tolliver. Palamida, San Francisco, offers an application called the IP Amplifier to help customers answer that question. It's the second entrant into a market pioneered by Black Duck Software, which began selling its competing protexIP platform two years ago. Both products use proprietary scanning algorithms and massive databases of open-source code to scan clients' code for open-source components. Both products are sold by subscription—Black Duck charges based on the size of the client's code base, while Palamida prices according to the number of developers the client has.

Systems integrator Navica, San Carlos, Calif., began offering Black Duck's application last year. It's a good fit for clients interested in using open-source software but who are intent on carefully monitoring their code base, said Navica founder Bernard Golden. "Customers were saying, 'We want to take advantage of open-source; can you help us make sure we have the right processes in place to be sure that intellectual property is being handled correctly?' "

When problems are found, outsourced or heterogeneous software development operations are often to blame. The more cooks involved in making the sauce, the harder it gets to enforce development guidelines—and until recently, many companies didn't have formal policies governing the use of open-source code. When Black Duck, Waltham, Mass., opened for business, its first customers were companies like Cacheon that had run headlong into problems, recalls founder and CEO Doug Levin. Now, he's seeing more companies that view proactive code vetting as a sound investment.

Navica's Golden compares an investment in Black Duck's software to car insurance. "Ninety percent of the time you say, 'Why am I wasting my money on this?' And 10 percent of the time, you're really, really glad you have car insurance."

The problem is getting stickier as co-mingled code becomes pervasive in the industry. Microsoft, which famously called the GPL a cancer on the software industry, is a Palamida customer. Sun's move this month to release Java under the GPL cast into the wild millions of lines of code that legions of Java developers will check out. Like security companies responding to a new virus outbreak, Palamida and Black Duck immediately began working on updates to encompass the Java code.

Each company also is expanding into related compliance niches. Black Duck recently introduced exportIP, a code-analyzing tool that automatically checks software for compliance with U.S. export regulations. Palamida just launched IP Authorizer, a workflow system for managing decisions and approvals for using third-party and open-source software components.

Palamida won't disclose the size of its customer base, but Black Duck has attracted 200 clients and investments from Intel Capital, Red Hat and SAP Ventures. Levin said demand is strong for Black Duck's SMB-focused hosted service, which enables developers to essentially rent Black Duck's platform and check their code over the Web.