The Devil In The Code: Vendors Vet For Open-Source Compliance

But where problems crop up, ISVs charge in. A pair of software companies, Black Duck Software and Palamida, aim to alleviate compliance headaches with applications that automatically vet code for open-source contributions.

For Palamida, the risks of commingled code aren't purely theoretical. The San Francisco-based company was born from the ashes of a disaster: Its founders had worked together at Cacheon, a now-defunct dot-com. On the verge of signing a major deal with IBM, Cacheon's management team discovered that an engineer had used open-source code covered by the GNU General Public License (GPL) for a core part of their product. While Cacheon scrambled to deal with the implications of the GPL, which forbids proprietary derivative works, the deal stopped in its tracks and never restarted.

"The software supply chain has really changed, and companies need to be able to answer the question, 'What's in my code?' " Palamida CEO Mark Tolliver said.

Palamida's IP Amplifier application is designed to help customers answer that question. It's the second entrant in a market pioneered by Black Duck Software, which began selling its protexIP platform two years ago. Both products use proprietary scanning algorithms and massive databases of open-source code to scan customers' code for open-source components. The products are sold by subscription: Black Duck charges based on the size of the client's code base, and Palamida prices according to the number of developers the client has.
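
The paragraph above only says that these products match customer code against a database of open-source code. The following is an added example, written for this article and not code from Black Duck, Palamida, or any product named here, of the simplest form that such matching can take: source is normalized into tokens, every run of K tokens is hashed, and the hashes are looked up in an index built from a reference corpus whose entries carry a license. The reference snippets, the customer file, and the file names are all constructed for the example; the matching scheme is an assumption about how a scanner of this kind could work, not a description of either vendor's algorithm.

```python
"""
Toy open-source provenance scanner (added example; assumes a plain k-gram
hash index, not any vendor's proprietary algorithm).

Question answered: which known open-source snippets appear in a customer's
source file, and under what license?
"""
import hashlib
import re
from collections import defaultdict

K = 8  # tokens per k-gram; a larger K means fewer accidental matches

# C keywords are kept as-is; every other identifier becomes "ID" and every
# number becomes "NUM", so renaming variables does not defeat the match.
KEYWORDS = {"int", "char", "long", "unsigned", "const", "void", "return",
            "if", "else", "while", "for", "static", "size_t"}
TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|\S")
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

# Constructed reference corpus: (license, source). Names are placeholders.
REFERENCE_DB = {
    "libfoo/hash.c": ("GPL-2.0", """
unsigned long hash_djb2(const char *s) {
    unsigned long h = 5381;
    int c;
    while ((c = *s++))
        h = ((h << 5) + h) + c;   /* h * 33 + c */
    return h;
}
"""),
    "tinyutil/clamp.c": ("MIT", """
int clamp(int v, int lo, int hi) {
    if (v < lo) return lo;
    if (v > hi) return hi;
    return v;
}
"""),
}

# Constructed "customer" file: a renamed copy of the GPL hash function plus
# some original code of the customer's own.
CUSTOMER_SRC = """
/* customer's src/util.c, constructed for the example */
#include <stddef.h>

static unsigned long checksum(const char *key) {
    unsigned long acc = 5381;
    int ch;
    while ((ch = *key++))
        acc = ((acc << 5) + acc) + ch;
    return acc;
}

int lookup(const char *key) {
    return (int)(checksum(key) % 1024);
}
"""


def normalize(src):
    """Strip comments, split into tokens, canonicalize identifiers and literals."""
    tokens = []
    for tok in TOKEN_RE.findall(COMMENT_RE.sub(" ", src)):
        if tok in KEYWORDS:
            tokens.append(tok)
        elif tok[0].isdigit():
            tokens.append("NUM")
        elif tok[0].isalpha() or tok[0] == "_":
            tokens.append("ID")
        else:
            tokens.append(tok)  # operators and punctuation stay literal
    return tokens


def kgram_hashes(tokens, k=K):
    """Hash every window of k consecutive normalized tokens."""
    return {hashlib.sha256(" ".join(tokens[i:i + k]).encode()).hexdigest()
            for i in range(len(tokens) - k + 1)}


def build_index(reference_db):
    """Map k-gram hash -> names of reference snippets containing it."""
    index, sizes = defaultdict(set), {}
    for name, (_license, src) in reference_db.items():
        hashes = kgram_hashes(normalize(src))
        sizes[name] = len(hashes)
        for h in hashes:
            index[h].add(name)
    return index, sizes


def scan(src, reference_db, threshold=0.8):
    """Return {reference: {"license", "shared", "flagged"}} for src.

    "shared" is the fraction of the reference's k-grams found in src;
    a reference is flagged when that fraction reaches the threshold."""
    index, sizes = build_index(reference_db)
    hits = defaultdict(int)
    for h in kgram_hashes(normalize(src)):
        for name in index.get(h, ()):
            hits[name] += 1
    report = {}
    for name, (license_id, _src) in reference_db.items():
        shared = hits[name] / sizes[name] if sizes[name] else 0.0
        report[name] = {"license": license_id, "shared": shared,
                        "flagged": shared >= threshold}
    return report


if __name__ == "__main__":
    for name, result in scan(CUSTOMER_SRC, REFERENCE_DB).items():
        print(f"{name:20s} {result['license']:8s} "
              f"shared={result['shared']:.2f} flagged={result['flagged']}")
```

Run as a script it reports the renamed djb2 copy as a full match against the GPL-2.0 reference and no match against the MIT snippet. Because identifiers and numbers are canonicalized, renaming variables or reformatting the copied function does not change its k-gram hashes; a real scanner faces far larger corpora and therefore samples the k-gram hashes (winnowing is the standard technique) rather than indexing every one, and it has to resolve which of several overlapping references actually explains a match before the license question can be answered.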

San Carlos, Calif.-based systems integrator Navica began offering Black Duck's application to its customers last year. Navica founder Bernard Golden said the product is a good fit for clients who are interested in using open-source software but intent on carefully monitoring their code base.

"Customers were saying, 'We want to take advantage of open source. Can you help us make sure we have the right processes in place to be sure that intellectual property is being handled correctly?' " Golden said.

When problems are found, outsourced or heterogeneous software development operations are often to blame. The more cooks involved in making the sauce, the harder it gets to enforce development guidelines. And until recently, many companies didn't even have formal policies governing the use of open-source code.

When Waltham, Mass.-based Black Duck opened for business, its first customers were companies like Cacheon that had run into problems, said Black Duck founder and CEO Doug Levin. Now he's seeing more companies that view proactive code vetting as a sound investment.

Navica's Golden compares an investment in Black Duck's software to car insurance. "Ninety percent of the time you say, 'Why am I wasting my money on this?' And 10 percent of the time, you're really, really glad you have car insurance."

The problem, though, is getting stickier as commingled code becomes pervasive in the industry. Microsoft, which famously called the GPL a cancer on the software industry, is a Palamida customer. Sun's move this month to release Java under the GPL cast into the open-source world millions more lines of code that legions of Java developers will check out. Like security companies responding to a new virus outbreak, Palamida and Black Duck immediately began working on updates to encompass the Java code.

Each company, too, is expanding into related compliance niches. Black Duck recently introduced exportIP, a code-analyzing tool that automatically checks software for compliance with U.S. export regulations. Palamida just launched IP Authorizer, a workflow system for managing decisions and approvals for using third-party and open-source software components in the development process.

Palamida won't disclose the size of its customer base, but Black Duck has attracted 200 customers plus investments from Intel Capital, Red Hat and SAP Ventures. Levin said demand is particularly strong for Black Duck's SMB-focused hosted service, which enables developers to essentially rent Black Duck's platform and check their code over the Web.

"The thing we're seeing these days is 'early and often,' " Levin said. "Companies are getting more and more involved in software compliance early in the process."