
Feeling Vulnerable?

Palamida has released its list of the top five most overlooked open source vulnerabilities.

Often, developers embed popular open source code while developing applications, and that code never passes through the normal software procurement process. Businesses and users need to take great care to stay current with the latest patches in order to reduce uncertainty and protect their software from attack.

Open source code is "not any more vulnerable than commercial software" and in some cases, less so, said Palamida CEO Mark Tolliver. Open source projects tend to acknowledge their vulnerabilities and fix them promptly, he added.

Managing Risk

Palamida recently announced an important new focus area - security. Most corporations use open source software, and Palamida helps its clients determine whether they are in compliance with open source licenses. Now, Palamida also determines whether its customers are exposed to over 400 open source security issues, 148 of which are classified as high-severity Common Vulnerabilities and Exposures (CVEs). These range from cross-site scripting and buffer overflows to SQL injection. As Mark Tolliver, CEO of Palamida, put it, "Open source is inherently no more risky than commercial software. The majority of open source projects provide a patched version to any issue within hours of discovery. Users of open source, however, need a way to quickly and accurately verify what components they are using and associate them with known vulnerabilities so they can retrieve updated versions. Without a mechanism in place to perform this function, organizations put themselves at risk for introducing security vulnerabilities into their code base." Here's a link to Palamida's press release on the subject.

Standards Procedure

The final release of the open source GPL version 3 license is about to go live, and Palamida CEO Mark Tolliver has been very popular with reporters who are trying to gauge the impact of the shift.

"GPL 3 will certainly force awareness of licensing issues to grow; tools like ours or others that can detect and report on licenses and incompatibilities will be a standard part of people's IP use and software development environment," Tolliver said.

"To operate without that in this world of increasingly complex licensing will be more difficult and more risky."

The Source

Palamida announced today that it has increased the size of its compliance library even further. This library now includes:
  • Over 780,000 open source project versions
  • 140,000 unique open source projects
  • 10 million Java names
  • Over 392 million open source files
  • Nearly 7 billion source code snippets
  • Over 390 million binary files
Do you know what's in your code? Maybe it's time to talk to Palamida.

Palamida Emerges from the Pack

The Silicon Valley/San Jose Business Journal named Palamida as an Emerging Technology Award Finalist.

"We are excited to recognize the achievements of these emerging companies in technology-rich Silicon Valley," said Vintage Foster, publisher of the Silicon Valley/San Jose Business Journal. "The companies we are celebrating have pioneered technologies with the potential to profoundly impact people and their businesses."

Palamida Is in Good Company

Yesterday, Palamida's Mark Tolliver was on stage with Microsoft's Steve Ballmer and Novell's Ray Lane to announce Microsoft's pact with Novell to support broad collaboration on Windows and Linux interoperability and support. Here's an excerpt from an article in eWeek:

Mark Tolliver, chief executive of San Francisco-based Palamida, who was on hand at the news event to support Microsoft's play, said, "I think this just raises the idea that people who use software need to be informed customers."

Tolliver likened the situation to that of the world of processed foods, where consumers can find out the nutritional makeup of the goods they purchase. The same should be true for software, he said. And Palamida's software enables enterprises to gain visibility into their software code bases and find out whether there is open-source code present and which licenses apply.

Tolliver said the Microsoft deal with Novell makes plain that more enterprises will need to take stock of what exactly is in their code, and opens opportunity for companies like Palamida.

"We're moving into a zone in the software world driven by this mixed open-source/proprietary-source community, and with commercial software having to intermingle with this huge amount of open-source software," Tolliver said.

He said Palamida was invited to the announcement by Microsoft, which "has been one of our customers for some time," and that Microsoft asked Palamida to sit in as a domain expert. "Our role was to be on hand as a firm who spends all day everyday on intellectual property and license compliance issues."

Here's a description of the day's events from Palamida's blog.

Do No Evil

Palamida helps companies answer the question, "What's in your code?" Sometimes, the answer is just plain funny. This comes from the Recent Finds section of Palamida's Web site ...

Over the course of auditing hundreds of projects in our M&A service work, we have seen it all. We keep mental track of some of our favorite finds. And at the top of the list is always the blessing that comes with the SQLite database engine. SQLite is a C library that implements an embeddable, zero-config SQL database engine. The source code for SQLite contains no license because it is public domain code. Instead of a license, the source code offers a blessing:

May you do good and not evil
May you find forgiveness for yourself and forgive others
May you share freely, never taking more than you give

It's not every day that your source code both provides functionality and words to live by.

Open Season on Open Source Apps

The Picky VC takes on open source applications. Once again, he lets the chips fall where they may ...

At the risk of incurring the [wrath of] those who have already placed bets on the near-term success of open source enterprise apps, I'd like to point out a few structural impediments to near-term mass adoption of these "products." Oops, did I upset the open source purists by calling them products instead of "projects?" Well, I hope they are products, since the CIO does not want to buy your cool work in progress.

No Fish Story

Red Herring offers some insight into Palamida's recent funding announcement.

Analysts are optimistic about the potential market for open source licensing and compliance management software. Dana Gardner, a principal analyst with Interarbor Solutions, said the market could reach “dozens of millions just in the short term.”

Mr. Gardner said that the risk associated with just “one or two big lawsuits” justified the investments in managing software properly.

Palamida Closes New Round

Palamida just announced that it has closed a new round.

Palamida, a provider of software intellectual property (IP) management and compliance products and services, today announced that it has raised $8 million in its second round of venture capital financing. The Series B funding, which was led by Mitsui & Co. Venture Partners, includes Series A investors Hummer Winblad Venture Partners and WaldenVC.

"The international reach and reputation that Mitsui & Co. Venture Partners brings to Palamida will be invaluable as we expand worldwide, and we are very pleased that they are joining our existing investors," said Mark Tolliver, Palamida CEO. "The world of software development has changed, and today's software projects contain contributions from many sources, including open source. This 'mixed code' model demands increased attention to issues of intellectual property integrity, security and governance, and has created an exciting opportunity to help our customers ensure that their software assets are visible, traceable and manageable."

What's in Your IP?

Yesterday, Palamida listed the IP used in IP Amplifier 3.2 and launched IPIngredients.org, a Web site that includes other open source projects and applications that publish their IP components. Industry observers applauded the move.

Dana Gardner, principal analyst at research firm Interarbor Solutions, said the effort by Palamida is a good idea and is a bit surprised something like this wasn't brought up sooner. Knowing what's inside the code is a smart idea, he said, whether you're an ISV, hosting organization or an enterprise. "It makes so much sense based on liability, exposure to lawsuits, copyright issues, where you can go in terms of indemnifying your own customers," he said. "It's something of a coming-of-age issue with open source software in general and really across all software."

So Sue Me

Lloyd's of London is offering an open source insurance policy. Just one more data point illustrating that the market that Palamida is attacking is large and growing.

Palamida Lands Cisco

Palamida announced a major new customer today - none other than Cisco Systems.

Software as a Service

I have been watching software pricing models struggle from my time on the Oracle pricing committee in the late '80s, to being a CEO with a subscription model in 2000, to being a VC looking for SaaS investments today. I think this is both a very promising area for investment and also an area that requires careful selection.

1. The vast majority of enterprise software does not lend itself to SaaS pricing. I wish it did, but it doesn't. My thought is that the only time you are likely to succeed with a use-based model is when the vendor is continuously delivering new value and service beyond the traditional software upgrades. Many enterprise apps categories don't really do this. Companies buy an app, customize it to their unique needs, and try not to change it. This applies in general to Supply Chain (too much custom integration here to use a vanilla app) and ERP (also the need for secrecy and security favors a behind-the-firewall model). Why has CRM succeeded for SalesForce? Because the best practices sales process is very similar across many companies AND the hosted architecture is a natural for geographically distributed sales teams. I have bought SalesForce for 3 companies now and barely had to modify it ... perfect for SaaS. Other software types which do not favor SaaS are all forms of middleware or many infrastructure products like Network Mgmt.

2. The cheapest alternative for the customer is often a license. When selling subscription software, I have often been told by CIOs that "we can start off on a subscription, but if this thing really takes off, I will need to bring it in-house." This is due to both security issues as well as a realization that if the CIO can lock in a price one time, he will likely pay less in the long run. Hell, this is the way CIOs have been buying software for the last 20 years, so don't expect them to easily accept a perpetual stream of payments forever - especially when many subscriptions are set to one third of typical perpetual license prices. That math is pretty easy. CIOs often say that they simply need to have perfect cost visibility over time. While I understand all the arguments against this view, most still feel uncomfortable signing up to big annual subscription payments that will inevitably lapse and set up a renewal renegotiation wherein the vendor has too much leverage.

3. All this will change, but slowly. I have been looking for investments in SaaS over the last 3 years and have seen a few areas that truly do favor a subscription model. I have seen a few lead management companies like Blue Roads in San Mateo that offer a hosted system to track and distribute leads to partners. The hosted service is a perfect architecture for this problem, since the IT group really doesn't want 10,000 partner sales reps all tunneling through their firewall to get to their internal CRM system. There is high value in Blue Roads running this system 24 x 7, and for it, one pays a subscription fee. Similar stories apply to hosted PLM companies that allow design partners or supply chain partners to collaborate on products or bills of material. Our newest investment for WaldenVC is a company called Palamida. Every night, the Palamida system spiders the Internet to find more new software components, many of them open source. It then allows software developers to identify what components they have in their own code bases and what licenses might apply. As we all know, the dirty little secret of enterprise software is that no one really knows exactly what is in a large code base. Now there is a way to find out. Like an anti-virus system, the value of Palamida is only realized with a continuous process to audit code and look for newly added components. Thus, the system is purchased as a subscription just like anti-virus. Again, the architecture fits the SaaS model ...

I hope I see more markets start to accept SaaS, but progress will be slow, since many companies own their software outright and have fear about cost visibility or value. Look for SaaS to take off where it makes sense and in new areas where old investments are not still being depreciated.