How big a problem is the use of plagiarized foreign code?
This is difficult to know. Apparently Gartner has estimated that by 2012 at least 80 percent of all commercial software products will include elements of open-source code. I'm not sure how you arrive at a figure like that, but I can see how trends in the industry make it easier to use plagiarized code inadvertently.
First of all, there is a lot of code floating around with no license attached at all, and people copy it freely. The absence of a license does not make it free to use, though: copyright applies by default, so "unlicensed" code is a legal grey area rather than a safe harbour. Secondly, we are now used to bolting in plug-ins, at least if we build much for the web, because a wealth of plug-ins is available in ecosystems such as WordPress, Joomla and Drupal. If you build on one of these platforms you have no idea whether the plug-ins you use contain copied code.
Thirdly, companies now outsource a good deal of coding (to India and other countries). When they do, they have minimal oversight of how the code is developed, so every now and then a stolen-code story emerges.
Finally, some programmers carry their own libraries from job to job and reuse them. Even if they wrote the code themselves, the IP and copyright ownership is murky: what a programmer wrote as an employee typically belongs to the employer, not the programmer.
What Does Protecode Do That’s Different?
The Protecode approach is nicely pragmatic. It really is a plug-in: currently for Eclipse, with .NET and other environments to follow if demand arises. Because it is a plug-in, you just install it and it starts doing its job, which is to:
- Detect all external code in real time, as it is introduced, and log it
- Identify ownership and licensing issues
- Apply whatever policies have been defined for handling introduced code
- Provide reports that itemize and summarize what was found
Protecode's business plan is to provide its product free to various open source efforts and to charge corporations a per-seat fee for it. It will be interesting to see how much success the company has.
So why would you choose Protecode rather than the alternatives? The major point of differentiation is that Protecode works in real time as part of the development process, applying policy at the point where programmers attempt to introduce code. It is proactive rather than reactive. One caveat worth keeping in mind: an IDE plug-in only sees code that enters through the IDE, so code pulled in by a build script or committed from another editor bypasses it, and a scan at commit or build time is still worth having as a backstop.
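The detect-identify-apply-log loop described above, reduced to a small script that could run as a git pre-commit hook. This is an added illustration written for this page, not Protecode's code, and it does not reproduce how Protecode identifies code: the policy table, the "known snippet" corpus and the sample files are all constructed for the example, and the fingerprinting scheme (SHA-256 over sliding windows of whitespace-stripped lines) is an assumption chosen for simplicity.

```python
"""
Introduction-time license policy check (added illustration; not Protecode's code).

For each file it answers the three questions the post attributes to the plug-in:
is there external code here, what license is it under, and what does policy say?
Two cheap detection signals are used:
  1. license markers in the text (SPDX tags, well-known license boilerplate);
  2. fingerprints of known third-party code: SHA-256 over sliding windows of
     normalized lines, so re-indented or re-commented copies still match.
The policy, the known-snippet corpus and the sample files are constructed.
"""
import hashlib
import re
from typing import Dict, List, Set, Tuple

WINDOW = 4  # lines per fingerprint window (assumed; smaller = more recall, more noise)

# Constructed policy: license id -> action.  Unlisted licenses fall back to "unknown".
POLICY: Dict[str, str] = {
    "MIT": "allow",
    "Apache-2.0": "allow",
    "GPL-2.0-only": "deny",
    "GPL-3.0-only": "deny",
    "unknown": "review",
}
SEVERITY = {"allow": 0, "review": 1, "deny": 2}

# (license id or "SPDX", regex).  The SPDX tag carries the license id in group 1.
LICENSE_MARKERS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("SPDX", re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")),
    ("GPL-2.0-only", re.compile(r"GNU General Public License.{0,200}?version 2", re.I | re.S)),
    ("GPL-3.0-only", re.compile(r"GNU General Public License.{0,200}?version 3", re.I | re.S)),
    ("Apache-2.0", re.compile(r"Licensed under the Apache License, Version 2\.0", re.I)),
    ("MIT", re.compile(r"Permission is hereby granted, free of charge", re.I)),
]

# Constructed "known code" corpus: (origin, license) -> source text.
KNOWN_SOURCES: Dict[Tuple[str, str], str] = {
    ("libexample/hexdump.c", "GPL-2.0-only"): r"""
static void hexdump(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        printf("%02x", buf[i]);
        if ((i + 1) % 16 == 0)
            putchar('\n');
    }
    putchar('\n');
}
""",
    ("tinyutil/clamp.js", "MIT"): r"""
function clamp(x, lo, hi) {
  if (x < lo) return lo;
  if (x > hi) return hi;
  return x;
}
""",
}


def normalize(line: str) -> str:
    """Drop line comments and all whitespace so formatting changes do not defeat matching."""
    line = re.sub(r"//.*$|#.*$", "", line)  # also drops #include lines; acceptable here
    return re.sub(r"\s+", "", line)


def fingerprints(text: str) -> Dict[str, int]:
    """Hash of each WINDOW-line run of normalized, non-empty lines -> line number where it starts."""
    lines = [(n, normalize(l)) for n, l in enumerate(text.splitlines(), 1)]
    lines = [(n, l) for n, l in lines if l]
    out: Dict[str, int] = {}
    for i in range(len(lines) - WINDOW + 1):
        chunk = "\n".join(l for _, l in lines[i:i + WINDOW])
        out.setdefault(hashlib.sha256(chunk.encode()).hexdigest()[:16], lines[i][0])
    return out


def build_index(known: Dict[Tuple[str, str], str]) -> Dict[str, Tuple[str, str]]:
    """Fingerprint hash -> (origin, license) for every known snippet."""
    return {h: key for key, src in known.items() for h in fingerprints(src)}


KNOWN_INDEX = build_index(KNOWN_SOURCES)


def check_file(path: str, text: str, policy=POLICY, index=KNOWN_INDEX) -> dict:
    """Detect license markers and copied known code in one file, then apply policy."""
    findings: List[dict] = []
    for lic, rx in LICENSE_MARKERS:                      # signal 1: declared licenses
        m = rx.search(text)
        if m:
            findings.append({"kind": "marker", "line": text[:m.start()].count("\n") + 1,
                             "license": m.group(1) if lic == "SPDX" else lic})
    seen: Set[str] = set()
    for h, line in fingerprints(text).items():           # signal 2: copied known code
        hit = index.get(h)
        if hit and hit[0] not in seen:
            seen.add(hit[0])
            findings.append({"kind": "fingerprint", "line": line, "source": hit[0], "license": hit[1]})
    licenses = {f["license"] for f in findings}
    actions = [policy.get(l, policy["unknown"]) for l in licenses]
    decision = max(actions, key=SEVERITY.__getitem__) if actions else "allow"
    return {"path": path, "findings": findings, "licenses": licenses, "decision": decision}


def run_check(files: Dict[str, str]) -> Tuple[Dict[str, dict], int]:
    """Check path -> contents; return results and the exit status a pre-commit hook would use (1 blocks)."""
    results = {p: check_file(p, t) for p, t in files.items()}
    return results, (1 if any(r["decision"] == "deny" for r in results.values()) else 0)


# Constructed sample files, as a developer might stage them.
SAMPLES: Dict[str, str] = {
    # re-indented copy of the GPL helper with no header: only the fingerprint catches it
    "src/dump.c": r"""
#include <stdio.h>
static void banner(void) { puts("dumper v1"); }
static void hexdump(const unsigned char *buf, size_t len)  // borrowed helper
{
	for (size_t i = 0; i < len; i++) {
		printf("%02x", buf[i]);
		if ((i + 1) % 16 == 0)
			putchar('\n');
	}
	putchar('\n');
}
""",
    "src/util.py": "# SPDX-License-Identifier: MIT\ndef add(a, b):\n    return a + b\n",
    # Apache-licensed file that also embeds the MIT clamp(): two licenses, both allowed
    "src/clamp.js": r"""
/*
 * Licensed under the Apache License, Version 2.0 (the "License");
 */
function clamp(x, lo, hi) {
  if (x < lo) return lo;
  if (x > hi) return hi;
  return x;
}
module.exports = { clamp };
""",
    # license the policy does not list: held for review rather than silently allowed
    "src/bsd.c": "/* SPDX-License-Identifier: BSD-3-Clause */\nint add(int a, int b) { return a + b; }\n",
}

if __name__ == "__main__":
    results, status = run_check(SAMPLES)
    for r in results.values():                           # the log the post says the plug-in keeps
        for f in r["findings"]:
            print(f"{r['path']}:{f['line']}: {f['kind']} {f['license']} {f.get('source', '')}".rstrip())
        print(f"{r['path']}: {r['decision']} ({', '.join(sorted(r['licenses'])) or 'nothing found'})")
    raise SystemExit(status)
```

Fed the paths from `git diff --cached --name-only` inside a pre-commit hook, a non-zero exit blocks the commit, which is the "apply policy at the point of introduction" behaviour the post is describing. The sample run shows why both signals are needed: `src/dump.c` has no license header at all and is caught only by the fingerprint, while `src/bsd.c` declares a license the policy has never heard of and is held for review instead of being waved through. The hash fingerprints survive re-indentation and comment changes but not identifier renaming, which is why real scanners match on tokens or structure rather than raw text, and any matcher is only as good as the corpus of known code behind it.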

Thanks so much for the mention in your blog. I'd like to provide some clarification though for your readers. Palamida's focus since late 2007 has been application security for open source code. While we do still detect possible IP violations, this falls under a much larger umbrella of application security: ensuring that developers, engineering and security teams can vet their code pre-deployment against business, legal and vulnerability risks. With the largest database of open source and third party components in the industry, including open source projects no longer in current use but still in existence within mission critical apps, Palamida helps eliminate undocumented code.
Last year, Palamida reviewed over 500 million lines of code, of which over 50% was undocumented within the organizations we assisted. Of THAT, a very significant percentage contained vulnerabilities.
In today’s security and compliance-centric climate, it’s important that organizations fold open source app sec into their processes.
[...] 7. Protecode: Protecode had a fairly obvious idea, but like a lot of good ideas, it’s obvious only in retrospect. The time to check whether you’re likely to violate a software license is when you’re including someone else’s code in code you’re writing - not after it’s written. You really don’t want to suddenly discover you need to rewrite bits of a program because you violated someone’s GPL. For more on this see Protecode: Keeping Your Nose Clean, Proactively [...]
[...] In the first situation the downloaded code will (or should) go through all the proper governance procedures, including quality control, eventually emerging with some IT Department "seal of approval". The main worry then is whether you have the legal right to use the code. There's no easy way to be sure of this without using an automated capability from one of the three vendors operating in this area: Black Duck, Protecode or Palamida. There are postings on Black Duck and Protecode. [...]