Targeting Open-Source Security Bugs
Seeking to spot potential security vulnerabilities in systems that increasingly rely on open source software, software license optimization vendor Flexera Software has acquired a specialist in identifying potentially vulnerable software components.
Flexera, Itasca, Ill., said Thursday (Oct. 27) it is acquiring San Francisco-based Palamida Inc. Terms of the transaction were not disclosed.
The deal represents an expansion of Flexera's software license compliance business model to include security monitoring in the "under-managed world" of open source software components.
As open source software works its way into nearly every aspect of enterprise IT platforms, security concerns grow with each new data breach. In announcing the deal for Palamida, Flexera executives cited the Heartbleed bug, a vulnerability in the widely used OpenSSL cryptographic library that came to light in 2014.
"Software developers didn't know enough about the open source components used in their own products to understand whether their software was vulnerable [to Heartbleed]—and their customers using that software didn't know either," asserted Flexera CEO Jim Ryan.
Open source advocates have acknowledged as much. In response to the Heartbleed bug, the Linux Foundation launched a secure coding effort last year called the Secure Infrastructure Initiative. Linus Torvalds, the father of the Linux kernel, acknowledged last year that most of the security issues related to open source development have been "completely stupid bugs that no one really would have thought of as having security issues."
"You're never going to get rid of bugs [and] security is never going to be perfect," Torvalds added. "Anybody who thinks that we will be entirely secure is just not being realistic. We will always have issues."
Open source advocates argue that mitigating bugs should involve multiple layers of security, so that a bug in one software component is caught by the next layer.
Flexera said Palamida's approach tracks open source and third-party code development projects to monitor for vulnerabilities as well as license compliance. The company said Palamida's "software composition analysis" tools would be folded into its existing software vulnerability database used primarily to detect open source security vulnerabilities.
"Organizations are only just now beginning to look more closely at the costs and risks of open source," Ryan added in a statement. The Palamida acquisition extends "our ability to help customers manage the compliance and security risk inherent in the under-managed, uncharted world of open source software components."
Flexera is betting that the ubiquity of open source software components in emerging applications such as the Internet of Things, along with a steady stream of high-profile data breaches—including last week's Mirai botnet distributed denial of service attack—will boost enterprise demand for risk management tools.
Flexera noted that software developers frequently do not track the open source components incorporated into their projects, or whether open source software complies with licensing terms. The deal for Palamida provides licensing compliance vendors with a new capability to monitor open source software for vulnerabilities that can be exploited by hackers.