Skip to main content

Palamida Launches Open Source Vulnerability Reporting Solution

Palamida announced that it has extended the reach of its extensive compliance library and launched a new service, the Vulnerability Reporting Solution (VRS). VRS works seamlessly with Palamida’s code audit compliance solution, IP Amplifier, to identify, prioritize, and report known vulnerabilities within open source code used in customers’ projects.

Access to readily available code resources, geographically distributed development teams, and increasing time-to-market pressures have given rise to the blending of homegrown, third-party and open source component. The sheer size of today’s typical software projects coupled with the number of contributing developers makes it difficult and time consuming for companies to get an accurate assessment of their software assets: What do they have? Where did it come from? What are its intellectual property and security risks?

Thorough risk mitigation calls for more than just firewalls and virus scanning, it requires code level protection against legal, financial and security risks – it requires solutions robust enough to identify software intellectual property challenges and known vulnerabilities in the code base.

Existing vulnerability analysis solutions scan customers’ proprietary code to identify potential vulnerability holes due to coding practices such as buffer overflow and similar problems. The VRS complements these tools to further enhance the IT Governance process by both pinpointing the use of open source content and reporting on known vulnerabilities based on aggregated information from many sources.

“Successful IT Governance requires risk mitigation at the code level,” said Mark Tolliver, CEO of Palamida. “By combining our scanning and detection technology with the excellent content available through repositories such as the National Vulnerability Database, we are able to bring a new level of transparency and confidence to enterprise use of open source software.”

The VRS is the perfect complement to vulnerability analysis implementations and further extends the breadth and depth of Palamida’s existing compliance library – the industry’s largest and most comprehensive database of its type.

“Due to the nature of our business, we are committed to both security and efficiency,” notes Stephen Chen, Managing Director of SEC Ventures. “Palamida’s Vulnerability Reporting Solution, delivers the depth and insight necessary for us to rectify any potential security issues, if found, in a quick and efficient manner.”

"As an open source technology with a huge user base, it's very important to us to spot any new security vulnerabilities immediately," said Ron Park, VP of Engineering at MuleSource. "Palamida's VRS enables our development team to track and remediate any open source vulnerabilities as they arise - giving us the ability to proactively address them, rather than react to them. Palamida's VRS provides us with a lot of value."

Composed of 3 Terabytes worth of content, Palamida’s library contains over 140,000 OSS projects, 780,000 versions, 7 billion source code snippets, 10 million Java namespaces, 500 million binary file IDs, and Java, C/C++, Perl, Python, PHP, C#, VB signatures among other components.

The VRS provides relevant and timely information on open source vulnerabilities by leveraging data from the National Vulnerability Database (NVD), a comprehensive cyber security database sponsored by the Department of Homeland Security, run by the National Institute of Standards and Technology, with Common Vulnerability and Exposure (CVE) data from The MITRE Corporation. The NVD integrates all publicly available US government vulnerability resources and provides references to industry resources for the purpose of assisting with remediation efforts. The NVD currently contains over 23,700 known vulnerabilities in total, 89 US-CERT issued alerts, and 1,900 US-CERT vulnerability notes. There are an average of 19 new CVEs added to the NVD each day.

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website building and web hosting when DHTML and frames were en vogue and started writing about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium. Following an eight-year stint at where he discovered the joys of global tech-fests, Désiré now heads up TechRadar Pro. Previously he was a freelance technology journalist at Incisive Media, Breakthrough Publishing and Vnunet, and Business Magazine. He also launched and hosted the first Tech Radio Show on Radio Plus.