Intellectual-Property Threats Open The Market For Detection Software

Now that the threat of being sued for improper use of open-source code has been unleashed, a market is developing for automated tools that detect the presence of open-source within larger application development environments. Palamida Inc. Monday stepped into this nascent market with IP Amplifier 3.0, essentially a search tool and a database that consists of more than 38 million of the most commonly used open-source files.

The SCO Group, through its landmark lawsuit against IBM, gets much of the credit for stirring up demand for automated tools that compare intellectual property against open-source source code. Companies use these tools to audit and catalog applications prior to major transactions, such as a product purchase or the acquisition of a software vendor. Such tools become increasingly important to companies that outsource their application development to developers working in component-based, object-oriented environments, says Palamida co-founder Theresa Bui Friday. "You've got developers working around the world who are making business and legal decisions you should be aware of," she says.

IP Amplifier's Detector search tool checks binary, source, and other file types, including images, icons, text documents, or XML, within a user's development environment against IP Amplifier's Compliance Library, a database hosted at the user's site. By the end of the year, Palamida will add a feature to IP Amplifier that provides its customers with live updates to their Compliance Libraries, much the way antivirus software vendors provide updates to their customers. IP Amplifier produces the results of its searches in XML format so that these results can be reported using standard reporting tools, such as Crystal Reports from Business Objects SA.

Palamida on Monday also announced the appointment of a former Sun Microsystems executive to head the company. Mark Tolliver, who most recently served as Sun's chief marketing and strategy officer, takes the helm of Palamida as its president and CEO. Tolliver was with Sun for 10 years, previously serving as president and general manager of iPlanet, a division of Sun focused on Internet infrastructure software.

Palamida's product serves much the same purpose as software introduced over the past year by Black Duck Software Inc. Black Duck most recently in March introduced a hosted version of its protexIP software, designed to help companies identify open-source code being used in their IT environments and ensure that code is being used properly.

Friday, along with Jeff Luszcz, and Ray Waldin, founded Palamida in 2003 with funding from Hummer Winblad Venture Partners, WaldenVC, and Stanford University. Palamida in December closed a $5 million round of Series A funding.

Friday and her colleagues learned the hard way of the need for open-source auditing tools and applied that lesson in creating Palamida. A few years ago, they were in the process of launching Cacheon Inc., a startup that made an application for automating software platform migrations, such as from one middleware platform to another, when trouble struck. Shortly before signing a licensing deal with IBM, Cacheon discovered that one of its developers had used open-source code governed by the General Public License to write the product's source-code analysis feature. The presence of GPL-protected code within Cacheon's proprietary product complicated the relationship with IBM, and the deal fell through.

The pressure to meet product-development deadlines affects all software developers, who try to mitigate this pressure by using pre-packaged code whenever possible. Free open-source source software is a way to create shortcuts without necessarily requiring management signoff. "We understand that the reality of software today is that it's assembled," Friday says. "We had 20 developers (working for Cacheon), and they were on six development cycles."

The presence of open-source code is causing concern among business executives, says Mark Radcliffe, a partner and co-chair of the Technology Transfer Group of law firm DLA Piper Rudnick Gray Cary USA LLP. "Almost anything you acquire these days has software in it," says Radcliffe, who also serves pro bono as general counsel to the Open Source Initiative, a nonprofit corporation that manages the open-source trademark. "It's not infrequent that people tell us they're not using open source, and that winds up not being the case."

Companies in violation of open-source licenses can be subject to penalties, as Fortinet U.K. Ltd. learned in mid-April when a Munich district court banned the U.K. subsidiary of Fortinet Inc. from further distribution of their firewall and antivirus products until they complied with GPL conditions, which they did later in the month. The case came to the court's attention when a GPL watchdog group known as the GPL-violations.org project accused the company of using GPL-governed software in certain products and then using cryptographic techniques to conceal its open-source software usage.

Now that a market for open-source detection software is opening up, potential users should examine carefully how these products work before choosing the right one for their business. For example, it's important to know whether these products examine both binary and source code, Radcliffe says. Companies also should consider how comprehensive the Black Duck and Palamida back-end databases are and how often their search tools produce false-negative results, he adds.

Palamida charges $50,000 to $250,000 for an annual subscription to IP Amplifier. Cost depends upon the size of the customer's development environment. Black Duck charges an annual fee starting at $25,000 for its protexIP/development product. The company also offers a hosted version of its product, called protexIP/OnDemand. ProtexIP/OnDemand users essentially rent 90-day sessions during which one user can scan up to 10 Mbytes of code against a hosted database for a $3,000 fee. OnDemand's cost and size scale up to $25,000 for 100 Mbytes of code.