DATA SHEET
Palamida Compliance Edition The First Application Security Solution for Open Source
Palamida Compliance Edition At A Glance
• Targeted towards companies primarily concerned with managing open source license obligations, restrictions, and conflicts
• Includes comprehensive detection techniques to protect against IP violations due to false negatives
Palamida Compliance Edition is a complete end-to-end solution that identifies, assesses, and manages open source license and copyright obligations in order to secure the intellectual property inside custom-built applications. It is designed for companies whose primary concerns are managing open source license obligations, restrictions and conflicts.

Today’s software developers don’t need to reinvent the wheel. Often, innovation results from combining successful software projects with new components in creative ways. Leveraging open source code reduces costs, accelerates development cycles and enables innovation. In fast-paced development environments, however, assessing the risks of using third-party intellectual property is easily overlooked. By creating visibility into open source software use, Palamida Compliance Edition helps software engineering and legal teams manage that use effectively:
• Document Your Open Source Usage: Ensure rapid and accurate analysis of custom-built applications, provide an inventory of open source components and their location within your code base, and report on associated license and copyright information.
• Assess Your Exposure to Risk: Provide a reliable framework for IP stakeholders to receive IP alerts as they arise, assess violations against established policies, and document the decisions around remediation.
• Manage Compliance and Collaboration: Assist in establishing procedure, implementing license policy and enabling collaboration across organization stakeholders for approval of open source use prior to inclusion inside applications.

• Establishes a license policy and review process for open source before inclusion into the code base
• Tracks compliance with established policies via IP alerts to protect against unintentional IP infringement
• Creates an audit trail of decisions surrounding open source use
Document Your Open Source Usage

IP Detection Engine
Software developers have almost one million popular open source project versions (and counting) to choose from when building custom applications, an enormous benefit in terms of cost and time savings. However, most open source use remains undocumented, without a formal record of its existence within your mission critical applications and products. Identifying which components, versions and even partial components have actually been adopted, after the fact, is time consuming and difficult. Without this level of documentation, it is difficult for development and legal teams to fully assess the risk level of mission critical applications.
At-a-glance enterprise view of IP exposure
Palamida Compliance Edition is capable of scanning source files of all kinds: .c, .h, .cpp, .hpp, .cxx, .java, .js, .pl, .pm, .php, .py, and .vb. If source code is not available, the software can still detect licenses, Java namespaces, binary files, copyright text, and even plain text files as part of its identification of open source usage.
Palamida’s specialized IP detection engine leverages our patent-pending technology to detect the projects, versions and portions of component code that have been used. Detection capability spans binary files, source code, Java namespaces, copyright, license and user-specified search across multiple languages including Java, JavaScript, C#, C/C++, Perl, Python, PHP and Visual Basic. The ability to analyze binary files and archives means that the detection engines can find open source use even when source code is not available. Specialized engines for open source license and copyright detection help pinpoint issues specifically around intellectual property risk management. Applying a massive multi-pattern search technology to open source licenses, the software is able to identify license text and associate the corresponding product files with the matches. Copyright detection finds copyright notices in code files to enable quick identification of parts of the code base not owned by your company. It also enables users to sort and categorize your code base by unique copyright holders, something very difficult to do in manual analysis or using simple in-house tools.

The IP detection engine leverages the industry’s largest index of open source software identifiers and specialized databases to provide project detail, license, and copyright information. The index is continuously growing and currently includes signatures for:
• 884,000 versions of open source projects and associated licenses
• 8 billion source code fingerprints
• 500 million files
• 13 million Java namespace names

CodeRank™ is a patented system for classifying open source code snippet matches. By evaluating snippets on multiple levels – uniqueness, coverage, and clustering – CodeRank lists the most relevant matches first.
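The passage above describes three of the detection techniques in general terms: multi-pattern search for license text, extraction of copyright notices so that code not owned by your company can be grouped by holder, and mapping Java package names to projects. The following is an added illustration written for this page, not Palamida’s engine or any code from the product: the license phrases, the namespace index and the sample code base are all constructed for the example, and the scanner is a deliberately small stand-in that shows the shape of each technique over a handful of files.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Source extensions the data sheet lists for source-level scanning.
SOURCE_EXTENSIONS = {".c", ".h", ".cpp", ".hpp", ".cxx", ".java", ".js",
                     ".pl", ".pm", ".php", ".py", ".vb"}

# Distinctive phrases from well-known license texts (a hypothetical, tiny set).
# They are compiled into one alternation so every phrase is searched for in a
# single pass per file, a small stand-in for a multi-pattern license search.
LICENSE_PHRASES = {
    "APACHE_2": (r"Licensed under the Apache License,\s*Version 2\.0", "Apache-2.0"),
    "GPL_2": (r"GNU General Public License.{0,80}?version 2", "GPL-2.0"),
    "MIT": (r"Permission is hereby granted, free of charge", "MIT"),
    "BSD": (r"Redistribution and use in source and binary forms", "BSD"),
}
LICENSE_RE = re.compile(
    "|".join(f"(?P<{k}>{pat})" for k, (pat, _) in LICENSE_PHRASES.items()),
    re.IGNORECASE | re.DOTALL)
COPYRIGHT_RE = re.compile(
    r"Copyright\s+(?:\(c\)\s*|©\s*)?(?P<years>\d[\d,\s\-]*?)\s+(?P<holder>[^\n*/]+)",
    re.IGNORECASE)
JAVA_PACKAGE_RE = re.compile(r"^\s*package\s+([\w.]+)\s*;", re.MULTILINE)

# Constructed stand-in for a Java namespace index: package prefix -> project.
NAMESPACE_INDEX = {"com.example.net": "example-httpclient",
                   "org.example.io": "example-io"}

# Constructed sample code base (path -> contents); not real scan data.
SAMPLE_TREE = {
    "src/main/java/com/example/net/HttpClient.java":
        '/*\n * Copyright (c) 2006 Example Networks Inc.\n'
        ' * Licensed under the Apache License, Version 2.0 (the "License");\n */\n'
        'package com.example.net;\n\npublic class HttpClient {}\n',
    "lib/compress/inflate.c":
        '/* Copyright (C) 1995-2005 Zip Tools Project */\n#include "inflate.h"\n',
    "lib/gui/widget.cpp":
        "// Copyright 2004 Widget Foundation\n"
        "// This program is free software; you can redistribute it and/or modify\n"
        "// it under the terms of the GNU General Public License as published by\n"
        "// the Free Software Foundation; either version 2 of the License.\n",
    "tools/build.pl":
        "#!/usr/bin/perl\n# Copyright (c) 2007 Acme Corp.\n"
        "# Permission is hereby granted, free of charge, to any person obtaining a copy\n",
    "src/app/Main.java": "package com.acme.app;\npublic class Main {}\n",
    "README.txt": "Acme product README. No license text here.\n",
}


@dataclass
class FileRecord:
    path: str
    is_source: bool
    licenses: List[str] = field(default_factory=list)
    copyrights: List[Tuple[str, str]] = field(default_factory=list)  # (years, holder)
    java_package: Optional[str] = None


def scan_file(path: str, text: str) -> FileRecord:
    """Run license, copyright and Java namespace detection over one file."""
    name = path.rsplit("/", 1)[-1]
    ext = name[name.rfind("."):].lower() if "." in name else ""
    rec = FileRecord(path=path, is_source=ext in SOURCE_EXTENSIONS)
    rec.licenses = sorted({LICENSE_PHRASES[m.lastgroup][1] for m in LICENSE_RE.finditer(text)})
    rec.copyrights = [(m.group("years").strip(), m.group("holder").strip())
                      for m in COPYRIGHT_RE.finditer(text)]
    if ext == ".java":
        m = JAVA_PACKAGE_RE.search(text)
        rec.java_package = m.group(1) if m else None
    return rec


def scan_tree(tree: Dict[str, str]) -> List[FileRecord]:
    # Non-source files (README, text) are scanned too: license and copyright text can live there.
    return [scan_file(p, t) for p, t in sorted(tree.items())]


def inventory_by_holder(records: List[FileRecord]) -> Dict[str, List[str]]:
    """Group file paths by copyright holder so non-owned code stands out."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        for _, holder in r.copyrights:
            groups[holder].append(r.path)
    return dict(groups)


def third_party_paths(records: List[FileRecord], own_holders: Set[str]) -> List[str]:
    """Paths carrying a copyright notice from anyone other than our own company."""
    own = {h.lower() for h in own_holders}
    return sorted(r.path for r in records if any(h.lower() not in own for _, h in r.copyrights))


def identify_java_components(records: List[FileRecord], index=NAMESPACE_INDEX) -> Dict[str, str]:
    """Match each Java file's package against the index by longest known prefix."""
    found = {}
    for r in records:
        pkg = r.java_package
        while pkg:
            if pkg in index:
                found[r.path] = index[pkg]
                break
            pkg = pkg.rpartition(".")[0]
    return found
```

Running `scan_tree(SAMPLE_TREE)` on the constructed tree tags the Java client as Apache-2.0 code from Example Networks Inc. and resolves its package to the indexed project, flags the GPL-2.0 header in widget.cpp, and records the inflate.c copyright holder even though no license text is present, which is exactly the case where copyright detection rather than license matching reveals third-party code.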
IP Analyzer
The nature of code reuse in the open source development model makes accurate identification and the review of false positive matches tedious. Palamida’s technology includes multiple automated identification algorithms that enable users to see results ranging from detailed source code snippet analysis to reports at the component level. For example, Java™ Auto-inventory, based on a patent-pending Java analysis algorithm and a specialized database of 10 million Java namespace names, provides accurate, automated identification of Java projects and virtually eliminates the need for manual analysis of source code. Additional point detectors are specifically tuned for the highest levels of automated identification across all languages.
Automated license reports for fast identification of policy violations
Assess Your Exposure to Risk

Dashboard
Providing relevant information that is appropriate to individual stakeholders across a cross-functional team is challenging. Palamida turns data into actionable and measurable information with an alert-based reporting system that provides pertinent information based on each person’s functional role. The dashboard provides a centralized view of the documentation, assessment and monitoring of open source use. It provides IP alerts and allows users to drill down on details and assign issues for remediation. For executive managers, the dashboard provides the ability to track IP violations across the enterprise. Lawyers will see a summary of the inventory of open source components, compliance status, license information, product description, and copyright information to allow for quick remediation before problems arise. The detailed reports provided are also customizable. Since one size does not fit all, you can set up multiple, customized reports to tailor the information for specific roles in your organization. Reports can be easily and securely distributed to select people when you need to share data.
Manage Compliance and Collaboration

Policy Manager
Preventing undocumented code from entering a code base is more cost-effective than remediating the associated problems after application deployment. Palamida Compliance Edition allows managers to establish IP policies based on the business requirements of their organizations. The final inventory of open source software and associated IP intelligence can even be included as part of release readiness criteria before application deployment.

Policy Manager allows lawyers to put in place license policies that can be audited for compliance during the development process. Legal teams can set policies, such as blacklisting specific license types and versions, mandate conditions of use, and track acknowledgment of use conditions by engineering teams.

Using Policy Manager, engineering teams can shorten the software development lifecycle. They can easily determine which components are approved so that they use the correct versions in their work. When a new module is needed, the system triggers a request process to ensure that all the appropriate information regarding version, use, and license is included. The request is automatically compared to the company’s customized policy of approved and unapproved components, and even licenses, providing an instant approval or denial. For components not previously authorized, the request is forwarded to the appropriate managers for review. The request arrives with a rich set of information that allows managers to make proper legal decisions and enables them to compare the current request against past projects and existing IP policies. An approval or denial can be quickly issued, or the request can be sent back for more information. With visibility of all requests, managers can set the IP policy for each project, track all in-bound components and analyze compliance against existing policy.

With Policy Manager, lawyers make policy decisions that can persist across the organization or be specified as one-time use only. This “smart” functionality fuels efficiency gains over time as the number of policy rules expands, saving legal teams and managers valuable time in reviewing licenses and usage criteria that have been previously reviewed.
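The request workflow described above has a definite decision order: a blacklisted license is denied outright, a component and version already on the approved list is approved once any mandated conditions of use have been acknowledged, anything else is forwarded for review, and a manager’s ruling can be remembered so that an identical later request resolves automatically (or be marked one-time so it is not). The following is an added example written for this page that models that order; it is not Policy Manager’s code or data model, and the policy contents, component names and rule names are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Decision:
    status: str                      # "approved", "denied" or "review"
    reason: str
    conditions: List[str] = field(default_factory=list)
    persist: bool = True             # False = ruling applies to this one request only


@dataclass
class Request:
    component: str
    version: str
    license: str
    acknowledged: Set[str] = field(default_factory=set)  # use conditions engineering accepted


@dataclass
class Policy:
    """Hypothetical IP policy; field names are this example's, not the product's."""
    blacklisted_licenses: Set[str]
    conditional_licenses: Dict[str, List[str]]   # license -> mandated conditions of use
    approved_components: Dict[str, Set[str]]     # component -> approved versions ("*" = any)
    rulings: Dict[Tuple[str, str, str], Decision] = field(default_factory=dict)


def request_key(req: Request) -> Tuple[str, str, str]:
    return (req.component, req.version, req.license)


def evaluate(policy: Policy, req: Request) -> Decision:
    """Automatic first pass: deny on policy, approve on prior authorization,
    otherwise forward the request to a manager for review."""
    if req.license in policy.blacklisted_licenses:
        return Decision("denied", f"license {req.license} is blacklisted by policy")
    prior = policy.rulings.get(request_key(req))
    if prior is not None:
        return Decision(prior.status, "prior ruling reused: " + prior.reason, prior.conditions)
    conditions = policy.conditional_licenses.get(req.license, [])
    versions = policy.approved_components.get(req.component)
    if versions is None or not (req.version in versions or "*" in versions):
        return Decision("review", f"{req.component} {req.version} not pre-approved; "
                        "forwarded to manager", conditions)
    missing = [c for c in conditions if c not in req.acknowledged]
    if missing:
        return Decision("review", "conditions of use not acknowledged: " + "; ".join(missing),
                        conditions)
    return Decision("approved", f"{req.component} {req.version} under {req.license} "
                    "matches the approved list", conditions)


def record_ruling(policy: Policy, req: Request, decision: Decision) -> Decision:
    """Store a manager's ruling; persisted rulings auto-resolve identical future requests."""
    if decision.persist:
        policy.rulings[request_key(req)] = decision
    return decision


def sample_policy() -> Policy:
    # Constructed policy for the example; component and license choices are illustrative.
    return Policy(
        blacklisted_licenses={"GPL-3.0", "AGPL-3.0"},
        conditional_licenses={
            "Apache-2.0": ["include NOTICE file in the distribution"],
            "LGPL-2.1": ["dynamic linking only", "ship the LGPL notice"],
        },
        approved_components={"fastlog": {"*"}, "imglib": {"1.3", "1.4"}},
    )
```

Note that the blacklist check runs before the stored rulings are consulted, so a remembered approval can never override a later policy change that blacklists the license; a deliberate exception has to be granted as a one-time ruling, which is not stored and therefore does not silently become precedent.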
Adapts to Existing Processes and IT Environments
Palamida solutions are designed for integration with existing software development tools and processes. The Palamida API, based on the Groovy scripting language, facilitates the integration of Palamida Compliance Edition with other applications, including existing build environments such as IBM BuildForge, IBM ClearCase, Subversion, Borland Gauntlet, etc. Through such integration, incremental scans can be automatically triggered for specific builds, such as release candidates, ensuring that any new issues are found promptly and can be acted on appropriately.
Palamida Products Portfolio
In addition to the Enterprise Edition, Palamida also provides the Standard Edition and Compliance Edition. Standard Edition is designed for organizations whose primary concerns are managing vulnerability alerts and version updates. Compliance Edition is designed for organizations whose primary concerns are intellectual property issues regarding license compliance and conflicts.

Feature                          Enterprise Edition   Standard Edition   Compliance Edition
Vulnerability Detection Engine   •                    •
Vulnerability Analyzer           •                    •
IP Detection Engine              •                                       •
IP Analyzer                      •                                       •
Dashboard                        •                    •                  •
Policy Manager                   •                    •                  •
Integration Framework            •                    •                  •
Technical Specifications
Server Recommendations

Hardware
• 16 GB memory (32 GB recommended)
• 2.4 GHz or higher CPU
• 64-bit CPU (Intel/Opteron)
• 300 GB disk space

Operating Systems
• Windows XP (64-bit) SP2
• Windows Vista (64-bit)
• Fedora Core 7 (64-bit)
• Red Hat Enterprise 4 (64-bit)

Software
• Java JDK 1.5.0

215 Second Street, 1st Floor, San Francisco, CA 94105   P: 415.777.9400   F: 415.777.5800   www.palamida.com
About Palamida, Inc. Palamida is the industry’s first application security solution exclusively for Open Source Software that uses component-level analysis to quickly identify and track undocumented code and associated security vulnerabilities as well as intellectual property and compliance issues, enabling organizations to cost-effectively manage and secure mission critical applications and products.
© 2008 Palamida, Inc. All rights reserved. Palamida and the Palamida logo are trademarks of Palamida, Inc. All other trademarks and registered trademarks are the property of their respective holders.
Contact Us For more information on how Palamida can help your organization mitigate risk and meet both corporate standards and security and regulatory compliance, contact us at
[email protected] or (415) 777-9400 x 123.