DATA SHEET
Palamida Enterprise Edition
The First Application Security Solution for Open Source
Palamida Enterprise Edition At A Glance
Targeted towards organizations concerned with managing both the vulnerabilities and the IP issues that can arise from using undocumented open source.
• Facilitates sharing of relevant data across teams: engineering, security, legal and management
• Includes comprehensive detection techniques to protect against security vulnerabilities and IP violations due to false negatives
• Sends vulnerability and IP alerts to the appropriate stakeholders for remediation
• Provides a centralized dashboard for a 360° view of risks that could impact mission critical applications
• Establishes a registry of authorized open source components, licenses and secure versions for standardized use across the organization
Palamida Enterprise Edition is an end-to-end solution that identifies, assesses, and manages open source vulnerabilities, compliance issues, and license concerns within custom-built software applications. By creating visibility into software content, Palamida Enterprise Edition helps engineering, security, and legal teams manage and secure their use of open source software:
• Document Your Open Source Usage: Ensure rapid and accurate analysis of custom-built applications, provide an inventory of open source components and their location within your code base, and report on associated vulnerabilities, license and copyright information.
• Assess Your Exposure to Risk: Provide a reliable framework for security and IP stakeholders to receive alerts of issues as they arise, assess violations against established policies, and document the decisions around remediation.
• Manage Compliance and Collaboration: Assist in establishing procedures, implementing policy and enabling collaboration for approval and/or registry of open source use prior to inclusion within applications.
Document Your Open Source Usage

Vulnerability and IP Detection Engines
Software developers have almost one million popular open source project versions (and counting) to choose from when building custom applications, an enormous benefit in terms of cost and time savings. However, most open source use remains undocumented – without a formal record of its existence within your mission critical applications and products. Identifying which components, versions and even partial components have actually been adopted, after the fact, is time consuming and difficult. Without this level of documentation, it is difficult for development, security, and legal teams to fully assess the risk level of mission critical applications.

Palamida’s specialized vulnerability and IP detection engines leverage patent-pending technology to detect the components, versions and even partial component code that have been used. Detection capability spans binary files, source code, Java namespaces, copyright, license and user-specified search terms across multiple languages including Java, JavaScript, C#, C/C++, Perl, Python, PHP and Visual Basic. The ability to analyze binary files and archives means that the detection engines can find open source use even when source code is not available – something not possible with manual analysis or simple in-house tools.

The vulnerability engine leverages data derived from multiple sources, including the National Vulnerability Database sponsored by the Department of Homeland Security, to identify and report on vulnerable versions of components found in your code base. Users receive an open source inventory, descriptions of projects, and the relevant Common Vulnerability Enumerations and severity. In addition, the software pinpoints the exact location of the open source inside the code base for remediation.

Figure: Concise reporting on known vulnerabilities for all detected open source

The vulnerability and IP detection engines leverage the industry’s largest index of open source components. The index is continuously growing and currently includes:
• 884,000 versions of open source projects and associated licenses
• 8 billion source code fingerprints
• 500 million binary files
• 13 million Java namespace names
• Over 4,500 popular open source project versions and associated vulnerability alerts

Vulnerability and IP Analyzers
The nature of code reuse in the open source development model makes accurate identification and the review of false positive matches tedious. Palamida’s technology includes identification algorithms that provide automated analysis ranging from source code snippet matches to component and version level usage. Java™ Auto-inventory, based on a patent-pending Java analysis algorithm and a specialized database of millions of Java namespace names, provides accurate, automated identification of Java projects – virtually eliminating the need for manual analysis of source code. Additional detectors are specifically tuned for the highest levels of automated identification across all languages.
Assess Your Exposure to Risk

Dashboard
Providing relevant information appropriate to individual stakeholders across a cross-functional team is challenging. Palamida Enterprise Edition turns data into actionable and measurable information with an alert-based reporting system that provides pertinent information based on each person’s functional role. The dashboard provides a centralized view of the documentation, assessment and monitoring of open source use. It provides vulnerability and IP alerts, and allows users to drill down on details and assign issues for remediation. For executive managers, the dashboard provides the ability to track security and IP violations across the enterprise.

For security teams, Palamida reports on known vulnerabilities for detected open source components. With one click, you will know exactly where vulnerabilities may impact deployed applications. This level of detail allows you to focus on remediation with precision and speed. At the same time, legal stakeholders see a summary of the inventory of open source components, compliance status, and license and copyright information, to address intellectual property problems before they arise. Since one size does not fit all, you can customize reports to tailor information for specific roles in your organization. Reports can be easily and securely distributed to select people when you need to share data.

Palamida Enterprise Edition is capable of scanning source files of all kinds: .c, .h, .cpp, .hpp, .cxx, .java, .js, .pl, .pm, .php, .py, and .vb. If source code is not available, the software can detect licenses, Java namespaces, binary files, copyright text, and even text files as part of its identification of open source usage.

CodeRank™ is a patented system for classifying open source code snippet matches. By evaluating snippets on multiple levels – uniqueness, coverage, and clustering – CodeRank lists the most relevant matches first.

Figure: At-a-glance view of enterprise vulnerability and IP exposure

Manage Compliance and Collaboration

Policy Manager
Preventing undocumented code from entering a code base is more cost-effective than remediating the associated problems after application deployment. Palamida Enterprise Edition allows managers to establish both security and IP policies based on the business requirements of their organizations. The final inventory of open source software and the associated vulnerability and IP intelligence can be included as part of the release readiness criteria before application deployment. Legal and security teams can create open source policies, and compliance can be checked during the development process. Lawyers can set license policies, such as blacklisting specific license types and versions, while security managers can set usage policies, such as whitelisting specific open source component versions that have been reviewed and approved.

Engineering teams can shorten development time by ensuring compliance with established policy early in the process. They can easily determine which components are approved so that they use the correct versions in their work, reducing rework from late detection. When a new module is needed, the system triggers a request process to ensure that all the appropriate information regarding version, use, license, and vulnerabilities is documented.

Adapts to Existing Processes and IT Environments
The software is designed for integration with existing development tools and processes. The Palamida API, based on the Groovy scripting language, facilitates the integration of Palamida Enterprise Edition with other applications, including existing build environments such as IBM BuildForge, IBM ClearCase, Subversion, Borland Gauntlet, etc. Through such integration, incremental scans can be automatically triggered for specific builds, ensuring that any new issues are found promptly and can be acted on appropriately.

Key Benefits:
• Make open source use decisions a visible, documented part of the development process
• Provide an audit trail regarding open source use
• Enable “conditions of use” as part of open source security and IP policy rules
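The policy mechanisms the Policy Manager section describes (a license blacklist set by legal, a whitelist of reviewed component versions set by security, and a release-readiness gate over the scan inventory) as an added illustration in Python; this is hypothetical code written for this page, not Palamida’s product or its Groovy API, and the component names and the CVE identifier in the sample inventory are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One detected open source component from a scan inventory."""
    name: str
    version: str
    license: str
    cve_ids: tuple = ()  # known vulnerability identifiers for this exact version


@dataclass(frozen=True)
class Policy:
    """Legal policy (license blacklist) plus security policy (version whitelist, CVE limit)."""
    blacklisted_licenses: frozenset
    approved_versions: dict  # registry: component name -> set of approved versions
    max_known_cves: int = 0  # open CVEs tolerated per component before release


def evaluate(inventory, policy):
    """Return (component, reason) pairs; an empty list means the build is release-ready."""
    violations = []
    for c in inventory:
        if c.license in policy.blacklisted_licenses:
            violations.append((c, f"license {c.license} is blacklisted"))
        approved = policy.approved_versions.get(c.name)
        if approved is None:
            # Unknown to the registry: this is the case that triggers a request/approval process
            violations.append((c, "component not in registry; approval request needed"))
        elif c.version not in approved:
            violations.append((c, f"version {c.version} not approved (approved: {sorted(approved)})"))
        if len(c.cve_ids) > policy.max_known_cves:
            violations.append((c, f"{len(c.cve_ids)} known CVE(s) exceed the policy limit"))
    return violations


def release_ready(inventory, policy):
    """Release readiness criterion: no open policy violations in the final inventory."""
    return not evaluate(inventory, policy)


# Constructed sample data: hypothetical component names and a placeholder CVE id.
SAMPLE_POLICY = Policy(
    blacklisted_licenses=frozenset({"GPL-3.0"}),
    approved_versions={"example-io": {"1.4"}, "example-logger": {"2.1", "2.2"}},
)
SAMPLE_INVENTORY = (
    Component("example-io", "1.4", "Apache-2.0"),
    Component("example-logger", "1.9", "Apache-2.0", ("CVE-0000-PLACEHOLDER",)),
    Component("example-widget", "0.3", "GPL-3.0"),
)
```

Running `evaluate(SAMPLE_INVENTORY, SAMPLE_POLICY)` reports four findings (an unapproved version plus a known CVE for the logger, and a blacklisted license plus a missing registry entry for the widget), so `release_ready` returns False until those are remediated or approved.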
Palamida Products Portfolio
In addition to the Enterprise Edition, Palamida also provides the Standard Edition and the Compliance Edition. Standard Edition is designed for organizations whose primary concerns are managing vulnerability alerts and version updates. Compliance Edition is designed for organizations whose primary concerns are intellectual property issues regarding license compliance and conflicts.

                                  Enterprise   Standard   Compliance
                                  Edition      Edition    Edition
Vulnerability Detection Engine        •            •
Vulnerability Analyzer                •            •
IP Detection Engine                   •                        •
IP Analyzer                           •                        •
Dashboard                             •            •           •
Policy Manager                        •            •           •
Integration Framework                 •            •           •
Technical Specifications

Server Recommendations

Hardware
• 16 GB memory (32 GB recommended)
• 2.4 GHz or higher CPU
• 64-bit CPU (Intel/Opteron)
• 300 GB disk space

Operating Systems
• Windows XP (64-bit) SP2
• Windows Vista (64-bit)
• Fedora Core 7 (64-bit)
• Red Hat Enterprise 4 (64-bit)

Software
• Java JDK 1.5.0
About Palamida, Inc. Palamida is the industry’s first application security solution exclusively for Open Source Software that uses component-level analysis to quickly identify and track undocumented code and associated security vulnerabilities as well as intellectual property and compliance issues, enabling organizations to cost-effectively manage and secure mission critical applications and products.
Contact Us
For more information on how Palamida can help your organization mitigate risk and meet both corporate standards and security and regulatory compliance, contact us at [email protected] or (415) 777-9400 x 123.
215 Second Street, 1st Floor, San Francisco, CA 94105 | P: 415.777.9400 | F: 415.777.5800 | www.palamida.com
© 2008 Palamida, Inc. All rights reserved. Palamida and the Palamida logo are trademarks of Palamida, Inc. All other trademarks and registered trademarks are the property of their respective holders.