Protecode Launches Realtime Scanner for Code Pollution

by Guest Editor - Mar. 17, 2008

By Alistair Croll

When a PC gets a virus, it has to be cleaned. Content produced since the infection is often lost. Developers face a different kind of infection risk: IP violations. Whether it's open source code, a copyrighted library, or someone else's subroutines, code can carry baggage. Now startup Protecode wants to watch developers in real time, right in the IDE, to flag violations before they ruin an entire release.

In March, 2003, Cisco acquired Linksys. But in June of that year, hackers poked around one of the company's best-selling home routers, the WRT54G, and found that its firmware was based on Linux—and the GNU General Public License. This forced Linksys to make the code open source in July, 2003, letting users enhance the router for free. Of course, for the open source community, this worked out perfectly. But for Cisco and Linksys, the outcome wasn't so great. It happened again to Cisco's Skype phone in 2007, and as recently as December, 2007, Verizon was called out for using GPL code in its FiOS routers.

The open source community pursues violations fairly aggressively. In June, 2006, the GPL enforcement project hit its "100 cases finished" mark, with a 100% legal success rate. GPLv3 makes it harder than ever for someone to use open source code without respecting the license terms. And some open source organizations think that in the era of Sarbanes-Oxley, the impact of GPL violations could have consequences that go beyond just having to share source code.

Antivirus tools employ a file scanner that periodically checks files against known virus signatures. And in the code inspection world, it's no different. Companies like Black Duck Software and Palamida have built businesses scanning open source code.

But scanning for viruses only catches them after the fact, and by that time they've run loose in the file system and done their damage. This is why antivirus software also includes a real-time engine that watches for suspicious activity every time a user opens a file, reads a mail, or visits a site. Now Ottawa-based startup Protecode wants to bring this kind of real-time approach to IP protection.

When a developer violates IP policies by using code from the wrong license, he can "pollute" all code from that point on. If it's not caught immediately, the result can be devastating, forcing the company to either reveal its source or scrap an entire branch. Protecode's CEO, Mahshad Koohgoli, saw an opportunity to integrate IP protection into development systems directly.

Koohgoli sold Nimcat Networks to Avaya in 2005. As with many deals, there was a holdback provision in case something went wrong. "When a company gets M&A offers, they get asked, 'what's in it?' and get an unconfident answer," said Richard Mayer, Protecode's VP of Marketing.

On March 5, 2008, the company joined the Eclipse Foundation. And on March 17, Protecode unveiled an Eclipse plug-in that monitors developer actions such as cut, paste, drag, and drop, and compares code to a global signature repository to detect violations or plagiarism. "Most code contamination is unintentional," said Mayer. "Licenses are complex and people aren't aware of company policies."

Protecode's repository is stored online, and an administrator can define policies for code use with various licenses such as BSD, MIT, and GPL. Administrators can also run reports on when portions of code were added, providing audit trails and a code "pedigree."
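As an added illustration of how a signature repository and license policy of this kind can be checked (this is not Protecode's code or algorithm), the snippet below fingerprints normalized source lines from known licensed sources and flags a paste when enough of its lines match a source whose license the administrator has denied. The project names, sample code and policy values are constructed for the example.

```python
import hashlib
import re

def fingerprint(line):
    # Strip trailing comments, collapse whitespace and lower-case before hashing,
    # so a re-indented or re-commented copy of a line still matches. Lines too
    # short to be distinctive (lone braces, blanks) get no fingerprint.
    norm = re.sub(r"\s+", " ", re.sub(r"(//|#).*$", "", line)).strip().lower()
    return hashlib.sha256(norm.encode()).hexdigest()[:16] if len(norm) >= 12 else None

def build_repository(known_sources):
    # known_sources: {(project, license): source text} -> {fingerprint: (project, license)}
    repo = {}
    for origin, text in known_sources.items():
        for raw in text.splitlines():
            if fingerprint(raw):
                repo[fingerprint(raw)] = origin
    return repo

def scan_paste(pasted, repo, policy, min_lines=3):
    # Count pasted lines per known origin; report origins reaching min_lines
    # together with the administrator's verdict for that origin's license.
    hits = {}
    for raw in pasted.splitlines():
        origin = repo.get(fingerprint(raw))
        if origin:
            hits[origin] = hits.get(origin, 0) + 1
    return [{"project": p, "license": lic, "lines": n,
             "verdict": policy.get(lic, "review")}
            for (p, lic), n in hits.items() if n >= min_lines]

# Constructed sample data, not a real project: a GPL routine in the repository
# and a developer paste that re-indents it and renames the function.
KNOWN_SOURCES = {("sample-gpl-checksum", "GPL-2.0"): """
unsigned int checksum(const unsigned char *buf, size_t len) {
    unsigned int acc = 0x1234;   // seed value
    for (size_t i = 0; i < len; i++)
        acc = (acc << 5) ^ (acc >> 27) ^ buf[i];
    return acc & 0xffff;
}"""}
POLICY = {"GPL-2.0": "deny", "BSD-3-Clause": "allow", "MIT": "allow"}
DEVELOPER_PASTE = """
static unsigned int frame_check(const unsigned char *buf, size_t len) {
  unsigned int acc = 0x1234;
  for (size_t i = 0; i < len; i++)
      acc = (acc << 5) ^ (acc >> 27) ^ buf[i];
  return acc & 0xffff;
}"""

def demo():
    return scan_paste(DEVELOPER_PASTE, build_repository(KNOWN_SOURCES), POLICY)
```

Running `demo()` reports the GPL source with four matching lines and a "deny" verdict, while a paste of unrelated code yields no findings.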

Today, the system works for Java and Eclipse, and uses signatures from many open source projects. But Protecode plans to let software firms submit code signatures publicly. For example, Oracle might submit signatures for its embedded protocol stacks. That way, if someone brought code from a previous stint at Oracle to their new gig, the new employer would be warned of the violation.

The goal isn't to rat out coders, but rather to stop the spread of IP pollution. "We have a strong privacy policy, and need to specifically not let signatures 'leak' across vendors," said Mayer. He thinks real-time IP protection will soon become mandatory. "One of our advisors said that it's willful negligence not to use this kind of tool once it's generally available and affordable."

Do you think Protecode's solution will make a difference?
